Neal Becker wrote:
> I personally know nothing of the subject, but found this article, I
> wonder if there's any truth here? If so, maybe the push for dnssec on
> f22 isn't as wonderful as supposed:
>
> http://sockpuppet.org/blog/2015/01/15/against-dnssec/

"DNSSEC is Unnecessary"

His argument seems to be that DNSSEC isn't a panacea and therefore it's useless, which is obviously flawed logic.

"DNSSEC is a Government-Controlled PKI"

He says that DANE, which relies on DNSSEC, is supposed to replace the CA system. As far as I can tell DANE is designed to be useful both alone and in cooperation with CAs. Both CAs and DNSSEC can be attacked by governments in different ways. The author thinks that DNSSEC is more vulnerable. I happen to disagree, but more importantly, those who feel that they need to can secure their keys both through DANE and with a certificate from a CA. Using two independent methods of verification in parallel is never less secure than using only one of them.

"DNSSEC is Cryptographically Weak"

He claims that many keys currently in use aren't strong enough, and makes it sound like that's a design flaw in the protocol itself. He neglects to mention that DNSSEC by design allows both variable key lengths, frequent key changes and specification of new ciphers.

"DNSSEC is Expensive To Adopt"

Here his point is that expired signatures can make DNS lookups fail when they would have succeeded without DNSSEC. This is true. There is always some price for security, but that's not automatically an argument for giving up security. DNS administrators will simply have to establish robust routines for renewing their signatures.

"DNSSEC is Incomplete"

He complains that DNSSEC doesn't secure the link between the recursive resolver and its client. That's exactly what people are working to fix by running a local validating resolver.

"DNSSEC is Unsafe"

"Authenticated denial. Offline signers. Secret hostnames. Pick two."

OK, then I'll pick authenticated denial and offline signers.
Hostnames have never been secret. DNS lookups are unencrypted, so every time you look up a name you tell any snoopers that that name exists. Why would you need secret hostnames anyway?

-- 
Björn Persson
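The signature-renewal point above (an expired RRSIG turns a lookup that would otherwise succeed into a validation failure) as an added example, not code from the thread or its authors: a stdlib-only Python check that parses RRSIG records in zone presentation format (RFC 4034 section 3.2) and reports which signatures are expired, not yet valid, or due for renewal within a warning window. The zone lines, key tag and signature data are constructed; the function and variable names are this example's own.

```python
"""Flag DNSSEC RRSIG records that are expired or about to expire."""
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in zone presentation format:
# owner ttl class RRSIG type-covered alg labels orig-ttl expiration
#   inception keytag signer signature   (signature data is placeholder text)
SAMPLE_ZONE = """\
example.com.      3600 IN RRSIG SOA 13 2 3600 20150301000000 20150201000000 12345 example.com. AbCd==
example.com.      3600 IN RRSIG A   13 2 3600 20150220000000 20150201000000 12345 example.com. EfGh==
www.example.com.  3600 IN RRSIG A   13 3 3600 20150210000000 20150101000000 12345 example.com. IjKl==
mail.example.com. 3600 IN RRSIG MX  13 3 3600 20150401000000 20150301000000 12345 example.com. MnOp==
"""

def parse_rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG line into its fields; return None for any other record."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0], "covers": f[4], "algorithm": int(f[5]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "keytag": int(f[10]), "signer": f[11],
    }

def classify(sig, now, warn):
    """A validator accepts the RRSIG only while inception <= now <= expiration."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring"      # still valid, but the re-signing job must run soon
    return "ok"

def check_rrsigs(zone_text, now, warn=timedelta(days=7)):
    """Return [(owner, covered type, status)] for every RRSIG in zone_text."""
    report = []
    for line in zone_text.splitlines():
        sig = parse_rrsig(line)
        if sig:
            report.append((sig["owner"], sig["covers"], classify(sig, now, warn)))
    return report

if __name__ == "__main__":
    # Evaluate the sample zone as seen from a fixed clock rather than the real one.
    for owner, rtype, status in check_rrsigs(SAMPLE_ZONE, parse_rrsig_time("20150215000000")):
        print(f"{status:13} {owner} {rtype}")
```

In practice the zone text would come from the signed zone file or an AXFR, and "expired" or "expiring" lines would feed the monitoring that the renewal routine is supposed to make unnecessary.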
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct