Indeed, your domain registrar can always rug you by pointing a record to their own server and issuing a fresh HTTPS certificate.

Meanwhile, DNSSEC is easier to verify; @matt wrote some Rust code for it, unlike HTTPS, which only browsers can verify.

The privacy downside is having to fetch the TXT record with the proof somehow, e.g. with DNS-over-HTTPS. But you could have relays share the records.

I'm not sure there's any downside with the DNS option, as you have to do a DNS resolution anyway in the HTTPS option too.

Assuming it's a shared domain, then by querying for the sjors@ TXT record I'm revealing that (to e.g. Google, if doing DNS over HTTPS).

Whereas with HTTPS I'm only revealing the domain at the DNS level. But then the server knows exactly what I asked for.

Yes, that's true for a shared domain, yes.
The TXT record points directly to the final user. True.

On the other hand, the DNS architecture allows the user to hide behind a DNS recursive server (from the ISP, institution, DoH providers, etc.), whereas it's easier to leak your final IP to the HTTPS server (if you don't use a web proxy).

Different privacy compromises, I guess.