[Ach] DNSSEC and reference/mention to it

Alexander Wuerstlein arw at cs.fau.de
Mon Feb 3 17:04:42 CET 2014

On 14-02-03 17:00, Julien Vehent <julien at linuxwall.info> wrote:
> On 2014-02-03 06:14, Aaron Zauner wrote:
> >Hi,
> >
> >Browsing through the pull request on GitHub for Kerberos (which is a
> >very good addition to the paper, just waiting for proper references to
> >url-items and BibTeX - Then I'm merging this!): I've noticed missing
> >reference to DNSSEC.
> >
> >What's your opinion on DNSSEC and DANE? I think we're running into the
> >same issue as with X.509 hierarchical trust structure (a few people,
> >most of them based in the US of A holding root keys). This is an issue
> >IMHO. Please discuss if we should even think about adding DNSSEC/DANE to
> >our paper or write a section suggesting looking into further development
> >of distributed trust infrastructure..
> >
> >Thanks,
> >Aaron
> There have been a lot of discussions on whether DNSSEC adds security when
> already using TLS at the protocol level. The main argument is that both
> TLS and DNSSEC use a 3rd party trust model, and thus have the same level
> of security. If an attacker can obtain a certificate for example.net, he
> should be capable of obtaining a signed DNS record for example.net.
> The question is then: is DNSSEC worth the effort?

That is a very HTTP-centric view of things which is only valid if there
is nothing else. But redirecting SMTP connections via faked DNS entries
is still a problem even with TLS since SMTP only uses opportunistic
encryption with minimal or no checks. Other protocols may have similar
(albeit similarly stupid) problems, so yes, DNSSEC is worth the effort,
at least until every protocol does TLS properly and always.


Alexander Wuerstlein.
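As an added example (not code from the Ach thread or from any of its participants), here is the check that closes the gap Alexander describes: a DANE-EE TLSA match (RFC 6698 usage 3, selector 1, matching type 1, the usual "3 1 1" form) applied to a mail server certificate, placed next to the opportunistic STARTTLS fallback that accepts anything. Everything is constructed in-line: the certificates come from a tiny DER encoder with placeholder moduli and all-zero signatures, the TLSA record is derived from the legitimate certificate, and the `dnssec_secure` flag stands in for the resolver's validated (AD) status, which the SMTP profile of DANE (RFC 7672) requires before TLSA data may be used at all. The function names `make_cert`, `extract_spki`, `dane_ee_match` and `accept_smtp_server`, and the host name mx.example.net, are assumptions of this example, not anything from the mail.

```python
"""Added example, not from the Ach thread: DANE-EE (TLSA usage 3) matching
for an SMTP server certificate, beside the opportunistic-TLS fallback.
Certificates and TLSA data are constructed in-line; no real keys, records
or signatures are involved."""
import hashlib

# --- minimal DER helpers ---------------------------------------------------

def tlv(tag, content):
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):
    """Return (tag, value, end) for the TLV that starts at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its raw child TLVs (headers kept)."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

# --- constructed certificates (placeholder keys, zero signatures) ----------

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
OID_CN = bytes.fromhex("550403")                       # commonName

def make_cert(cn, key_seed):
    """Build a syntactically valid X.509 v3 DER certificate. The RSA modulus is
    a placeholder derived from key_seed (constructed, not a real key) and the
    signature is all zeros, which is enough for a TLSA matching demonstration."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn))))
    validity = tlv(0x30, tlv(0x17, b"140203000000Z") + tlv(0x17, b"150203000000Z"))
    modulus = hashlib.sha256(key_seed).digest()
    if modulus[0] & 0x80:
        modulus = b"\x00" + modulus              # keep the INTEGER positive
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                    + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(32)))

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_body, _ = der_read(der_children(cert_body)[0][1])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                     # optional explicit version [0]
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki

# --- TLSA (RFC 6698) -------------------------------------------------------

def tlsa_association(cert_der, selector, matching_type):
    """Certificate association data for the given selector and matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def publish_tlsa(cert_der):
    """The record an operator signs into DNS: 3 1 1 <sha256 of SPKI>."""
    return (3, 1, 1, tlsa_association(cert_der, 1, 1))

def dane_ee_match(cert_der, tlsa_records):
    """True if any usage-3 (DANE-EE) record matches the presented certificate.
    Usages 0-2 need chain validation and are deliberately not handled here."""
    return any(usage == 3 and tlsa_association(cert_der, sel, mt) == data
               for usage, sel, mt, data in tlsa_records)

def accept_smtp_server(cert_der, tlsa_records, dnssec_secure):
    """Model of an outbound SMTP client. dnssec_secure stands in for the
    resolver's validated (AD) status of the MX and TLSA answers (an assumption
    of this model). Without secure TLSA data the client is opportunistic and
    accepts any certificate, including an attacker's self-signed one."""
    if dnssec_secure and tlsa_records:
        return dane_ee_match(cert_der, tlsa_records)
    return True                                  # opportunistic STARTTLS: no checks

LEGIT_CERT = make_cert(b"mx.example.net", b"constructed legit key")
ATTACKER_CERT = make_cert(b"mx.example.net", b"constructed attacker key")
TLSA_RECORDS = [publish_tlsa(LEGIT_CERT)]

if __name__ == "__main__":
    print("DANE, real MX:       ", accept_smtp_server(LEGIT_CERT, TLSA_RECORDS, True))
    print("DANE, spoofed MX:    ", accept_smtp_server(ATTACKER_CERT, TLSA_RECORDS, True))
    print("no DNSSEC, spoofed:  ", accept_smtp_server(ATTACKER_CERT, [], False))
```

Run with python3 and the third line is the situation the mail complains about: the forged MX answer arrives unsigned, no TLSA data is available, and the sender still connects and encrypts to the attacker's host because opportunistic STARTTLS verifies nothing. With a DNSSEC-validated TLSA record the same forged server is rejected at the SPKI hash comparison. The model stops at the decision; the actual TLS handshake, the "secure" versus "bogus" versus "insecure" distinction a validating resolver makes, and the TA-based usages are outside its scope.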
