Replies: 1 comment 2 replies
-
|
I mentioned this in person at KubeCon but I want to reiterate: I would recommend against supporting DNS. Doing it via HTTPS provides cryptographic integrity. DNS only provides it if using DNSSEC which is not widely deployed. If I do not have DNSSEC on my domain, somebody else could spoof my DNS zone and provide a TXT record to their code, even if I do not want to use DNS for this. |
Beta Was this translation helpful? Give feedback.
-
|
If someone can spoof your DNS zone, surely they can spoof the A record too, and acquire an SSL cert via LetsEncrypt and thus spoof the HTTPS site too? I'm not entirely convinced that either is more secure than the other, but happy to hear arguments otherwise. |
Beta Was this translation helpful? Give feedback.
-
|
OK by that logic HTTPS would be worthless ;) You are not wrong, but CAs take extra care to avoid their DNS being spoofed, like using multiple network paths. If they issue a wrong certificate, that's on them. There is no need to take this on yourself :) Also any issued certificates will show up in Certificate Transparency logs, so that attack is impossible to hide. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
This proposal tracks adding support for custom ("vanity") domains to the Central Registry.
The initial design document is at https://github.com/cue-lang/proposal/blob/main/designs/3954-vanity-domains.md
Note: the initial design is already implemented and deployed as an experiment.
This discussion should be used for feedback on both the current implementation and for any ideas about its future.
Beta Was this translation helpful? Give feedback.
All reactions