Hacker News

You are going to complain that the key sizes are too small despite the guidelines being updated a long time ago. Then you will argue adoption of larger key sizes is too low. Then you will argue that we should just not sign domain name authority delegation records at all (i.e. DNSSEC) and that we should abandon shoring up authenticated DNS because there is no adoption.

You have any cryptographers that are satisfied with unauthenticated name server checks?



Yes? Lots of them? But also: you didn't answer my question.


Okay, but after this I have to go back to work.

You got a point: 1k isn't great and of course mainstream cryptographers will advocate for higher. That doesn't change that it's still acceptable within the existing security model nor that better alternatives are available. The cryptographic strength of DNSSEC isn't a limiting factor that fatally dooms the whole project. We have to upgrade the crypto used in large-scale infrastructure all the time!

And yes, uptake of better crypto is poor, but I find chicken-and-egg arguments disingenuous when coming from someone who zealously advocates to make it worse. Furthermore, your alternative is no signing of DNS records. Find me a cryptographer who thinks no PKI is a better alternative. I know DJB griped about DNSSEC when proposing DNSCurve, which protects the privacy of the payload but not the integrity of the payload.


Is this a bot gone rogue? Parent asked for a person, and you are shadow-boxing with unasked questions.


The question was "can you find me some reputable cryptographers that support your position?" which is just ad hominem and should be ignored as such, except it does indicate that the person asking it doesn't have any better argument than ad hominem.


If you think tptacek has no better arguments then you're sorely mistaken.

And implying that someone is unqualified is not in fact ad hominem. The desire to interview a disagreeing expert doesn't look fake either.


I didn't imply that anyone was unqualified, for what it's worth.


> which is just ad hominem

I don't really think it is. The original person claimed that the reason DNSSEC was unpopular was due to FUD. I think in that context it's a fair question to ask what experts think.

For it to be an ad hominem, the person has to claim that the argument is wrong because of who they are. But that is not the claim here. The claim is that their argument that DNSSEC hate is unjustified FUD is wrong because experts (who, presumably by virtue of being experts, are not susceptible to FUD) also do not think DNSSEC is a good idea. Thus it is directly attacking the argument and not the person, and hence not an ad hominem.


Sorry, but I asked who's the most reputable cryptographer you can think of who publicly supports DNSSEC? I asked because we'd like to interview them on SCW.


More rhetorical dunking instead of engaging with the substantive technical issues. I'm done.


More random complaints instead of engaging with the substantive question.

You replied to a two sentence post asking for a name. What do you expect to happen when you do that? If you want to debate the merits, reply anywhere else.


That is a weird answer to a very simple question but I'll take that as "I can't think of any". Someone else can answer instead.
