Re: against dnssec

On Sun, 18 Jan 2015, Kevin Kofler wrote:

This is becoming rather off-topic for DNS. I think the key thing to
remember is that DNSSEC reduces the number of parties that can send
malicious or forged DNS messages from "infinite" to "a few" and where
these "few" are also part of the current "infinite".

Additionally, while Thomas might think that DNSSEC is not happening yet,
the truth is we've passed the point of no return. Not supporting DNSSEC
is no longer an option.

> Reindl Harald wrote:
>> in fact DNSSEC is the prerequisite for
>> http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
>> which has the potential to replace the horrible need of CA signed
>> certificates for SSL which are in fact *completely* unreliable because
>> every random of the thousands entities your browsers trusts can sign any
>> random domain certificate
>
> The article also addresses (or claims to address) that, claiming that DANE
> only moves us from private cartel control to government control, which is
> not necessarily an improvement.

It does not move. It gives you a choice to do either, both are a lot
more.

Furthermore, "government control is a simplistic overstatement". For
one, some government is in control of the TLD to begin with. They
can yank your domain or serve it with arbitrary content, regardless
of whether your certificate is validated by CA/PKIX or DNSSEC/DANE.

Second, unless you are going to vouch for every domain you visit
personally, you are going to have to outsource that trust somehow.
What DNSSEC does is reduce the number of players that can make
claims about your TLS certificate/key from 600+ in the PKIX world
to about 5 in the DNSSEC world. Of those 5 entrusted with this trust,
there is a strong incentive not to be caught signing rogue stuff.

Certificate Transparency (CT) (RFC-6962bis) and CT for DNSSEC (early
proposal stages) add an "X out of Y" mode to further motivate those
players with private keys in their hands not to get caught handing out
targeted malicious data.

Trusting no one is easy. Picking a few trustworthy parties is hard.

In the last round of "we cannot trust governments for DNS, let's use
the peer to peer dns and use the blockchain", I wrote up:

https://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

Paul

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
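Added illustration of the DANE mechanism the thread argues about (this is editor-supplied example code, not from Paul, Kevin, Reindl or any Fedora project): a TLSA record binds a name to a specific certificate or public key, and with usage 3 (DANE-EE) the DNSSEC-signed record alone vouches for the key, which is why the set of parties able to make claims about a site's TLS key shrinks from "every trusted CA" to the DNS chain above the name. The field values (usage, selector, matching type) are the real ones from RFC 6698; the function names, the byte strings standing in for a certificate and its SubjectPublicKeyInfo, and the example owner name are constructed for this example. The code assumes the caller already obtained the TLSA RRset through a DNSSEC-validating resolver; without that validation a DANE match means nothing.

```python
"""Build and check DANE TLSA records (RFC 6698 semantics); example code."""
import hashlib
import hmac
import struct
from typing import Iterable, NamedTuple

# Certificate usage values from RFC 6698 section 2.1.1.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
# Selector: whole certificate or just the SubjectPublicKeyInfo.
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
# Matching type: exact bytes, SHA-256 or SHA-512 of the selected data.
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


class TLSA(NamedTuple):
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"


def _selected(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    """Pick the part of the presented certificate the record refers to."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _matched(blob: bytes, matching_type: int) -> bytes:
    """Apply the matching type: the selected bytes themselves or a digest."""
    if matching_type == MATCH_FULL:
        return blob
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
              selector: int = SELECTOR_SPKI,
              matching_type: int = MATCH_SHA256) -> TLSA:
    """Publisher side: derive the record to put in DNS for this certificate.
    The default "3 1 1" is the common DANE-EE / SPKI / SHA-256 form."""
    data = _matched(_selected(cert_der, spki_der, selector), matching_type)
    return TLSA(usage, selector, matching_type, data)


def to_wire(rec: TLSA) -> bytes:
    """RDATA wire format: three one-octet fields followed by the data."""
    return struct.pack("!BBB", rec.usage, rec.selector, rec.matching_type) + rec.data


def to_presentation(rec: TLSA) -> str:
    """Zone-file presentation format, e.g. '3 1 1 <hex>'."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def dane_ee_matches(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: does any usable DANE-EE record vouch for the presented leaf?

    Only usage 3 records are considered: with DANE-EE the DNSSEC-signed record
    is the whole trust decision and no CA sits in the path. Records with an
    unknown selector or matching type are skipped as "unusable" (RFC 6698
    section 4.1) rather than treated as a mismatch. The records must come from
    a DNSSEC-validated answer (assumption: the caller checked that already).
    """
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue
        try:
            expected = _matched(_selected(cert_der, spki_der, rec.selector),
                                rec.matching_type)
        except ValueError:
            continue
        if hmac.compare_digest(expected, rec.data):  # constant-time compare
            return True
    return False


# Constructed stand-ins for DER blobs a real client would take from the TLS
# handshake; they are not real certificates or keys.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-leaf-certificate-der"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subjectpublickeyinfo-der"
ROGUE_SPKI_DER = b"\x30\x59constructed-key-a-rogue-ca-might-certify"


def demo() -> bool:
    """Publish a 3 1 1 record for the sample key and check two presented keys."""
    rec = make_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("_443._tcp.example.com. IN TLSA", to_presentation(rec))  # example owner name
    legit = dane_ee_matches([rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    rogue = dane_ee_matches([rec], SAMPLE_CERT_DER, ROGUE_SPKI_DER)
    print("legitimate key accepted:", legit, "| CA-signed rogue key accepted:", rogue)
    return legit and not rogue


if __name__ == "__main__":
    demo()
```

The rogue-key check is the whole point of the "600+ down to about 5" argument: a certificate for the same name signed by any browser-trusted CA is simply not the key the DNSSEC-signed record names, so the client rejects it without consulting any CA at all. Note that the same code accepts a record with usage 1 (PKIX-EE) as "no DANE-EE match" and leaves the decision to normal PKIX validation, which is the "choice to do either" Paul describes.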