> until an attacker gets access to DNS, stores a record with a TTL of 1 year,

DNSSEC may have problems, but that's not how the trust model works. Also signing is separate from authoritative DNS, so you'd need to compromise the signing itself, not just DNS. Should that happen, you are still limited by the upstream record siganture lifetime.

On the other front (Chrome), their crlset-tools [1] just fetched me 64k (~1.1MiB) of revoked certs just fine, contrary to the article (quote: "After retrieving and running this tool, I was surprised to see a total of 1,081 revoked certificate serial numbers in this list. This seems oddly low.")

[1] https://github.com/agl/crlset-tools

If DANE were to roll out to browsers, I think plenty of people would rather use it than centralizing on Let's Encrypt.

DNSSEC isn't easy, but either is certbot. DNSSEC also isn't that hard if you're not self-hosting your DNS servers (and even then it's easy if you pick a modern DNS server).

Most domains seem to use their registrars free DNS servers. For those domains, DNSSEC is often just a checkbox. I just activated DNSSEC on three domains by hitting that checkbox. A certbot-style tool can use the same API many existing certbot plugins already provide access to for setting up DANE.

However, until browsers actually implement DANE, it's pretty useless. I know some people use it for mail servers (for some reason, don't see why they can't use Let's Encrypt for that) but even there it's optional.

> Interests of the existing PKI industry may be the source of some friction, but the bigger issue is that DANE depends on DNSSEC, which is not widely deployed, and sometimes actively avoided due to its complexity and ease of breaking you site.

I have a feeling it is "actively avoided" because vendors don't want to lose control of the cert ecosystem. Allowing user to just generate a domain for themselves means it will never get logged in central log and so can't be automatically found by crawlers by the big guys

Good that at least BGP is secure.

> Revocation is an emergency measure, not a routine one. That's ok.

Rather the opposite: revocation is the one time it actually matters, so your infrastructure shouldn't come to a grinding halt when it happens!

Let's say a party like LetsEncrypt needs to do a mass revocation of all certificates. Unlikely, but it has happened before. This is going to instantly blow up the CRL from perhaps a few thousand to 700 million entries. Force every browser to download that regularly and you've essentially accidentally created a DDoS on LetsEncrypt's CRL service.

And how do you want the browser to respond? Fail-closed and you've just created a method to take 80% of the internet offline by DDoSing a single service, fail-open and you've just created a method for an attacker to bypass certificate revocation entirely.

With critical infrastructure like this you can't get away with only thinking about the happy path. It should always work - even in emergencies.

Agreeing with my sibling commenter, this writer is extremely experienced and has been writing this blog for many years. I’d be appalled if this were LLM-written, but thankfully it reads with the same style and tone that he’s always had.

> Revocation is an emergency measure, not a routine one. That's ok.

At the scale modern CAs operate, even emergency measures (i.e. measures that are an emergency for the party receiving the leaf cert) are also routine for the CA/the party granting the leaf cert.

> Because DNS' multilayered caching makes it notoriously impossible to operate safely or debug.

That is not a problem for certs, you are not changing it every second. And the "impossible to operate or debug" is just plain failse or incompetence

> Most large outages already originate in DNS issues; putting the crypto in that layer would redouble it.

That is also just not true. Also, outage of DNS coz someone fucked up configuration management somewhere is not caused by anything related to DNS, it just so happens DNS is essential so any problem is visible.

The author has a long history of quality content and should be considered experienced in his field of doing.

In addition to what other commenters have said, it's a copy of a post on their personal blog: https://www.potaroo.net/ispcol/2026-04/revocation.html

On revocation, check out https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Progra... I don't think any CA hasn't had an issue with revocation at some point (e.g. Let's Encrypt had a major one in 2021, and refused to revoke), which is why Let's Encrypt is moving to 7 day certs (so that revocation isn't required, basically https://www.imperialviolet.org/2011/03/18/revocation.html which is mentioned in the article). My impression is CRLs (and by implication current revocation methods) don't work, and browsers are effectively fudging around CAs with custom methods (e.g. allowing existing certs but no new certs from distrusted CAs).

I'm no security expert, but modern bind9 seems to just handle DNSSEC with no issues when I've used it, and given that the "WebPKI" seems is becoming more and more reliant on custom browser code, adopting DANE outside browsers might not be the worst idea.

looks like so, the emojies are dead give away.

I am not against using LLMs, but the author should have validated the contents before posting.