PKA support

Jakob Bohm jb-gnumlists at wisemo.com
Fri Apr 10 16:23:40 CEST 2026


On 10/04/2026 09:41, Klaus Ethgen wrote:
> Hi,
>
> Am Fr den 10. Apr 2026 um  8:28 schrieb Werner Koch:
>> And: DNS is not more secure given all the problems and the move from DNS
>> to HTTPS based DNS lookup in the browsers.
> Well, if you do DNSSEC, it is much more secure than HTTPS. However, the
> problem is, that major players do not care about implementing it. For
> example, Hetzner does still not allow to add DNSSEC glue to the
> registration. There was a solution for this but isc closed it down as
> "all country toplevel domains support DNSSEC", fully ignoring that the
> registrars don't.
>
> Another problem are such players as big tech making it hard to have use
> of DNSSEC.
Plus the major design flaw that DNSSEC is an automatic footgun. Any
failure to regularly apply your signature refresh scripts with access
to your secret keys causes the signed domain/zone to become unreadable.
That scenario may be triggered by loss of the private key (think lost
equipment) and/or any unfortunately timed interruption in ability to
run the scripts.
This is in contrast to GPG and S/MIME where the same scenario just
results in a warning that the data was signed with an expired key.

As a result, I have had to abandon DNSSEC for domains I manage
despite the registrar supporting it.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
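The failure mode Jakob describes above (a stalled or lost re-signing setup turning a signed zone into one that validating resolvers refuse to answer for, rather than merely warn about) is the kind of thing a zone operator wants a cron job to catch early. The following is an added example, not code from the thread or from any DNSSEC signer: it parses RRSIG records in zone-file presentation format and flags signatures that are already expired or that will expire before the next re-signing run. The sample records, owner names, key tags, signature fields and the evaluation time are constructed for illustration.

```python
"""Pre-expiry check for RRSIGs in a DNSSEC-signed zone.

Constructed example (not from the gnupg-users thread). It shows the
footgun discussed above: once an RRSIG's expiration time passes, a
validating resolver returns SERVFAIL for the covered RRset, and if the
lapsed signature is the one over the DNSKEY RRset the whole zone goes
dark. An expired OpenPGP key, by contrast, only yields a warning. The
check is meant to run from cron with enough headroom that a re-signing
job that silently stopped is noticed while there is still time to act.
"""
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG presentation-format timestamps, in UTC

# Constructed sample records in zone-file / `dig +dnssec` presentation
# format. Owner names, key tags and the signature fields are made up;
# only the inception/expiration timestamps matter for this check.
SAMPLE_RRSIGS = """\
example.test.     3600  IN RRSIG A      13 2 3600  20260420120000 20260406120000 12345 example.test. c2lnbmF0dXJl
www.example.test. 3600  IN RRSIG A      13 3 3600  20260411080000 20260328080000 12345 example.test. c2lnbmF0dXJl
example.test.     86400 IN RRSIG DNSKEY 13 2 86400 20260409000000 20260326000000 54321 example.test. c2lnbmF0dXJl
"""

# Evaluation time used by run_check(): the date of the message above, as UTC.
MESSAGE_TIME = datetime(2026, 4, 10, 14, 23, 40, tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG RR (RFC 4034 section 3.2 presentation format)."""
    f = line.split()
    # owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer sig...
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)

    def ts(s):
        return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": ts(f[8]),
        "inception": ts(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def classify(sig, now, headroom):
    """Status of one signature at time `now`.

    not_yet_valid - inception is in the future; validators reject it too
    expired       - validators already reject it (SERVFAIL for the RRset)
    at_risk       - still valid, but expires within `headroom`, i.e. a
                    re-signing run that fails now cannot be caught in time
    ok            - comfortably inside its validity window
    """
    if now < sig["inception"]:
        return "not_yet_valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= headroom:
        return "at_risk"
    return "ok"


def check_zone(text, now, headroom=timedelta(days=2)):
    """Map 'owner/TYPE' -> status for every RRSIG line in `text`."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        sig = parse_rrsig(line)
        result[sig["owner"] + "/" + sig["type_covered"]] = classify(sig, now, headroom)
    return result


def exit_code(statuses):
    """Cron-friendly severity: 2 if anything is rejected, 1 if at risk, else 0."""
    values = set(statuses.values())
    if "expired" in values or "not_yet_valid" in values:
        return 2
    if "at_risk" in values:
        return 1
    return 0


def run_check(now=MESSAGE_TIME):
    """Run the check over the constructed sample at the given time."""
    return check_zone(SAMPLE_RRSIGS, now)


if __name__ == "__main__":
    import sys
    statuses = run_check()
    for name, status in statuses.items():
        print("%-26s %s" % (name, status))
    sys.exit(exit_code(statuses))
```

Run against the constructed sample at the message date, the apex A signature is fine, the www A signature expires within the two-day headroom, and the DNSKEY signature has already lapsed, which is the worst case since every other signature in the zone chains through it. In real use the input would come from the signed zone file or from `dig +dnssec` output, and the headroom should be at least the interval between re-signing runs plus the time it takes to notice and respond to a failed one.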