Julien Vehent julien at linuxwall.info
Mon Feb 3 16:59:43 CET 2014

On 2014-02-03 06:14, Aaron Zauner wrote:
> Browsing through the pull request on GitHub for Kerberos (which is a
> very good addition to the paper, just waiting for proper references to
> url-items and BibTeX - Then I'm merging this!): I've noticed missing
> reference to DNSSEC.
> What's your opinion on DNSSEC and DANE? I think we're running into the
> same issue as with X.509 hierarchical trust structure (a few people,
> most of them based in the US of A holding root keys). This is an issue
> IMHO. Please discuss if we should even think about adding DNSSEC/DANE to
> our paper or write a section suggesting looking into further development
> of distributed trust infrastructure.

There has been a lot of discussion on whether DNSSEC adds security when
already using TLS at the protocol level. The main argument is that both
TLS and DNSSEC use a 3rd party trust model, and thus have the same level
of security. If an attacker can obtain a certificate for example.net, he
should be capable of obtaining a signed DNS record for example.net.

The question is then: is DNSSEC worth the effort?

- Julien

