
Every time dnssec shows up there's a tptacek comment crapping on the medium.

I know, right? Glad I’m not the only one to notice…




For example Thomas likes Let's Encrypt but he's stuck with his narrative about how nothing uses DNSSEC. So when you point out that Let's Encrypt uses DNSSEC so this position makes no sense, Thomas will just pretend not to understand and refer you back to stuff he wrote many years ago about how nothing uses DNSSEC.


LetsEncrypt does not rely on DNSSEC and does multi-perspective DNS lookups. Something significantly south of 0.5% of LetsEncrypt certificates ever involve DNSSEC.

If DNSSEC vanished tomorrow, literally nothing about LetsEncrypt would change. There would be no operational impact whatsoever.

Not that there's anything wrong with the pieces I wrote "years ago" about DNSSEC (nothing material has changed about it since I wrote that), but I didn't do that here: I provided new evidence that nobody is using DNSSEC, and it is up-to-the-minute. Practically no mainstream sites use DNSSEC, as everyone can see for themselves at the link at the root of this thread.


Those "multi-perspective" validations have been stalled for over a year. The last news is from August 2017. Unlike many issuers Let's Encrypt notoriously does fresh validations for most issuances and they start with a DNSSEC validated authoritative DNS query chain. So, that's 100% of validations, and perhaps 95% of all issuances. Not 0.5% as you've claimed.

When you wrote your jolly screed against DNSSEC the biggest CAs relied heavily on "Any other method" blanket exemptions which no longer exist today. They also used to insist that their extremely high issuance rates made DNSSEC and other security features just infeasible.

After CT this last part got awkward. Where, a neutral party like me might ask, are the doubtless hundreds of millions of certificates you've been issuing that would make this so hard? And of course they don't exist, it was a bluff and now their bluff has been called.


An infinitesimal fraction of the domains LetsEncrypt issues certificates for are signed. I kind of don't understand how you're even trying to make this argument. Everyone here who has ever set up LetsEncrypt knows there's no DNSSEC involved. LetsEncrypt does not depend on DNSSEC; if DNSSEC vanished tomorrow, there would be no operational impact.

Here, try this: search for "LetsEncrypt tutorial", go through the first two search pages, and find one that says "to start with, sign your domain with DNSSEC". Not one in my search results mentions DNSSEC. That's because: nobody cares.


DNSSEC not protecting those who choose not to be protected is entirely to be expected.

Should I assume you figured "nobody cares" about the Web PKI back just a few years when tutorials wouldn't have mentioned TLS? Were people who said that right? Or wrong?


I'm sorry, I can't understand what you're trying to argue at this point. My argument is simply that LetsEncrypt doesn't depend on DNSSEC, and, indeed, it does not.


Me describing how these conversations go:

> Thomas will just pretend not to understand

Thomas just now:

> I'm sorry, I can't understand what you're trying to argue

Let's Encrypt does today depend on DNSSEC because it uses a DNSSEC verifying validator. If you have chosen not to sign names of course your names aren't protected by this, names which are signed are protected.

In a similar way, Firefox does today depend on the Web PKI because it uses NSS, a TLS implementation with a certificate validator baked into it. If you have chosen not to use HTTPS of course your sites aren't protected by this, sites which use HTTPS are protected.


You're simply using a different definition of "depend" than I am.

When you say "it does depend", you mean that in the rare cases where a domain owner has chosen (weirdly) to sign with DNSSEC, LetsEncrypt will enforce DNSSEC validation on that domain.

When I say "it does not depend", I mean that the basic functioning of LetsEncrypt does not in any way rely on DNSSEC. As I've said in the last several comments, LetsEncrypt will continue to function just fine when DNSSEC goes away, and a security failure in DNSSEC (for instance: if the root keys were posted to Pastebin) would literally not impact LetsEncrypt --- today's LetsEncrypt! --- at all.

I'm fine with you using the word "depend" to mean "uses, in any situation, ever", but you're clear now on what we're trying to say, and the semantic part of the debate should be over.
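The disagreement above turns on what a DNSSEC-validating resolver actually does with an unsigned name versus a signed one. The following is an added illustration, not code from this thread or from Let's Encrypt: it models the validator outcome states from RFC 4035 (secure, insecure, bogus) over a constructed delegation chain, and then applies the one policy a CA's resolver imposes, which is to answer for secure and insecure names and to refuse bogus ones. Zone names, the `Zone` fields and `ca_would_resolve` are assumptions made for the example; proof-of-absence details (the parent's signed denial that a DS exists) are abstracted into the `ds_in_parent` flag.

```python
"""Model of DNSSEC validation outcomes for a delegation chain (illustrative).

Constructed example. Each Zone describes one delegation below the root:
whether the parent publishes a DS record for it and, if so, whether the
zone's RRSIGs verify against the key that DS commits to. The root is the
trust anchor and is taken as valid.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Zone:
    name: str
    ds_in_parent: bool       # parent publishes a DS for this zone (delegation is signed)
    signatures_valid: bool   # this zone's RRSIGs verify; irrelevant when ds_in_parent is False


def validation_state(chain: List[Zone]) -> str:
    """Walk the chain from the root's child down to the leaf.

    Returns one of the RFC 4035 states:
      'insecure' - a signed parent proves there is no DS for the child, so the
                   chain of trust ends there and nothing below is checked;
      'bogus'    - a DS exists but the child's signatures do not verify;
      'secure'   - every delegation is signed and every signature verifies.
    """
    for zone in chain:
        if not zone.ds_in_parent:
            # Provably unsigned delegation: the validator stops enforcing here.
            return "insecure"
        if not zone.signatures_valid:
            # Signed delegation whose data cannot be authenticated.
            return "bogus"
    return "secure"


def ca_would_resolve(chain: List[Zone]) -> bool:
    """Assumed CA policy: a validating resolver returns answers for secure and
    insecure names and SERVFAILs bogus ones, so only 'bogus' blocks lookup."""
    return validation_state(chain) != "bogus"


# Constructed chains under a signed TLD. The labels are placeholders.
UNSIGNED_SITE = [Zone("com", True, True), Zone("unsigned.example", False, False)]
SIGNED_SITE = [Zone("com", True, True), Zone("signed.example", True, True)]
BROKEN_SITE = [Zone("com", True, True), Zone("broken.example", True, False)]
BROKEN_TLD = [Zone("com", True, False), Zone("signed.example", True, True)]


if __name__ == "__main__":
    for label, chain in [("unsigned", UNSIGNED_SITE), ("signed", SIGNED_SITE),
                         ("broken", BROKEN_SITE), ("broken tld", BROKEN_TLD)]:
        print(f"{label:>11}: {validation_state(chain):9} resolvable={ca_would_resolve(chain)}")
```

The model makes the two positions in the thread precise: an unsigned name is "insecure", and the validator neither checks nor blocks it, which is why an operator who never signed anything sees no DNSSEC in the workflow; a signed name is enforced, and a signing or key-publication mistake turns it "bogus" and stops resolution for that name alone.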



