[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029

Tom Mitchell mitch at niftyegg.com
Thu Apr 24 03:22:17 EDT 2025


On Wed, Apr 23, 2025 at 2:20 PM Nico Williams <nico at cryptonector.com> wrote:

> On Wed, Apr 23, 2025 at 12:28:41PM -0700, Jon Callas wrote:
> > > What are the downsides to DNSSEC? Both honest and real, and imagined
> > > or excuses.
> >
> > If you haven't read Tom Ptacek's "Against DNS"
> > <https://sockpuppet.org/blog/2015/01/15/against-dnssec/>, you should.
> > While not every one of his comments are things everyone agrees with,
> > the points are all well-argued.

.....

> complaint about DNSSEC.
> Looking at Thomas' arguments:
>
>  - "DNSSEC is Unnecessary"
>
...

>  - "DNSSEC is a Government-Controlled PKI"
>
..

>  - "DNSSEC is Cryptographically Weak"
>
..

>  - "DNSSEC is Expensive To Adopt"
>
..

>  - "DNSSEC is Expensive To Deploy"
>
..

>  - "DNSSEC is Incomplete"
>
...

>  - "DNSSEC is Unsafe"
>

It seems the problem of expiring a cert is fragile and the
"solution" is to make the system even more fragile.

What if commerce and government sites needed a pair of certificates that
expire out of phase with each other.  Today I can allow an unsigned side
"http" to connect or demand only "https".  A pair of lookups requires funny
business at two locations.

Another is to add a layer to always check for expiration or revocation.

Another is to add a browser data class "retain X,Y,Z" and verify against
new.

On the surface, expiration at 47 days is busy work that will generate false
alarms.  It needs to be LONGER than a corporation sabbatical or school break
or seasonal shut down.

The Chrome tool HTTPS Everywhere could be extended to always check in
multiple ways as per merchant and government policy.  i.e. http, https,
htpss, https3,,,,,

Bind/DNS could have additional records that can be cached (timer, or never
cached).  The key to improve is to interlock useful and modest checks that
have reasonable independence.

Some checks can be expensive but those should be uncommon.



    T o m    M i t c h e l l  (on NiftyEgg[.]com )
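The following is an added worked example, not part of the post above and not code from any project named in it. It quantifies the "pair of certificates that expire out of phase" idea against the 47-day lifetime under discussion: given a renewal schedule, how many days of valid certificate remain if renewal automation stalls at the worst possible moment (a shutdown, a sabbatical, a broken cron job), and whether a planned break of a given length fits inside that margin. The lifetime, the renew-before margin, the 23-day stagger and the 400-day horizon are assumed values chosen for illustration.

```python
"""Worst-case remaining certificate validity under a renewal schedule.

Assumed model (not from the mailing-list post): a 'chain' is one slot that
re-issues a fresh certificate `renew_before` days before the current one
expires; a site may serve several chains and is reachable as long as any
one of them still holds an unexpired certificate.
"""

LIFETIME_DAYS = 47          # assumed: the 47-day cap discussed in the thread
HORIZON_DAYS = 400          # assumed simulation window (a bit over a year)


def issue_days(first_issue, lifetime, renew_before, horizon):
    """Days on which one chain (re)issues a certificate.

    Each new certificate is issued `renew_before` days before the current
    one expires; renew_before=0 means 'renew exactly at expiry'.
    """
    if not 0 <= renew_before < lifetime:
        raise ValueError("renew_before must be in [0, lifetime)")
    days = [first_issue]
    while days[-1] + lifetime - renew_before <= horizon:
        days.append(days[-1] + lifetime - renew_before)
    return days


def days_left(issues, lifetime, day):
    """Validity left at `day` for the newest cert in one chain (0 if none)."""
    live = [d for d in issues if d <= day]
    if not live:
        return 0
    return max(0, live[-1] + lifetime - day)


def worst_case_remaining(chains, lifetime, horizon):
    """Minimum over time of the best remaining validity across all chains.

    This is how many days the site stays reachable if every renewal job
    stops at the worst moment. Days before `lifetime` are skipped so the
    initial issuance does not distort the steady-state figure.
    """
    return min(
        max(days_left(chain, lifetime, day) for chain in chains)
        for day in range(lifetime, horizon)
    )


def survives_break(chains, lifetime, horizon, break_days):
    """True if a renewal outage of `break_days` can never cause an expiry."""
    return worst_case_remaining(chains, lifetime, horizon) >= break_days


# Constructed schedules for comparison.
# One chain renewed 10 days before expiry.
SINGLE = [issue_days(0, LIFETIME_DAYS, 10, HORIZON_DAYS)]
# Two chains renewed at expiry, the second issued 23 days out of phase.
PAIR = [
    issue_days(0, LIFETIME_DAYS, 0, HORIZON_DAYS),
    issue_days(23, LIFETIME_DAYS, 0, HORIZON_DAYS),
]


if __name__ == "__main__":
    for name, chains in (("single", SINGLE), ("staggered pair", PAIR)):
        margin = worst_case_remaining(chains, LIFETIME_DAYS, HORIZON_DAYS)
        print(f"{name}: worst-case {margin} days of validity after renewal stops")
        for break_len in (14, 21, 30):
            ok = survives_break(chains, LIFETIME_DAYS, HORIZON_DAYS, break_len)
            print(f"  {break_len}-day shutdown: {'safe' if ok else 'EXPIRES'}")
```

Run it and vary the renew-before margin, the stagger and the lifetime: whatever schedule is chosen, the number that has to exceed the longest planned break is `worst_case_remaining`, and with a 47-day lifetime it can never reach 47.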