[Cryptography] DNSSEC = completely unnecessary?

Tom Ritter tom at ritter.vg
Mon Nov 4 07:36:50 EST 2013


On 3 November 2013 23:33, Greg <greg at kinostudios.com> wrote:
> In all my readings on it I kept walking away thinking that I understood its
> purpose, but I'd then come back at myself with the same question: what does
> it give us over HTTPS?

DNS does not provide authenticity, DNSSEC does.  Not everything we do
online uses SSL, so while many protocols have some amount of
authenticity built in to them (each flawed in their own way, as
Zooko's Triangle dictates some practical limits) - DNSSEC lets us
bootstrap authenticity for any protocol.  "The person you want to talk
to is [here] and he will use [this key fingerprint]."


> In the presence of functional SSL/TLS, DNS
> cache poisoning can only produce a denial of service attack. The scenario
> we're trying to prevent is, "A thinks he is talking with B, but is actually
> talking with C." Cache poisoning can give A the address of C instead of B,
> which is a start, but C can't pass himself off as B unless he compromises
> the SSL/TLS process.

DNSSEC prevents cache poisoning, when used correctly. And SSL/TLS does
not protect HTTP, which I would venture is a laaaaarge percentage of
web traffic, even when SSL is available.

And if you argue "Well, the HTTP problem can be solved by HSTS" I will
say "Okay, how do you securely communicate HSTS to a host?" to which the
answers are: 'Hope the user isn't owned the first time', 'Bake
preloaded HSTS into every browser', or 'Securely transmit HSTS
information using some other protocol like DNS.'

> What say you, list? To me, the DNSSEC thing seems like it might be mostly a
> waste of a bunch of people's time.

It's true that as we bolt more and more stuff into HTTP headers (HSTS,
Public Key Pinning, etc.) the value of DNSSEC _for HTTPS_ goes down.
But there is still value there to be gained for other protocols,
nearly all of which bootstrap off DNS.  The other big win for HTTP
we'll see is the ability to use self-signed certificates via DANE,
which relies on DNSSEC.

-tom
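The closing point of the reply, using DANE to authenticate a self-signed certificate, rests on the TLSA record format of RFC 6698 and on the rule that TLSA data may only be used when the DNS answer was DNSSEC-validated. The following is an added example written for this page, not code from the thread or from any DANE implementation: it parses a TLSA record in zone-file presentation form, computes the certificate association data for the selector and matching type, and applies the usage-3 (DANE-EE) acceptance rule. The `CERT_DER` and `SPKI_DER` byte strings are constructed placeholders standing in for the DER certificate and its SubjectPublicKeyInfo, which a real client would extract from the peer's X.509 certificate with a TLS library.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA fields per RFC 6698 section 2.1.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_FULL_CERT = 0   # association data covers the whole DER certificate
SELECTOR_SPKI = 1        # association data covers the SubjectPublicKeyInfo only
MATCH_EXACT = 0          # raw selected bytes
MATCH_SHA256 = 1         # SHA-256 of the selected bytes
MATCH_SHA512 = 2         # SHA-512 of the selected bytes

# Constructed placeholder bytes; in practice these come from the peer's X.509 cert.
CERT_DER = b"\x30\x82\x01\x00constructed-placeholder-der-certificate"
SPKI_DER = b"\x30\x59\x30\x13constructed-placeholder-spki"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse 'usage selector matching_type hexdata' (hex may span several tokens)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE_NAMES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA field value")
    data = bytes.fromhex("".join(parts[3:]))
    if (mtype == MATCH_SHA256 and len(data) != 32) or (mtype == MATCH_SHA512 and len(data) != 64):
        raise ValueError("association data length does not match the matching type")
    return TLSARecord(usage, selector, mtype, data)


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the certificate association data the TLSA record should carry."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def build_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Produce the presentation form an operator would publish under _443._tcp.<host>."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    expected = association_data(record.selector, record.matching_type, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def dane_ee_accepts(record: TLSARecord, cert_der: bytes, spki_der: bytes,
                    dnssec_validated: bool) -> bool:
    """Usage-3 decision: accept the presented (possibly self-signed) cert iff the
    TLSA lookup was DNSSEC-validated and the record matches the cert.
    Usages 0-2 additionally need PKIX or trust-anchor chain building, which this
    example does not model, so they are rejected here rather than guessed at."""
    if not dnssec_validated:
        # RFC 6698 section 4.1: unvalidated or bogus TLSA answers must be ignored.
        return False
    if record.usage != 3:
        return False
    return tlsa_matches(record, cert_der, spki_der)


if __name__ == "__main__":
    published = build_tlsa(3, SELECTOR_SPKI, MATCH_SHA256, CERT_DER, SPKI_DER)
    print("publish:", published)
    rec = parse_tlsa(published)
    print("accept with DNSSEC:", dane_ee_accepts(rec, CERT_DER, SPKI_DER, True))
    print("accept without DNSSEC:", dane_ee_accepts(rec, CERT_DER, SPKI_DER, False))
```

The `dnssec_validated` flag is the crux of the thread: without a validated answer the TLSA record is just another unauthenticated DNS response, and a client that honoured it would be trusting exactly the data cache poisoning can forge.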
