[148024] in cryptography@c2.net mail archive


Re: [Cryptography] DNSSEC = completely unnecessary?

daemon@ATHENA.MIT.EDU (Martin Rublik)
Tue Nov 5 12:28:11 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 05 Nov 2013 14:32:14 +0100
From: Martin Rublik <martin.rublik@gmail.com>
To: cryptography@metzdowd.com
In-Reply-To: <52780635.1050709@witmond.nl>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 4. 11. 2013 21:40, Guido Witmond wrote:
> 
>>> Second, what seems to be often missing in the discussion is the 
>>> consideration of synchronising TLSA records and the certificate-in-use.
>>> I don't subscribe to the view that this is very easy -- if scans of the
>>> HTTPS and SSH ecosystems have shown anything, then it is that poor
>>> deployment practices are to be blamed for a huge part of our problems,
>>> and none of DNSSEC/DANE/CAA solve those.
> Agreed. It's not easy. I hope there will be some parties that will offer 
> these services for a modest fee to the site-operator. My DNS-registrar 
> already offers managed DNSSEC. They take care of all the key-stuff. And if
> they mess up, there might be others. I have the choice. See it as a market
> opportunity for hosting providers.
> 

Actually this might be harder than it looks. For illustration I recommend
reading:
- Deploying cryptography in Internet-scale systems: A case study on DNSSEC.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.158.1984&rep=rep1&type=pdf

as well as the somewhat outdated but still interesting
- Perils of Transitive Trust in the Domain Name System
http://www.cs.cornell.edu/people/egs/papers/dnssurvey.pdf

Martin

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
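The synchronisation problem raised in the quoted paragraph (TLSA records drifting away from the certificate actually served) can be caught with a check that recomputes the TLSA association data from the live certificate and compares it with the published record. This is an added example, not code from the thread: it follows RFC 6698 (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512), and `sample_cert` builds a constructed, structurally minimal X.509 DER blob so the check runs offline; the function names are chosen here.

```python
import hashlib

def der_tlv(data, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, raw element incl. header) for each child of a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo: 6th tbsCertificate field (RFC 5280) after dropping [0] version."""
    _, cert_body, _ = der_tlv(cert_der)   # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)        # tbsCertificate SEQUENCE
    return [raw for tag, raw in der_children(tbs) if tag != 0xA0][5]

def tlsa_data(cert_der, selector, matching_type):
    """Association data (hex) per RFC 6698: selector 0=cert/1=SPKI, matching 0=exact/1=SHA-256/2=SHA-512."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching_type == 0:
        return blob.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[matching_type], blob).hexdigest()

def tlsa_matches(cert_der, record):
    """record = (usage, selector, matching_type, hex_data) as published in DNS."""
    _, selector, matching_type, data = record
    return tlsa_data(cert_der, selector, matching_type) == data.lower()

def tlv(tag, body):  # DER encoder for the constructed sample (lengths < 256 only)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_cert(key_bytes):
    """Constructed, structurally minimal X.509 DER for this example; not a real
    certificate and not signed, just enough structure for the parser above."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
                     + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")        # version, serial
               + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # signature alg
               + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"131105000000Z") * 2)  # issuer, validity
               + tlv(0x30, b"") + spki)                                        # subject, SPKI
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00" * 9))
```

Feed `tlsa_matches` the DER certificate actually served and the record actually resolved from DNS after every certificate rotation; a `False` result means the TLSA record and the certificate in use have drifted apart.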
