I don't know if DNSSEC is over-complicated or badly designed; I haven't really looked into it. Unlike the others, DNSSEC could work at least in theory because it knows what edge of Zooko's triangle it's trying to live on.
However:
(*) DNSSEC would only ever work if everyone who got a domain got a DNSSEC delegation as a matter of course. That's directly against the commercial interests of Verisign, who sell SSL certificates and now seem to control the domain system.
(*) The DNSSEC designers made some bad choices: they wanted all subdomains to be securely enumerable from the root domain, so that you could get secure assurance of a negative answer. People really, really don't like that. They should have allowed negative answer signing to be delegated to an ephemeral key that lived on the DNS server itself and wasn't empowered to sign much else.
(*) It only covers one edge of Zooko's triangle in any case; I want to leave the world where we all try and live on that one edge.
no subject
Date: 2007-02-19 11:23 am (UTC)