[Cryptography] DNSSEC = completely unnecessary?

Joe St Sauver joe at oregon.uoregon.edu
Mon Nov 4 11:17:30 EST 2013


Greg commented:

#In all my readings on it I kept walking away thinking that I understood
#its purpose, but I'd then come back at myself with the same question:
#what does it give us over HTTPS?

Consider the IETF DANE work. Currently it is hypothetically possible for 
any globally trusted CA to issue an SSL/TLS cert for any given domain. 

If you do DNSSEC, you now have a framework that will allow you to 
definitively assert that the cert for your domain should be *this* one 
and not some other one. I consider that to be a worthwhile improvement, 
in and of itself.

#Cache poisoning isn't a serious threat if SSL/TLS is working correctly. 

1) Not all network traffic (whether web or otherwise) is secured with 
SSL/TLS; on the other hand, most network traffic does employ/rely on DNS.

2) I'd also note that some operationally critical bits and pieces get 
shared via DNS. For example, if you do SPF, you're making decisions 
about acceptable email sources for a given domain based on information 
published via DNS. It would be terrific if that data was secured against
cache poisoning. Ditto DNS-based blocklist results.

Regards,

Joe
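The DANE point above, as an added worked example (not part of Joe's post or of any IETF reference code): a TLSA record carries a usage, a selector, a matching type and association data, and a client that trusts the DNSSEC-signed answer can check that the certificate a server presents is the pinned one. The certificate and SubjectPublicKeyInfo byte strings below are constructed placeholders, not real DER; extracting the SPKI from a real certificate needs an X.509 parser and is assumed to happen before calling these functions.

```python
"""Build and match DANE TLSA records (RFC 6698 field layout).

Added example. CERT_A / CERT_B / SPKI_* are constructed stand-ins for
DER-encoded certificates and SubjectPublicKeyInfo structures.
"""
import hashlib
import hmac

# TLSA field values from RFC 6698 section 2.1
USAGE_DANE_EE = 3        # pin the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # compare the whole DER certificate
SELECTOR_SPKI = 1        # compare only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Constructed sample inputs: server A's cert/key and a cert for the same
# name issued by some other CA (B). CERT_A2 is A's cert re-issued with
# the same key, so it shares SPKI_A.
CERT_A = b"constructed-der-cert-A-issued-by-CA-1"
SPKI_A = b"constructed-spki-A"
CERT_A2 = b"constructed-der-cert-A-renewed-same-key"
CERT_B = b"constructed-der-cert-B-issued-by-CA-2"
SPKI_B = b"constructed-spki-B"


def association_data(selector, matching_type, cert_der, spki_der):
    """Return the bytes a TLSA record carries for this certificate."""
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_EXACT:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa_rdata(usage, selector, matching_type, cert_der, spki_der):
    """Wire-format RDATA: three one-octet fields followed by association data."""
    assoc = association_data(selector, matching_type, cert_der, spki_der)
    return bytes([usage, selector, matching_type]) + assoc


def parse_tlsa_rdata(rdata):
    """Split RDATA into (usage, selector, matching_type, association_data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def tlsa_presentation(rdata):
    """Zone-file form, e.g. '3 0 1 <hex digest>'."""
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if a DANE-EE record pins the presented certificate.

    Usages 0-2 additionally require PKIX chain validation or a trust-anchor
    match; this example only handles the end-entity pin (usage 3).
    """
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE:
        return False
    expected = association_data(selector, mtype, cert_der, spki_der)
    # constant-time compare; unequal lengths simply return False
    return hmac.compare_digest(expected, assoc)


if __name__ == "__main__":
    pin = make_tlsa_rdata(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA256,
                          CERT_A, SPKI_A)
    print("published:", tlsa_presentation(pin))
    print("server A cert accepted:", tlsa_matches(pin, CERT_A, SPKI_A))
    print("other-CA cert accepted:", tlsa_matches(pin, CERT_B, SPKI_B))
```

Pinning with selector 0 (full certificate) means the record must be updated on every renewal, while selector 1 (SPKI) keeps matching as long as the key pair is unchanged; the trade-off is the usual one between a tighter pin and operational breakage. Either way the check is only as strong as the DNSSEC validation of the TLSA answer, which is the dependency the post is pointing at.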
