[Cryptography] DNSSEC = completely unnecessary?

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Tue Nov 5 12:05:01 EST 2013


 you seem to presume if the channel is secure, the data is protected.
 DNSSEC protects the integrity of the data, regardless of the channel.
 SSL only protects the channel... and we see that only protecting the 
 channel is fraught with peril.

 http://teespring.com/nsassl

/bill


On Sun, Nov 03, 2013 at 11:33:37PM -0500, Greg wrote:
> In all my readings on it I kept walking away thinking that I understood its purpose, but I'd then come back at myself with the same question: what does it give us over HTTPS?
> 
> I kept not being able to answer this question so I searched more, and eventually stumbled across these two comments on an article about DNSSEC:
> 
> http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec/#5830
> http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec/#5841
> 
> Selected quotes:
> 
> Unfortunately, DNSSEC isn't actually providing additional security against a genuine MITM attack: SSL/TLS is still the weak link in the chain when DNSSEC is used!
> 
> DNSSEC plus SSL/TLS is therefore not defence in depth against general MITM attacks. 
> 
> [..]
> 
> No, that's precisely wrong. Cache poisoning isn't a serious threat if SSL/TLS is working correctly. In the presence of functional SSL/TLS, DNS cache poisoning can only produce a denial of service attack. The scenario we're trying to prevent is, "A thinks he is talking with B, but is actually talking with C." Cache poisoning can give A the address of C instead of B, which is a start, but C can't pass himself off as B unless he compromises the SSL/TLS process.
> 
> SSL/TLS provides end-to-end security. It catches DNS forgery. It catches route hijacking. It catches an arbitrary man in the middle. If SSL/TLS is working, every security compromise that DNSSEC can prevent has already been covered, and then some. 
> 
> 
> What say you list? To me, the DNSSEC thing seems like it might be mostly a waste of a bunch of people's time.
> 
> - Greg
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
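The two checks argued over above, as an added illustration that is not part of the thread: a resolver that validates a zone signature over the A record (DNSSEC-style, independent of how the answer arrived) next to a client that only checks the name in the server's certificate (TLS-style). The zone key, names, addresses and the simplified RRSIG encoding are all constructed for the example; Ed25519 is used because it is a real DNSSEC algorithm (15), via the third-party cryptography package.

```python
# Added example, not from the thread. Models the two checks it contrasts:
# - data-origin check: an Ed25519 zone key signs the A RRset (DNSSEC algorithm 15
#   uses Ed25519); the resolver verifies the signature whatever channel delivered it.
# - channel check: the client compares the name in the endpoint's certificate with the
#   name it asked for, as TLS hostname validation does.
# Keys, names and addresses are constructed; the signature input is a simplification
# of a real RRSIG canonical form.
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.exceptions import InvalidSignature

ZONE_KEY = ed25519.Ed25519PrivateKey.generate()  # constructed ZSK for example.com
TRUST_ANCHOR = ZONE_KEY.public_key()              # what a validating resolver holds

def sign_rrset(name, rtype, rdata):
    """Sign the canonical form of one RRset with the zone key (stand-in for RRSIG)."""
    canonical = f"{name}|{rtype}|{rdata}".encode()
    return {"name": name, "type": rtype, "rdata": rdata, "rrsig": ZONE_KEY.sign(canonical)}

def validate_rrset(rr, trust_anchor=TRUST_ANCHOR):
    """DNSSEC-style validation: accept the data only if the zone signature verifies."""
    canonical = f"{rr['name']}|{rr['type']}|{rr['rdata']}".encode()
    try:
        trust_anchor.verify(rr["rrsig"], canonical)
        return True
    except InvalidSignature:
        return False

def tls_hostname_check(expected_name, presented_cert_name):
    """TLS-style check: the endpoint must present a certificate for the name we wanted."""
    return expected_name == presented_cert_name

# Constructed scenario: A asks for www.example.com (B). A poisoned cache hands back
# C's address; C's server can only present a certificate for its own name.
GENUINE = sign_rrset("www.example.com", "A", "192.0.2.10")
POISONED = dict(GENUINE, rdata="198.51.100.7")   # address rewritten, original RRSIG kept
CERT_AT = {"192.0.2.10": "www.example.com", "198.51.100.7": "attacker.example"}

def resolve_and_connect(rr, use_dnssec):
    """Outcome A sees for a given DNS answer, with or without DNSSEC validation."""
    if use_dnssec and not validate_rrset(rr):
        return "bogus-rejected"   # forged data never reaches the connect step
    if tls_hostname_check(rr["name"], CERT_AT[rr["rdata"]]):
        return "connected"        # talking to B
    return "tls-failed"           # the denial-of-service outcome the quoted comment describes
```

With TLS alone the poisoned answer ends in a failed handshake rather than impersonation; with DNSSEC validation it is discarded before any connection is attempted.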



> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
