[Ach] DNSSEC and reference/mention to it
cm at coretec.at
Mon Feb 3 13:47:11 CET 2014
On Mon, Feb 03, 2014 at 12:14:58PM +0100, Aaron Zauner wrote:
> What's your opinion on DNSSEC and DANE? I think we're running into the
> same issue as with X.509 hierarchical trust structure (a few people,
> most of them based in the US of A holding root keys). This is an issue
> IMHO. Please discuss if we should even think about adding DNSSEC/DANE to
> our paper or write a section suggesting looking into further development
> of distributed trust infrastructure..
Yes, I think we should add it.
While DNSSEC is also a hierarchical trust model, as I understand it it
differs in important ways from the X.509 model:
- a domain name can only ever be signed via one specific path, so when
one key (except the root) is compromised it only should affect
subdomains of that key's domain. It also means $EVIL_STATE's
government-controlled registry cannot simply sign facebook.com's DNS
records, only *.$EVIL_STATE.
- there's a variety of actors involved which are, to put it nicely,
critically observing each other; I don't think ICANN could get away
with doing something bad and observable without a world-wide
Also remember that the mission is to increase spook's cost to
compromise our infrastructure. That is definitely the case when they
need to subvert DNSSEC, while for normal DNS it's practically free.
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
More information about the Ach