[Cryptography] DNSSEC = completely unnecessary?
Martin Rublik
martin.rublik at gmail.com
Tue Nov 5 08:32:14 EST 2013
On 4. 11. 2013 21:40, Guido Witmond wrote:
>
>>> Second, what seems to be often missing in the discussion is the
>>> consideration of synchronising TLSA records and the certificate-in-use.
>>> I don't subscribe to the view that this is very easy -- if scans of the
>>> HTTPS and SSH ecosystems have shown anything, then it is that poor
>>> deployment practices are to be blamed for a huge part of our problems,
>>> and none of DNSSEC/DANE/CAA solve those.
> Agreed. It's not easy. I hope there will be some parties that will offer
> these services for a modest fee to the site-operator. My DNS-registrar
> already offers managed DNSSEC. They take care of all the key-stuff. And if
> they mess up, there might be others. I have the choice. See it as a market
> opportunity for hosting providers.
>
Actually this might be harder than it looks. For illustration I recommend
reading:
- Deploying cryptography in Internet-scale systems: A case study on DNSSEC.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.158.1984&rep=rep1&type=pdf
as well as a little outdated but still interesting
- Perils of Transitive Trust in the Domain Name System
http://www.cs.cornell.edu/people/egs/papers/dnssurvey.pdf
Martin
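The "synchronising TLSA records and the certificate-in-use" problem from the quoted message is easy to state and easy to get wrong. The following is an added example, not code from the thread or from any of the cited papers: it computes the DANE-EE (usage 3) TLSA association data for a certificate (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512), checks a published RRset against the certificate a server is actually serving, and builds the transitional RRset an operator has to publish before swapping certificates. The certificates are constructed, minimal DER skeletons (the field contents are placeholders), so the SPKI extraction walks the real X.509 field order but no signature or key is involved.

```python
"""Added example: TLSA/certificate synchronisation check and rollover RRset.

Assumptions: DANE-EE usage (3) only; the sample "certificates" below are
constructed DER skeletons with placeholder fields, not real X.509 data.
"""
import hashlib


# --- minimal DER helpers (only what the check needs) -------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Encode one DER TLV (used to construct the sample certificate)."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = pos + 2 + n
    return tag, hdr, hdr + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    _, pos, _ = _read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                             # skip explicit [0] version
        pos = end
    for _ in range(5):                          # serial .. subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:end]


# --- TLSA logic --------------------------------------------------------------

def tlsa_association(cert_der, selector, matching_type):
    """Certificate association data as it would appear in a TLSA record."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unsupported matching type %d" % matching_type)


def rrset_matches(rrset, served_cert_der):
    """True if any (usage, selector, mtype, data) record covers the served cert."""
    for usage, selector, mtype, data in rrset:
        if usage != 3:                          # DANE-EE only in this example
            continue
        if tlsa_association(served_cert_der, selector, mtype) == data:
            return True
    return False


def rollover_rrset(old_cert_der, new_cert_der, selector=1, mtype=1):
    """RRset to publish (and let propagate past the TTL) before switching
    certificates: records for the old and the new certificate side by side."""
    return [
        (3, selector, mtype, tlsa_association(old_cert_der, selector, mtype)),
        (3, selector, mtype, tlsa_association(new_cert_der, selector, mtype)),
    ]


# --- constructed sample data -------------------------------------------------

def make_sample_cert(spki_bytes):
    """Constructed certificate skeleton; every field but the SPKI is a stub."""
    spki = der_tlv(0x30, spki_bytes)
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] version (v3)
                  + der_tlv(0x02, b"\x01")                 # serialNumber
                  + der_tlv(0x30, b"")                     # signature (stub)
                  + der_tlv(0x30, b"")                     # issuer (stub)
                  + der_tlv(0x30, b"")                     # validity (stub)
                  + der_tlv(0x30, b"")                     # subject (stub)
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


OLD_CERT = make_sample_cert(b"placeholder-old-key")
NEW_CERT = make_sample_cert(b"placeholder-new-key")


def demo():
    """Returns (matches_before, matches_after_silent_swap, matches_with_rollover)."""
    published = [(3, 1, 1, tlsa_association(OLD_CERT, 1, 1))]
    before = rrset_matches(published, OLD_CERT)
    # The failure mode from the thread: the certificate is replaced, DNS is not.
    stale = rrset_matches(published, NEW_CERT)
    # The correct sequence: publish both records first, then swap certificates.
    transitional = rollover_rrset(OLD_CERT, NEW_CERT)
    both = (rrset_matches(transitional, OLD_CERT)
            and rrset_matches(transitional, NEW_CERT))
    return before, stale, both


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Run against real data, `served_cert_der` would come from the TLS handshake of the service and `rrset` from a DNSSEC-validated TLSA query; a monitoring job that calls `rrset_matches` after every certificate renewal catches exactly the silent-swap case above before DANE-validating clients start refusing the connection.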