[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Christian Huitema
huitema at huitema.net
Thu Apr 24 15:36:29 EDT 2025
On 4/24/2025 4:43 AM, Michael Kjörling wrote:
> In an ideal world where everything works exactly as intended, having
> DNSSEC (and only DNSSEC) secures the mapping between the host name and
> the ultimate IP address returned by the name service, but does not
> authenticate or secure the established communications channel.
DANE and DNSSEC are about more than IP addresses. People focus on the
name to address function, and yes securing that is just mildly
interesting. Determined attackers can change IP routing using NAT, BGP
hacks, etc. Using the right address is not a 100% protection against
MITM. But DANE uses DNSSEC for more than getting the right address. It
uses the DNS as a database to get the site's certificate, as certified
by the DNS root key, the TLD key certified by the DNS root key, and the
domain's key certified by the TLD key.
That's a tighter chain than PKI. That's certainly a tighter chain than
CAs that check a certificate claim by demonstrating control of a DNS
domain. Unless you use DNSSEC to verify that domain ownership...
-- Christian Huitema
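The TLSA matching step that DANE performs once the DNSSEC-signed record is in hand, as an added Python example (not code from the thread or from any DANE implementation). It assumes the record has already passed DNSSEC validation and that the caller has pulled the leaf certificate and its SubjectPublicKeyInfo out of the TLS handshake as DER; the certificate bytes below are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass
# TLSA field values from RFC 6698 (only those this example exercises).
USAGE_DANE_EE = 3                  # the record itself is the trust anchor; no CA in the loop
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1   # match whole certificate, or only its SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form 'usage selector matching hex', e.g. '3 1 1 ab12...'."""
    usage, selector, matching, hexdata = rdata.split(maxsplit=3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", "")))

def association_data(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must equal for this certificate (selector + matching type)."""
    selected = cert_der if tlsa.selector == SELECTOR_FULL_CERT else spki_der
    if tlsa.matching == MATCH_EXACT:
        return selected
    if tlsa.matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if tlsa.matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {tlsa.matching}")

def tlsa_matches(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate is the one the DNSSEC-signed record vouches for.
    Usages 0 and 1 additionally require ordinary PKIX chain validation (RFC 7671);
    usage 3 does not, which is the 'certificate comes from the DNS' case discussed above."""
    return hmac.compare_digest(association_data(tlsa, cert_der, spki_der), tlsa.data)

def tlsa_record_for(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> str:
    """The presentation-form record an operator would publish for this certificate."""
    probe = TLSA(usage, selector, matching, b"")
    return f"{usage} {selector} {matching} {association_data(probe, cert_der, spki_der).hex()}"

# Constructed stand-ins: a real client takes these from the TLS handshake and parses
# the SubjectPublicKeyInfo out of the leaf certificate's DER.
CERT_DER = b"constructed-leaf-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info-der-bytes"

def check(record: str, cert_der: bytes = CERT_DER, spki_der: bytes = SPKI_DER) -> bool:
    """Validate a presented certificate against one TLSA record already validated by DNSSEC."""
    return tlsa_matches(parse_tlsa(record), cert_der, spki_der)
```

A key rotation or certificate reissue that is not reflected in the DNS fails the match, which is exactly the failure mode operators must plan for when the record, not a CA, is the trust anchor.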