== Link: Against DNSSEC by Thomas Ptacek

[[Against DNSSEC http://sockpuppet.org/blog/2015/01/15/against-dnssec/]] by [[Thomas Ptacek http://sockpuppet.org/]] ([[@tqbf https://twitter.com/tqbf]]) is what it says in the title; lucid and to my mind strong reasons against using or supporting DNSSEC. I've heard some of these from [[@tqbf]] before in Tweets (and others are ambient knowledge in the right communities), but now that he's written this I don't have to try to dig those tweets out and make a coherent entry out of them.

For what it's worth, from my less informed perspective I agree with all of this. It would be nice if DNSSEC could bootstrap a system to get us out of the TLS CA racket but I've become persuaded (partly by [[@tqbf]]) that this is not viable and the cure is at least as bad as the disease. See eg [[this Twitter conversation https://twitter.com/thatcks/status/530141436637761537]].

(You may know of Thomas Ptacek from the days when he was at Matasano Security, where he was the author of such classics as [[If You're Typing the Letters A-E-S Into Your Code You're Doing It Wrong http://chargen.matasano.com/chargen/2009/7/22/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing.html]]. See also eg [[his Hacker News profile https://news.ycombinator.com/user?id=tptacek]].)

Update: there's a Hacker News discussion of this with additional arguments and more commentary from Thomas Ptacek [[here https://news.ycombinator.com/item?id=8894902]].