[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Shreyas Zare shreyas at technitium.com
Fri Apr 25 09:15:29 EDT 2025 

On 4/25/2025 5:29 PM, Christian de Larrinaga wrote:
> Shreyas Zare<shreyas at technitium.com> writes:
>
>> On 4/25/2025 3:36 PM, Christian de Larrinaga wrote:
>>> Shreyas Zare via cryptography<cryptography at metzdowd.com> writes:
>>>>> *That* is what certificates protect against.  DNSSEC will not help
>>>>> you at all because as long as you are connected to my hot spot, I
>>>>> control the entire Internet from your point of view, not just DNS.
>>>> DNSSEC will help protect with DANE. Controlling a hot spot does not
>>>> make it vulnerable.
>>>>
>>>> Its about time web browsers add support for DANE as an alternative
>>>> option for people who want to use it.
>>>>
>>>> Regards,
>>>> *Shreyas Zare*
>>> DNSSEC signing a zone to the root is needed first?
>> Yes, that's the prerequisite to have the zone signed. Which is much
>> easier to do with some DNS providers which give you an ON/OFF switch
>> to sign your zone.
> if DANE is totally dependent on DNSSEC being correctly implemented that
> is a significant barrier.

These things are automated and the zone admin does not have to manually 
do most of the things anymore. It does require some learning to be done 
by the admins similar to how they needed to learn to get and deploy SSL 
certs. Its not much different and easily doable. Its even better once 
deployed since there is no concept of "expiry" like with SSL certs and 
user can define how frequent they wish to do a key rollover.


> In regards validating self signed certs in DANE how does the service and
> also a user of a service that has implemented DNSSEC and DANE for a zone
> distinguish if both the DNS delegation is signed and operating correctly
> and the service self signed cert is authentic and can be "trusted"?

DANE uses TLSA DNS resource record which contains the hash of the SSL 
cert so that the client can match it with the cert the server returned 
during TLS handshake to validate it. Application that support DANE would 
need to use a DNS library that does DNSSEC validation to fetch TLSA 
record. If the TLSA record is returned without any validation errors, it 
can be used to validate the server's SSL cert. The library just needs to 
know the root zone's public key hashes (root anchors [1]) and it would 
validate all delegations using it automatically.

Regards,
*Shreyas Zare*
Technitium <https://technitium.com/>

[1] https://data.iana.org/root-anchors/root-anchors.xml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20250425/7e5cb63d/attachment.htm>

More information about the cryptography mailing list