[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029
Bill Woodcock
woody at pch.net
Thu Apr 24 17:46:33 EDT 2025
> On Apr 24, 2025, at 00:15, Ron Garret <ron at flownet.com> wrote:
>> On Apr 23, 2025, at 5:17 PM, Bill Woodcock <woody at pch.net> wrote:
>> So I care a lot about DNSSEC, because it’s something I can build a reasonably secure system with
>
> How? That's not a rhetorical question, I'm genuinely curious. I get that secure DNS is better than insecure DNS. What I don't get is why you think that secure DNS *by itself* is *better* than CA certs.
DNS is just a building-block with which to put together a system that solves a problem. Generally, the problem is “how do I connect from a device under my control to a server under my control to transfer [email|web pages|files] between them?”
TLS auth and client auth take care of the connection, once the two devices are talking to each other. But I need to be able to find the server, and that needs to be resilient in the face of load balancing, dynamic response to attacks, etc. So I need to be able to tell the client what IP address to connect to, and I need to be able to do that in real time, not just depend on the client having a list to try. I also need to be able to bootstrap the TLS key exchange, and I need that, too, to be resilient in the face of compromised keys and so forth. DNS / DNSSEC / DANE allow me to do that. Assuming I use a TLD, the one party that can really screw things up is the party wielding the root-zone ZSK. But if they want to screw something up, they have to do it publicly, because they only control a portion of the root-zone nameservers, and that’s not the portion that I depend upon. So, if they want to screw me over, they have to tell me in advance that they want to screw me over, and I have to decide to let them do it. Because my clients are talking to my recursive resolvers, which are talking to my authoritative server stack. And I can inject and decide to trust a new root-zone KSK for my own purposes, if I really need to.
But all that falls apart if the software on my client device is willing to trust a CA cert. I can fix that for (for instance) email, but right now Ladybird is the only web browser that’s going in the right direction. So whenever I get a new software tool in, my worry is that it’s going to trust CA certs and ignore DANE certs. I can’t prevent bad CAs from existing, and I can’t know when they’ve issued a new bogus cert. But with DANE, there’s only one organization that can issue something bogus, and they have to do it publicly, and I can choose to override it. Which meets my needs.
-Bill
Please consider the environment before using AI to process this email.
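
The client-side policy described in the message above (accept a DNSSEC-validated DANE binding, never a CA-only one) can be sketched as a TLSA matcher following RFC 6698. This is an added example, not part of the original post or of any project's code; the function names and the byte strings standing in for DER data are constructed, and it covers only DANE-EE (usage 3), not DANE-TA chain building.

```python
import hashlib
import hmac
from dataclasses import dataclass

DANE_EE = 3  # TLSA certificate usage 3: the record pins the server's own cert/key

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 ab12 cd34' (hex may be split)."""
    usage, selector, mtype, *hexparts = rdata.split()
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if not (0 <= rec.usage <= 3 and 0 <= rec.selector <= 1 and 0 <= rec.mtype <= 2):
        raise ValueError(f"unsupported TLSA parameters: {rdata!r}")
    return rec

def digest(mtype: int, blob: bytes) -> bytes:
    """Apply the TLSA matching type to the selected bytes."""
    if mtype == 0:
        return blob
    return hashlib.sha256(blob).digest() if mtype == 1 else hashlib.sha512(blob).digest()

def dane_ee_match(records, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """True only if a DNSSEC-validated DANE-EE record pins this certificate or key.

    Assumed policy, modelling the stance in the message: PKIX-TA/PKIX-EE
    records (which still rely on a CA chain) are ignored, and nothing is
    trusted unless the TLSA RRset itself passed DNSSEC validation.
    """
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage != DANE_EE:
            continue
        presented = spki_der if rec.selector == 1 else cert_der
        if hmac.compare_digest(digest(rec.mtype, presented), rec.data):
            return True
    return False

# Constructed stand-ins for DER bytes; a real client takes them from the TLS handshake.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
PINNED_KEY = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI).hexdigest())
CA_ONLY = parse_tlsa("1 1 1 " + hashlib.sha256(SPKI).hexdigest())
```

Pinning the SPKI (selector 1) rather than the full certificate lets the certificate be reissued without republishing the TLSA record, as long as the key is unchanged.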