[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
Viktor Dukhovni
cryptography at dukhovni.org
Sat Apr 26 21:19:31 EDT 2025
On Sat, Apr 26, 2025 at 10:00:57AM -0700, Christian Huitema wrote:
> Whether that's an argument for DNSSEC is a bit debatable. Yes, it would be
> nice if the HTTPS record was properly signed, etc. But DoH (or DoT) already
> protects against the "last mile" attacks, so we are left with attacks on the
> name resolution by the DoH server. Also, there is a high correlation between
> the "authoritative DNS" for a domain and the "CDN server" for that domain.
Well, that does not help the user whose DoH server is with a different
provider, say querying Google when the content is on Amazon, Azure,
Cloudflare, Godaddy, ..., OVH, ...
> See for example https://ithi.research.icann.org/graph-m9.html, which shows
> that the most popular DNS servers for big domains are Cloudflare, AWS,
> Google and Akamai. If you are making a DoH connection to Cloudflare and the
> authoritative server for the domain is also Cloudflare, DNSSEC does not
> bring a lot of value...
I eagerly await the day when Cloudflare is the sole DNS and content
provider for the entire Internet, embracing and extending sri-nic.arpa.
:-)
--
Viktor.