DNSSEC Will Kill Commercial CAs

Written 7 years ago by Mike Cardwell

If I want to use an SSL certificate on my website which is trusted by the majority of web browsers, I need to pay a commercial certificate authority for one. Generally all the CA does is verify that I’m the domain owner, and then sign my certificate with their trusted certificate.

If there were a standardised way of doing it, I could just generate my own certificate and publish a hash of it in my DNS zone. That would prove that the certificate came from somebody who controls the domain. DNS on its own doesn’t deliver records securely, but adding DNSSEC gives it signed answers a resolver can verify.

The good thing about doing it this way is that both systems can work alongside each other. Those who don’t want to pay a commercial CA for a trusted certificate can just set up DNSSEC on their zone and then add the certificate hash.
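As an added example (not part of the original post), here is the hash-in-DNS scheme in stdlib Python, using the record layout that the DANE TLSA record (RFC 6698) later standardised for exactly this purpose; the hostname and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac

# TLSA "matching type" values (RFC 6698) and the digest each one selects.
MATCHING_TYPES = {1: "sha256", 2: "sha512"}


def association_data(cert_der: bytes, matching_type: int) -> str:
    """Hex digest of the DER-encoded certificate under the given matching type."""
    if matching_type not in MATCHING_TYPES:
        raise ValueError(f"unsupported matching type {matching_type}")
    return hashlib.new(MATCHING_TYPES[matching_type], cert_der).hexdigest()


def tlsa_record(host: str, port: int, cert_der: bytes, matching_type: int = 1) -> str:
    """Zone-file line binding the certificate to host:port.
    Usage 3 (DANE-EE): trust this end-entity certificate itself, no CA involved.
    Selector 0: hash the whole certificate rather than only its public key."""
    owner = f"_{port}._tcp.{host}."
    return f"{owner} IN TLSA 3 0 {matching_type} {association_data(cert_der, matching_type)}"


def parse_tlsa(line: str) -> tuple:
    """Split a presentation-format TLSA line into its fields."""
    owner, cls, rtype, usage, selector, mtype, data = line.split()
    if cls != "IN" or rtype != "TLSA":
        raise ValueError("not a TLSA record")
    return owner, int(usage), int(selector), int(mtype), data.lower()


def certificate_matches(line: str, presented_der: bytes) -> bool:
    """Verifier side: does the certificate a server presented match the hash the
    domain owner published? Only usage 3 / selector 0 is handled; anything else
    is rejected rather than silently accepted. The record only means something
    if the DNS answer carrying it was DNSSEC-validated by the resolver."""
    _owner, usage, selector, mtype, published = parse_tlsa(line)
    if usage != 3 or selector != 0 or mtype not in MATCHING_TYPES:
        return False
    computed = association_data(presented_der, mtype)
    return hmac.compare_digest(computed, published)


if __name__ == "__main__":
    # Constructed placeholder standing in for a real DER certificate (assumption).
    CERT_DER = b"constructed placeholder certificate bytes"
    record = tlsa_record("example.com", 443, CERT_DER)
    print(record)
    print(certificate_matches(record, CERT_DER))          # True
    print(certificate_matches(record, CERT_DER + b"x"))   # False
```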

A number of TLDs are already signed and the root zone will be signed this July. .com and .net will be signed at the beginning of next year. DNSSEC is on its way.
