
Pinning has a lot of problems. Copied from our Comparison [1] docs:

Both TACK and HPKP are mechanisms for doing public key pinning for individual websites.

These mechanisms are similar to how SSH uses a known_hosts file to store the fingerprints of public keys it encounters on a "Trust-On-First-Use" ("TOFU") basis.

The problems with these mechanisms are:

* They don't protect on first visit.

* They break websites when the public key needs to legitimately change.

* In the case of TACK, the TACK public key needs to change very frequently (at least every 30 days). This defeats the purpose of pinning, as a MITM does not need to wait long before they can present a fraudulent key that the user has no way to know is legitimate.

* These mechanisms assume that client software has its current time set properly, and they break when that's not true.

While DNSChain does use public key pinning, it doesn't have these problems because there is only one pin that is ever required: the pin to DNSChain itself, which is easily verified once only at setup.

[1] https://github.com/okTurtles/dnschain/blob/master/docs/Compa...
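The following is an added illustration of the TOFU pinning model the comment describes, written for this page; it is not code from DNSChain, TACK or HPKP. It models an SSH known_hosts / HPKP-style pin store with a pin lifetime, and runs through the failure modes listed above: no protection on first visit, a legitimate key change rejected, and a pin silently aged out by a patient attacker or by a client clock that is wrong. The host name, key bytes and timestamps are constructed for the example.

```python
"""TOFU public-key pin store with a pin lifetime (known_hosts / HPKP max-age style).

Added example for illustration only; not DNSChain, TACK or HPKP code.
Host, keys and clock values below are constructed.
"""
import hashlib
from dataclasses import dataclass, field

DAY = 86400.0
HOST = "example.test"  # constructed host name

# Constructed stand-ins for public keys: any distinct byte strings fingerprint differently.
SERVER_KEY_V1 = b"server public key, generation 1"
SERVER_KEY_V2 = b"server public key, generation 2"
MITM_KEY = b"attacker-controlled public key"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 hex digest of the key bytes, as an SSH/HPKP-style fingerprint."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Pin:
    fingerprint: str
    expires_at: float  # client-clock timestamp after which the pin is forgotten


@dataclass
class TofuPinStore:
    max_age: float  # pin lifetime in seconds (HPKP max-age; TACK pins are ~30 days)
    pins: dict = field(default_factory=dict)

    def check(self, host: str, public_key: bytes, now: float) -> str:
        """Verify public_key for host against the stored pin, judged by the client's clock."""
        fp = fingerprint(public_key)
        pin = self.pins.get(host)
        if pin is not None and now >= pin.expires_at:
            # Pin aged out: drop it and fall back to first-visit behaviour.
            del self.pins[host]
            pin = None
        if pin is None:
            # First visit (or expired pin): nothing to compare against, so whatever
            # key is presented gets pinned. A MITM at this moment is pinned as legitimate.
            self.pins[host] = Pin(fp, now + self.max_age)
            return "tofu-accepted"
        if pin.fingerprint == fp:
            pin.expires_at = now + self.max_age  # refresh lifetime on each good visit
            return "pin-match"
        return "pin-mismatch"


def scenario_first_visit() -> str:
    """Attacker present on the very first connection: indistinguishable from the real server."""
    store = TofuPinStore(max_age=30 * DAY)
    return store.check(HOST, MITM_KEY, now=0.0)


def scenario_revisit() -> str:
    """Happy path: same key on a later visit matches the pin."""
    store = TofuPinStore(max_age=30 * DAY)
    store.check(HOST, SERVER_KEY_V1, now=0.0)
    return store.check(HOST, SERVER_KEY_V1, now=5 * DAY)


def scenario_key_rotation() -> str:
    """Operator legitimately rotates the key; the client rejects the real server."""
    store = TofuPinStore(max_age=30 * DAY)
    store.check(HOST, SERVER_KEY_V1, now=0.0)
    return store.check(HOST, SERVER_KEY_V2, now=5 * DAY)


def scenario_expiry(true_days: float, clock_skew_days: float) -> str:
    """Attacker presents a key after true_days of real time, on a client whose clock
    is clock_skew_days fast. Once the client believes the pin has expired, the
    attacker's key is simply re-pinned instead of being rejected."""
    store = TofuPinStore(max_age=30 * DAY)
    store.check(HOST, SERVER_KEY_V1, now=0.0)
    client_now = (true_days + clock_skew_days) * DAY
    return store.check(HOST, MITM_KEY, now=client_now)


if __name__ == "__main__":
    print("first visit, MITM present      :", scenario_first_visit())
    print("revisit, same key              :", scenario_revisit())
    print("legitimate key rotation        :", scenario_key_rotation())
    print("MITM on day 1, clock correct   :", scenario_expiry(1, 0))
    print("MITM on day 31, clock correct  :", scenario_expiry(31, 0))
    print("MITM on day 1, clock 60d fast  :", scenario_expiry(1, 60))
```

The last two calls show the two ways a short pin lifetime undoes pinning: an attacker who waits past max_age, and a client whose clock is wrong, both end up re-pinning the attacker's key without any warning to the user.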
