Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

On Wed, Sep 23, 2015 at 4:55 PM, Simon Josefsson <simon@xxxxxxxxxxxxx> wrote:
> Eliot Lear <lear@xxxxxxxxx> writes:
> > The good news is that this should be observable by the user.  That is,
> > he should be able to query the domain for his own public key and
> > compare.
>
> The user can't detect it reliably, I believe, at least not until we have
> something like a Certificate Transparency project for DNSSEC data.
>
> /Simon

+1. This is a good idea. More sunlight on (DNS, web, other) certificates is a good thing.

I have no particular problem with keyservers remaining outside of the DNS payload ecology btw. I feel this is a bit like discussions of OCSP: wonderful idea, no traction. That's what keyservers feel like.

DNSSEC has compelling qualities of ubiquity and reach, combined with a signed chain. John Levine's argument leads me to believe there is no innate value-add from the DNSSEC in the fetch of the data over any other path, but it is ubiquitous, and widely distributed, whereas keyserver.pool.org is inherently scale-nasty until somebody in CDN land steps in to make it scale.

-G
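The self-check Eliot describes (a user querying the domain for their own key and comparing) and the limitation Simon raises (the user only sees what their own resolver path returns) can both be made concrete. The following is an added example, not code from the thread or from the draft; it derives the OPENPGPKEY owner name the way the draft specifies (SHA2-256 of the local-part, truncated to 28 octets, hex-encoded, under `_openpgpkey`), then compares locally held key material against the RDATA a resolver returned. The key blobs and the zone contents are constructed stand-ins; a real check would obtain the RDATA from a DNSSEC-validating resolver rather than from the `constructed_zone` dictionary used here.

```python
import hashlib


def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an address.

    Per draft-ietf-dane-openpgpkey: SHA2-256 over the local-part, truncated
    to 28 octets, hex-encoded, placed under the _openpgpkey label of the
    domain.  The local-part is hashed as given; the domain is case-insensitive
    in DNS, so it is folded to lower case.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected local-part@domain")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def check_published_key(local_key: bytes, published_rdata: list) -> dict:
    """Compare the key the user holds against the RDATA the DNS returned.

    Keys are compared by SHA-256 of the raw OpenPGP Transferable Public Key
    blob, which is what the RDATA carries.  Any record that is not the user's
    own key is reported as unexpected: that is the substitution case Eliot
    wants the user to be able to notice.
    """
    local_fp = hashlib.sha256(local_key).hexdigest()
    published_fps = [hashlib.sha256(r).hexdigest() for r in published_rdata]
    return {
        "own_key_present": local_fp in published_fps,
        "unexpected_keys": sorted({fp for fp in published_fps if fp != local_fp}),
        "record_count": len(published_rdata),
    }


def self_check(email: str, local_key: bytes, resolver_answers: dict) -> dict:
    """Run the user's own-key check from the user's own vantage point.

    `resolver_answers` maps owner names to lists of RDATA as a validating
    resolver returned them.  Simon's caveat applies here: this only observes
    the answer *this* resolver path produced.  A record substituted only for
    other querents is invisible to this check; that gap is what a
    Certificate Transparency style log for DNSSEC data would close.
    """
    name = openpgpkey_owner_name(email)
    return check_published_key(local_key, resolver_answers.get(name, []))


# Constructed sample data (not real OpenPGP keys, not a real zone).
CONSTRUCTED_KEY = b"\xc6\x01constructed-openpgp-public-key-hugh"
CONSTRUCTED_ROGUE_KEY = b"\xc6\x01constructed-openpgp-public-key-rogue"


def constructed_zone(with_rogue_key: bool) -> dict:
    """Stand-in for a resolver's answers; optionally adds a second, foreign key."""
    name = openpgpkey_owner_name("hugh@example.com")
    rdata = [CONSTRUCTED_KEY]
    if with_rogue_key:
        rdata.append(CONSTRUCTED_ROGUE_KEY)
    return {name: rdata}


if __name__ == "__main__":
    for rogue in (False, True):
        result = self_check("hugh@example.com", CONSTRUCTED_KEY, constructed_zone(rogue))
        status = "OK" if result["own_key_present"] and not result["unexpected_keys"] else "ALERT"
        print(status, result)
```

A clean run prints `OK` with `own_key_present` true and no unexpected keys; a zone carrying an additional key for the same owner name produces `ALERT` with the foreign key's digest listed, which is the observable signal the thread discusses. An absent record (no answer at the derived name) shows up as a zero record count rather than an error, so a downgrade to "no key published" is also visible to the user.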
