[147988] in cryptography@c2.net mail archive
Re: [Cryptography] DNSSEC = completely unnecessary?
daemon@ATHENA.MIT.EDU (Joe St Sauver)
Mon Nov 4 12:28:42 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 4 Nov 2013 08:17:30 -0800 (PST)
From: "Joe St Sauver" <joe@oregon.uoregon.edu>
To: greg@kinostudios.com
X-VMS-To: SMTP%"greg@kinostudios.com"
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Greg commented:
#In all my readings on it I kept walking away thinking that I understood
#its purpose, but I'd then come back at myself with the same question:
#what does it give us over HTTPS?
Consider the IETF DANE work. Currently it is hypothetically possible for
any globally trusted CA to issue an SSL/TLS cert for any given domain.
If you do DNSSEC, you now have a framework that will allow you to
definitively assert that the cert for your domain should be *this* one
and not some other one. I consider that to be a worthwhile improvement,
in and of itself.
#Cache poisoning isn't a serious threat if SSL/TLS is working correctly.
1) Not all network traffic (whether web or otherwise) is secured with
SSL/TLS; on the other hand, most network traffic does employ/rely on DNS.
2) I'd also note that some operationally critical bits and pieces get
shared via DNS. For example, if you do SPF, you're making decisions
about acceptable email sources for a given domain based on information
published via DNS. It would be terrific if that data was secured against
cache poisoning. Ditto DNS-based blocklist results.
Regards,
Joe
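The DANE assertion Joe describes (a DNSSEC-signed TLSA record naming which certificate a domain should present) as an added example, not part of the original message: it implements the RFC 6698 matching step on both the publishing and the verifying side, assuming the TLSA RRset has already been fetched from a DNSSEC-validating resolver. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data

def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format: '<usage> <selector> <mtype> <hex...>'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what a TLSA record's data field must contain for this certificate."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()

def tlsa_rdata_for(usage, selector, mtype, cert_der, spki_der) -> str:
    """Publishing side: the record text a zone owner would put in the signed zone."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert_der, spki_der).hex()}"

def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    """Verifying side (DANE-EE, usage 3): accept the presented end-entity certificate
    only if some usage-3 record pins it. Usages 0-2 also need PKIX chain or
    trust-anchor checks, so they are deliberately not accepted here."""
    for r in records:
        if r.usage != 3:
            continue
        expected = association_data(r.selector, r.matching_type, cert_der, spki_der)
        if hmac.compare_digest(expected, r.data):
            return True
    return False

# Constructed placeholders standing in for DER bytes (not real certificates).
LEGIT_CERT = b"constructed-cert-for-example.test"
LEGIT_SPKI = b"constructed-spki-for-example.test"
ROGUE_CERT = b"constructed-cert-issued-by-some-other-ca"
ROGUE_SPKI = b"constructed-spki-issued-by-some-other-ca"
ZONE_TLSA = [parse_tlsa(tlsa_rdata_for(3, 1, 1, LEGIT_CERT, LEGIT_SPKI))]
```

A real client must discard the RRset unless the resolver reports it as DNSSEC-validated (AD bit set); an unsigned TLSA record gives no more assurance than the CA system it is meant to constrain.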
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography