# DNSSEC Will Kill Commercial CAs

If I want to use an SSL certificate on my website that is trusted by the majority of web browsers, I need to pay a commercial certificate authority for one. Generally, all the CA does is verify that I'm the domain owner and then sign my certificate with their trusted certificate.

If there were a standardised way of doing it, I could just generate my own certificate and stick a hash of it in my DNS zone. That would prove that the certificate came from somebody who controls the domain. DNS doesn't use a secure delivery mechanism, but adding [DNSSEC](https://dnssec.net/) gives it one.

The good thing about doing it this way is that both systems can work alongside each other. Those who don't want to pay a commercial CA for a trusted certificate can just set up DNSSEC on their zone and then add the certificate hash.

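
The check described above, as an added example that is not from the original post: it publishes a SHA-256 hash of the certificate and accepts a presented certificate only when the DNS answer was DNSSEC-validated and the hash matches. The record layout follows TLSA (RFC 6698), which the post does not name; the host name, the stand-in certificate bytes and the `dnssec_validated` flag (what a validating resolver would report) are assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# the hash is taken over the raw bytes, so any byte string shows the logic.
SITE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed site certificate bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed substitute certificate"


def tlsa_record(host: str, port: int, cert_der: bytes) -> str:
    """Zone-file line publishing the SHA-256 hash of the full certificate.

    3 = the record pins the server's own certificate (no CA involved),
    0 = hash the whole certificate, 1 = SHA-256.
    """
    digest = hashlib.sha256(cert_der).hexdigest()
    return f"_{port}._tcp.{host}. IN TLSA 3 0 1 {digest}"


def parse_tlsa(record: str) -> tuple[int, int, int, str]:
    """Return (usage, selector, matching_type, hex_digest) from a zone-file line."""
    fields = record.split()
    if len(fields) < 7 or fields[2] != "TLSA":
        raise ValueError("not a TLSA record")
    usage, selector, matching = (int(f) for f in fields[3:6])
    return usage, selector, matching, "".join(fields[6:]).lower()


def certificate_trusted(presented_der: bytes, record: str,
                        dnssec_validated: bool) -> bool:
    """Accept only if the hash came over validated DNSSEC and matches."""
    # Plain DNS can be spoofed, so an unvalidated hash proves nothing
    # about who controls the domain.
    if not dnssec_validated:
        return False
    usage, selector, matching, published = parse_tlsa(record)
    if (usage, selector, matching) != (3, 0, 1):
        return False  # this example handles only the combination it publishes
    actual = hashlib.sha256(presented_der).hexdigest()
    return hmac.compare_digest(actual, published)


# Assumed host name and port for the illustration.
RECORD = tlsa_record("www.example.com", 443, SITE_CERT_DER)
```
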
A number of TLDs are already signed and the root zone will be signed this July. com and net will be signed at the beginning of next year. DNSSEC is on its way.