<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<div class="moz-cite-prefix">On 4/27/2025 7:52 AM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ac45201d-c6e4-dfe8-0efc-7aeb411b8f40@nohats.ca">
<blockquote type="cite">It actually stretches over a much longer
time period, Thomas Ptacek's original
<br>
series of essays, which went into much more detail than the 2015
post, was
<br>
"The Case Against DNSSEC" from 2007, about the same time
attempts were first
<br>
made to deploy it. The APNIC post, incidentally on a blog run
by an
<br>
organisation charged with deploying DNSSEC, that it's
essentially failed, is
<br>
telling: It's solving a problem that most people don't care
about at a cost
<br>
that most people do care about.
<br>
</blockquote>
<br>
Mail has the same thing with MTA-STS being a 30 page workaround
RFC for
<br>
not wanting to use DNSSEC (where a few more RTTs don't even
matter)
<br>
</blockquote>
<p>Funny thing about MTA-STS is that it depends on DNS TXT records
to discover a domain's MTA-STS policy to protect against MITM
attacks.</p>
<p>An attacker in a position to do MITM may also be able to control DNS
in the same network, which makes the entire exercise futile.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:ac45201d-c6e4-dfe8-0efc-7aeb411b8f40@nohats.ca">People
currently might not "care about" protecting DNS content, but they
<br>
will care once we see more and more attacks on these DNS public
keys and
<br>
tokens causing security issues. Right now, people don't care
because it's
<br>
just easier to own people using email attachments. But all this is
still
<br>
technical debt accumulating.
<br>
</blockquote>
<p>Be it DV certs, TLS ECH, MTA-STS, etc., they fundamentally depend
on DNS, which is something that many fail to realize.<br>
</p>
<div class="moz-signature">
<p>
Regards,<br>
<b>Shreyas Zare</b><br>
<a href="https://technitium.com/">Technitium</a>
</p>
</div>
<p></p>
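<p>The discovery dependence discussed in this message, as an added example that is not part of the thread and not code from any MTA-STS implementation: a toy sender that parses the <code>_mta-sts</code> TXT record and the fetched policy file, matches MX hosts against the policy's patterns, and keeps the RFC 8461 policy cache. The domain names, record contents and the <code>fetch_policy</code> callable that stands in for the HTTPS fetch are constructed for the example. It shows both halves of the point: on first contact (or after the cached policy expires) a missing TXT record means no policy at all, while an unexpired cached policy keeps being enforced even when a later DNS answer is empty.</p>

```python
"""Toy MTA-STS sender logic (added example, not from the thread).
Shows why policy discovery depends on DNS and how the RFC 8461 policy
cache limits that dependence to first contact and cache expiry.
Domain names and policy contents below are constructed for the example."""
import time
from dataclasses import dataclass


@dataclass
class Policy:
    mode: str          # "enforce", "testing" or "none"
    mx: list           # allowed MX patterns, e.g. "mx1.example.com", "*.example.com"
    max_age: int       # seconds the policy may be cached
    policy_id: str     # "id" from the TXT record that announced this version
    fetched_at: float  # time the policy was fetched (seconds since epoch)


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record; return its id, or None if it is not STSv1."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(body, policy_id, now):
    """Parse the text/plain policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version, mode, mx, max_age = None, None, [], None
    for line in body.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    return Policy(mode, mx, max_age, policy_id, now)


def mx_matches(host, pattern):
    """An MTA-STS wildcard such as '*.example.com' covers exactly one leading label."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern


def mx_allowed(policy, mx_host):
    """True if delivery to mx_host is permitted (no policy means deliver as today)."""
    if policy is None or policy.mode != "enforce":
        return True
    return any(mx_matches(mx_host, pattern) for pattern in policy.mx)


def resolve_policy(cache, domain, dns_txt, fetch_policy, now):
    """Return (policy, source): the policy to apply for `domain` and where it came from.

    dns_txt      -- TXT record answer for _mta-sts.<domain>, or None if nothing was returned
    fetch_policy -- callable(domain) -> policy body or None (stands in for the HTTPS fetch)
    """
    cached = cache.get(domain)
    new_id = parse_sts_txt(dns_txt) if dns_txt else None
    if cached and now < cached.fetched_at + cached.max_age:
        # Unexpired cache: an absent or altered TXT answer cannot downgrade the sender;
        # the cached policy is only replaced when a new id is announced and the fetch succeeds.
        if new_id and new_id != cached.policy_id:
            body = fetch_policy(domain)
            if body is not None:
                cache[domain] = parse_policy(body, new_id, now)
                return cache[domain], "refreshed"
        return cached, "cached"
    # No usable cache (first contact or expired policy): discovery rests entirely on DNS.
    if new_id is None:
        return None, "no-policy"
    body = fetch_policy(domain)
    if body is None:
        return None, "fetch-failed"
    cache[domain] = parse_policy(body, new_id, now)
    return cache[domain], "fetched"


# --- constructed scenario (hypothetical names and values) ----------------------
HONEST_TXT = "v=STSv1; id=20250427T000000"
HONEST_POLICY = "version: STSv1\nmode: enforce\nmx: *.example.com\nmax_age: 604800\n"
ROGUE_MX = "mail.interposed.example"  # placeholder for an MX host the policy does not list


def demo(now=None):
    """Run four deliveries and report (source, rogue-MX-accepted?) for each."""
    now = time.time() if now is None else now
    fetch = lambda domain: HONEST_POLICY
    results = {}
    cache = {}  # 1) first contact while the TXT answer is missing: no policy, rogue MX accepted
    policy, src = resolve_policy(cache, "example.com", None, fetch, now)
    results["first_contact_dns_stripped"] = (src, mx_allowed(policy, ROGUE_MX))
    cache = {}  # 2) first contact with an honest answer: policy fetched and cached
    policy, src = resolve_policy(cache, "example.com", HONEST_TXT, fetch, now)
    results["first_contact_honest"] = (src, mx_allowed(policy, "mx1.example.com"), mx_allowed(policy, ROGUE_MX))
    # 3) later the TXT answer is missing again: the cached policy still rejects the rogue MX
    policy, src = resolve_policy(cache, "example.com", None, fetch, now + 3600)
    results["later_dns_stripped"] = (src, mx_allowed(policy, ROGUE_MX))
    # 4) after max_age the cache expires and the sender is back to depending on DNS
    policy, src = resolve_policy(cache, "example.com", None, fetch, now + 604800 + 1)
    results["after_expiry_dns_stripped"] = (src, mx_allowed(policy, ROGUE_MX))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

<p>Scenarios 1 and 4 are the cases the message is about: with no cached policy, whoever controls the DNS answer decides whether any policy is applied at all. Scenario 3 is the mitigation MTA-STS actually offers, a cached policy that outlives individual DNS lookups for <code>max_age</code> seconds, which is why long <code>max_age</code> values and regular refreshes matter to the receiving domain, and why the TXT record alone is not what provides the protection.</p>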
</body>
</html>