[Cryptography] In defense of DNSSEC was :Preliminary review of the other Applied Cryptography

Guido Witmond guido at witmond.nl
Thu Apr 10 05:30:27 EDT 2014


On 04/09/14 21:46, tpb-crypto at laposte.net wrote:
>> Message of 09/04/14 18:33
>> From: "Joachim Strömbergson" 
>>
>> Sandy Harris wrote:
>>> However, if your main interest is how to build secure systems, I'd 
>>> put Anderson's "Security Engineering" at the top of the list: 
>>> https://www.cl.cam.ac.uk/~rja14/book.html
>>
>> https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
>> And he really doesn't like DNSSEC.
>>
> 
> Most of us can relate with that, the "SEC" in DNSSEC is kind of misleading to put it mildly. Of "SEC", DNSSEC has nothing. People were expecting some form of encryption to the standard when it was first announced and after a so long wait it came out still working in plaintext and worse, forcing people to expose their infrastructure to use it. What is the SEC in that really? SECurely allowing yourself to be snooped and spoofed? SECure to whom?
> 
> Maybe some lover of this standard can come forward to its defense.

I'll climb on my soap box.

DNSSEC, as prof. Gutmann describes, breaks the current expectations that
DNS works, even in the presence of errors, misconfigurations etc. The
goal of DNS has been that whatever happens, the end user must get
connected to a site, whether it's the bank or the phisher.

DNSSEC protects against DNS-tampering at the price of
a) a lot of complexity, and
b) hard errors. Fail fast is a feature, not a bug.

That is a steep price.

*The killer app for DNSSEC is DANE*

DANE is DNSSEC Authenticated Naming of Entities. It lets a site owner
publish their server certificate or root certificate in DNS.

This solves the *DigiNotar*-problem! For the first time in history,
browsers can validate *which* is the expected certificate of a site.

DANE specifies the *expectations*; the browser, with help of global
certificate registries such as Perspectives or Certificate Patrol, verifies
the actual observed certificates, raising an alarm if the expected
certificate is not found.

To me, that's worth the price of learning how to deal with DNSSEC and
its complexity. Something best outsourced to a competent DNS registry.
(Don't go for the bottom of the barrel, but hey, that's your choice).

With regards,

DNSSEC+DANE lover, Guido Witmond.


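DANE, as the post above describes, works by publishing the expected certificate (or just its public key) in a DNS TLSA record and having the client compare that against what the server actually presents. The following is an added example, not code from the post or from any DANE implementation: it carries out the RFC 6698 matching step (selector and matching-type handling) in Python, using a constructed DER skeleton in place of a real certificate.

```python
# Added example: DANE TLSA matching as defined in RFC 6698.  A TLSA record
# says which certificate (selector 0) or SubjectPublicKeyInfo (selector 1)
# to expect, either verbatim (matching type 0) or as a SHA-256/SHA-512 hash
# (types 1/2).  The "certificate" below is a constructed DER skeleton with
# the real X.509 field order; the field contents are placeholders.
import hashlib

def tlv(tag, body):
    """Minimal DER encoder (short-form length only, enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_children(data):
    """Split the body of a DER SEQUENCE into its top-level TLV elements."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        assert length < 128, "long-form lengths not handled in this sample"
        out.append(data[i:i + 2 + length])
        i += 2 + length
    return out

def spki_of(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded certificate."""
    tbs = der_children(cert_der[2:])[0]          # tbsCertificate
    fields = der_children(tbs[2:])
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def tlsa_matches(selector, matching_type, assoc_data, cert_der):
    """True if the presented certificate satisfies the TLSA association data."""
    subject = cert_der if selector == 0 else spki_of(cert_der)
    if matching_type == 0:
        return subject == assoc_data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return digest(subject).digest() == assoc_data

# Constructed sample certificate (hypothetical placeholder contents).
SPKI = tlv(0x30, tlv(0x30, b"\x06\x03\x2a\x03\x04") + tlv(0x03, b"\x00\x01\x02"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
          + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# TLSA "3 1 1": usage DANE-EE, SPKI selector, SHA-256 of the SPKI.
RECORD = (3, 1, 1, hashlib.sha256(SPKI).digest())
```

A real client would fetch the TLSA RRset with DNSSEC validation first; without a validated answer the record carries no more authority than the plaintext DNS the post complains about.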
