against dnssec

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sat Jan 17 21:01:57 UTC 2015


Neal Becker wrote:
>I personally know nothing of the subject, but found this article, I
>wonder if there's any truth here?  If so, maybe the push for dnssec on
>f22 isn't as wonderful as supposed:
>
>http://sockpuppet.org/blog/2015/01/15/against-dnssec/


"DNSSEC is Unnecessary"

His argument seems to be that DNSSEC isn't a panacea and therefore it's
useless, which is obviously flawed logic.


"DNSSEC is a Government-Controlled PKI"

He says that DANE, which relies on DNSSEC, is supposed to replace the CA
system. As far as I can tell DANE is designed to be useful both alone
and in cooperation with CAs.

Both CAs and DNSSEC can be attacked by governments in different ways.
The author thinks that DNSSEC is more vulnerable. I happen to disagree,
but more importantly, those who feel that they need to can secure their
keys both through DANE and with a certificate from a CA. Using two
independent methods of verification in parallel is never less secure
than using only one of them.


"DNSSEC is Cryptographically Weak"

He claims that many keys currently in use aren't strong enough, and
makes it sound like that's a design flaw in the protocol itself. He
neglects to mention that DNSSEC by design allows variable key lengths,
frequent key changes and the specification of new ciphers.


"DNSSEC is Expensive To Adopt"

Here his point is that expired signatures can make DNS lookups fail when
they would have succeeded without DNSSEC. This is true. There is always
some price for security, but that's not automatically an argument for
giving up security. DNS administrators will simply have to establish
robust routines for renewing their signatures.


"DNSSEC is Incomplete"

He complains that DNSSEC doesn't secure the link between the recursive
resolver and its client. That's exactly what people are working to fix
by running a local validating resolver.


"DNSSEC is Unsafe"

"Authenticated denial. Offline signers. Secret hostnames. Pick two."
OK, then I'll pick authenticated denial and offline signers. Hostnames
have never been secret. DNS lookups are unencrypted, so every time you
look up a name you tell any snoopers that that name exists. Why would
you need secret hostnames anyway?

-- 
Björn Persson
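The "robust routines for renewing their signatures" point in the message above is where an operator actually needs tooling: a signature that expires before the zone is re-signed turns a validating resolver's answer into SERVFAIL. As an added example (not part of the post, and not code from Fedora or from any DNSSEC implementation), here is a small check that parses RRSIG records in `dig`-style presentation format and classifies each one by its validity window. The zone name, key tags, signature data and timestamps are constructed for illustration; the reference time is the date of the post.

```python
"""
RRSIG validity-window check over presentation-format DNS records.

Added example, not from the original mailing-list post. The records
below are constructed, not captured from a real zone.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `dig +dnssec` output. Fields after
# "RRSIG": type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, signature (truncated here).
SAMPLE_RRSIGS = """\
; hypothetical zone example.test., signatures are placeholders
example.test.      3600 IN RRSIG A  13 2 3600 20150201120000 20150102120000 12345 example.test. abc...
www.example.test.  3600 IN RRSIG A  13 3 3600 20150119000000 20141220000000 12345 example.test. def...
mail.example.test. 3600 IN RRSIG MX 13 3 3600 1422100800     1419422400     12345 example.test. ghi...
old.example.test.  3600 IN RRSIG A  13 3 3600 20150110000000 20141211000000 12345 example.test. jkl...
new.example.test.  3600 IN RRSIG A  13 3 3600 20150220000000 20150120000000 12345 example.test. mno...
"""

# Reference time for the check: the date of the post (assumption for the demo).
NOW = datetime(2015, 1, 17, 21, 1, 57, tzinfo=timezone.utc)


def parse_rrsig_time(field: str) -> datetime:
    """RFC 4034 3.2: a 14-digit YYYYMMDDHHmmSS string, or a decimal
    count of seconds since the epoch (at most 10 digits). Both are UTC."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Split one presentation-format RRSIG line into its named fields."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "expiration": parse_rrsig_time(f[i + 5]),
        "inception": parse_rrsig_time(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def classify(sig: dict, now: datetime, warn: timedelta = timedelta(days=7)) -> str:
    """Status of one signature at time `now`.

    A validator rejects the signature outside [inception, expiration], so
    both 'expired' and 'not-yet-valid' mean lookups fail right now;
    'expiring' means the re-signing job must run within `warn`."""
    if now >= sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not-yet-valid"
    if sig["expiration"] - now <= warn:
        return "expiring"
    return "ok"


def check_zone(text: str, now: datetime, warn: timedelta = timedelta(days=7)) -> dict:
    """Map (owner, type covered) -> status for every RRSIG line in `text`,
    skipping blank lines and ';' comments."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        sig = parse_rrsig(line)
        report[(sig["owner"], sig["type_covered"])] = classify(sig, now, warn)
    return report


def problems(report: dict) -> list:
    """Sorted list of (owner, type, status) for everything that is not 'ok',
    i.e. what a monitoring check would alert on."""
    return sorted((owner, rtype, status)
                  for (owner, rtype), status in report.items()
                  if status != "ok")


if __name__ == "__main__":
    for owner, rtype, status in problems(check_zone(SAMPLE_RRSIGS, NOW)):
        print(f"{status:14} {owner} {rtype}")
```

In production the input would come from `dig +dnssec` against each authoritative server (they can drift apart), and the warning threshold should be longer than the re-signing interval plus the zone's propagation delay, so that an alert fires while there is still time to act.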