[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029

Shreyas Zare shreyas at technitium.com
Sun Apr 27 06:57:32 EDT 2025


On 4/27/2025 7:52 AM, Paul Wouters wrote:
>> It actually stretches over a much longer time period, Thomas Ptacek's
>> original series of essays, which went into much more detail than the
>> 2015 post, was "The Case Against DNSSEC" from 2007, about the same time
>> attempts were first made to deploy it.  The APNIC post, incidentally on
>> a blog run by an organisation charged with deploying DNSSEC, that it's
>> essentially failed, is telling: It's solving a problem that most people
>> don't care about at a cost that most people do care about.
>
> Mail has the same thing with MTA-STS being a 30 page workaround RFC for
> not wanting to use DNSSEC (where a few more RTTs doesn't even matter)

Funny thing about MTA-STS is that it depends on DNS TXT records to 
discover a domain's MTA-STS policy to protect against MITM attacks.

An attacker in a position to do MITM may also be able to control DNS in 
the same network, which makes the entire exercise futile.


> People currently might not "care about" protecting DNS content, but they
> will care once we see more and more attacks on these DNS public keys and
> tokens causing security issues. Right now, people don't care because its
> just easier to own people using email attachments. But all this is still
> technical debt accumulating.

Be it DV certs, TLS ECH, MTA-STS, etc., they all fundamentally depend on 
DNS, which is something that many fail to realize.

Regards,
*Shreyas Zare*
Technitium <https://technitium.com/>
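The DNS dependence of MTA-STS discussed above, as an added example that is not part of the original message and is not Technitium code. It follows RFC 8461: the sender looks up a `_mta-sts.<domain>` TXT record, fetches `/.well-known/mta-sts.txt` when the record's id is new, caches the policy for `max_age`, and in `enforce` mode only delivers to an MX matching the policy's `mx` patterns over a validated TLS connection. The domain `example.org`, the TXT record, the policy file and the MX hostnames are all constructed for the example; the `fetch` callable stands in for the HTTPS retrieval so the code runs offline.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative RFC 8461 (MTA-STS) discovery and policy application.
# Not Technitium code; every record and hostname below is constructed.

TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")


@dataclass
class Policy:
    policy_id: str
    mode: str                 # "enforce", "testing" or "none"
    mx: list[str]             # MX patterns, e.g. "mail.example.org", "*.example.org"
    max_age: int              # seconds the policy may be cached
    fetched_at: float = field(default_factory=time.time)

    def expired(self, now: Optional[float] = None) -> bool:
        return (now or time.time()) > self.fetched_at + self.max_age


def parse_sts_txt(txt_values: list[str]) -> Optional[str]:
    """Policy id from the _mta-sts.<domain> TXT record set, or None.
    RFC 8461 s3.1: exactly one valid STSv1 record, otherwise treat as absent."""
    ids = [m.group(1) for v in txt_values if (m := TXT_RE.match(v.strip()))]
    return ids[0] if len(ids) == 1 else None


def parse_policy_file(policy_id: str, body: str) -> Optional[Policy]:
    """Parse /.well-known/mta-sts.txt ("key: value" per line); None if invalid."""
    fields: dict[str, list[str]] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            return None
        fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"] or "mode" not in fields or "max_age" not in fields:
        return None
    mode = fields["mode"][0]
    if mode not in ("enforce", "testing", "none"):
        return None
    try:
        max_age = int(fields["max_age"][0])
    except ValueError:
        return None
    return Policy(policy_id, mode, fields.get("mx", []), max_age)


def mx_matches(mx_host: str, patterns: list[str]) -> bool:
    """RFC 8461 s4.1: a leading '*' matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for p in patterns:
        p = p.lower().rstrip(".")
        if p.startswith("*."):
            suffix = p[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == p:
            return True
    return False


def effective_policy(txt_values: list[str], cached: Optional[Policy],
                     fetch: Callable[[], Optional[str]],
                     now: Optional[float] = None) -> Optional[Policy]:
    """Discovery: the DNS TXT record decides whether a policy exists and whether
    to refetch. No TXT record and no unexpired cache means no policy at all."""
    policy_id = parse_sts_txt(txt_values)
    if cached is not None and not cached.expired(now):
        if policy_id is None or policy_id == cached.policy_id:
            return cached       # TXT lookup failure does not discard a cached policy
    if policy_id is None:
        return None
    body = fetch()
    if body is None:
        return cached if cached is not None and not cached.expired(now) else None
    return parse_policy_file(policy_id, body)


def allow_delivery(policy: Optional[Policy], mx_host: str, tls_ok: bool) -> bool:
    """Application: enforce mode needs a matching MX and a validated TLS session;
    no policy (or testing/none) means opportunistic delivery proceeds."""
    if policy is None or policy.mode != "enforce":
        return True
    return tls_ok and mx_matches(mx_host, policy.mx)


# Constructed records for example.org (not real DNS data).
GOOD_TXT = ["v=STSv1; id=20250427a"]
GOOD_POLICY_FILE = ("version: STSv1\nmode: enforce\nmx: mail.example.org\n"
                    "mx: *.backup.example.org\nmax_age: 604800\n")


def demo() -> tuple[bool, bool, bool, bool]:
    fetch = lambda: GOOD_POLICY_FILE
    # Honest DNS, first contact: policy discovered, legit MX allowed, rogue MX refused.
    pol = effective_policy(GOOD_TXT, None, fetch)
    legit = allow_delivery(pol, "mail.example.org", tls_ok=True)
    rogue = allow_delivery(pol, "mx.attacker.example", tls_ok=True)
    # Attacker controlling the sender's DNS view withholds the TXT record:
    # a first-contact sender finds no policy and delivers to the rogue MX.
    first_contact = allow_delivery(effective_policy([], None, fetch),
                                   "mx.attacker.example", tls_ok=True)
    # A returning sender with an unexpired cached policy keeps enforcing it.
    returning = allow_delivery(effective_policy([], pol, fetch),
                               "mx.attacker.example", tls_ok=True)
    return legit, rogue, first_contact, returning
```

`demo()` returns `(True, False, True, False)`: with the TXT record withheld, the first-contact sender is downgraded exactly as the message describes, while a sender that already cached the policy is protected only until `max_age` runs out, so the DNS dependence is deferred rather than removed. The HTTPS fetch adds a second DNS dependence, since the `mta-sts.<domain>` certificate is normally a DV cert issued on the strength of DNS-based validation.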

