[Cryptography] Doing DNS properly Re: Apple's iCloud+ "VPN"

[Donald Eastlake]

On Mon, Jun 28, 2021 at 3:07 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> On Mon, Jun 28, 2021 at 4:19 AM Bill Woodcock <woody at pch.net> wrote:
>> > On Jun 26, 2021, at 8:17 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>> > Attempts to revise the DNS system have invariably fallen foul of second system syndrome. DNSSEC is a half baked attempt to turn the DNS into a PKI that has since been adopted as a solution to DNS insecurity
>>
>> There’s a lot wrapped up in there, but I generally agree.  DNSSEC is over-complicated and over-fragile, too arcane, and needlessly reinvents the wheel.  Yet it is better than nothing, and it’s what we wound up with.  Notably, I’m not an apologist with respect to RPKI, so I don’t just roll over and accept whatever half-assed thing makes it through the standardization compromise process.  I do very much think DNSSEC is better than nothing, and have put my money where my mouth is for more than twenty years.
>
> My problem is that DNSSEC was rolled out as the solution to the Kaminsky vulnerability in place of fixing the DNS protocol to add TSIG to every communication. A solution that has a major deployment footprint should not block simpler solutions that could have served everyone

DNSSEC and TSIG are orthogonal. DNSSEC authenticates DNS data, or the
non-existence of that data, based on the authority of the zone owner.
TSIG authenticates DNS messages based on the authority of a DNS server
you have chosen to trust (usually via a shared secret key). They work
quite well together. If you don't want to do DNSSEC yourself and trust
some server to do it for you, just negotiate TSIG to securely delegate
the DNSSEC processing to that server. I don't see how DNSSEC "block"s
TSIG.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3 at gmail.com