[Ach] DNSSEC and reference/mention to it

christian mock cm at coretec.at
Mon Feb 3 13:47:11 CET 2014

On Mon, Feb 03, 2014 at 12:14:58PM +0100, Aaron Zauner wrote:

> What's your opinion on DNSSEC and DANE? I think we're running into the
> same issue as with X.509 hierarchical trust structure (a few people,
> most of them based in the US of A holding root keys). This is an issue
> IMHO. Please discuss if we should even think about adding DNSSEC/DANE to
> our paper or write a section suggesting looking into further development
> of distributed trust infrastructure..

Yes, I think we should add it.

While DNSSEC is also a hierarchical trust model, as I understand it it
differs in important ways from the X.509 model:

- a domain name can only ever be signed via one specific path, so when
  one key (except the root) is compromised it only should affect
  subdomains of that key's domain. It also means $EVIL_STATE's
  government-controlled registry cannot simply sign facebook.com's DNS
  records, only *.$EVIL_STATE.

- there's a variety of actors involved which are, to put it nicely,
  critically observing each other; I don't think ICANN could get away
  with doing something bad and observable without a world-wide

Also remember that the mission is to increase spook's cost to
compromise our infrastructure. That is definitely the case when they
need to subvert DNSSEC, while for normal DNS it's practically free.


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list