against dnssec
Paul Wouters
paul at nohats.ca
Sun Jan 18 03:52:20 UTC 2015
On Sun, 18 Jan 2015, Kevin Kofler wrote:
This is becoming rather of-topic for DNS. I think they key thing to
remember is that DNSSEC reduces the number of parties that can send
malicious or forged DNS messages from "infinite" to "a few" and where
these "few" are also part of the current "infinite".
Additionally, while Thomas might think that DNSSEC is not happening yet,
the truth is we've past the point of no return. Not supporting DNSSEC
is no longer an option.
> Reindl Harald wrote:
>> in fact DNSSEC is the prerequisite for
>> http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
>> which has the potential to replace the horrible need of CA signed
>> certificates for SSL which are in fact *completly* unrelieable because
>> every random of the thousands entities your browsers trusts can sign any
>> random domain certificate
>
> The article also addresses (or claims to address) that, claiming that DANE
> only moves us from private cartel control to government control, which is
> not necessarily an improvement.
It does not move. It gives you a choice to do either, both are a lot
more.
Furthermore, "government control is a simplistic overstatement". For
one, some government is in control of the TLD to begin with. They
can yank your domain or serve it with arbitrary content, regardless
of whether your certificate is validated by CA/PKIX or DNSSEC/DANE.
Second, unless you are going to vouch for every domain you visit
personally, you are going to have to outsource that trust somehow.
What DNSSEC does is reduce the number of players that can make
claims about your TLS certificate/key from 600+ in the PKIX world
to about 5 in the DNSSEC world. Of those 5 entrusted with this trust,
there is a strong incentive not to be caught signing rogue stuff.
Certificate Transparency (CT) (RFC-6962bis) and CT for DNSEC (early
proposal stages) add an "X out of Y" mode to further motivate those
players with private keys in their hands not to get caught handing out
targeted malicious data.
Trusting no one is easy. Picking a few trustworthy parties is hard.
In the last round of "we cannot trust governments for DNS, let's use
the peer to peer dns and use the blockchain", I wrote up:
https://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/
Paul
More information about the devel
mailing list