[Ach] DNSSEC and reference/mention to it

Julien Vehent julien at linuxwall.info
Mon Feb 3 17:24:32 CET 2014

On 2014-02-03 11:04, Alexander Wuerstlein wrote:
> On 14-02-03 17:00, Julien Vehent <julien at linuxwall.info> wrote:
>> There has been a lot of discussions on whether DNSSEC adds security when
>> already using TLS at the protocol level. The main argument is that both
>> TLS and DNSSEC use a 3rd party trust model, and thus have the same level
>> of security. If an attacker can obtain a certificate for example.net, he
>> should be capable of obtaining a signed DNS record for example.net.
>> The question is then: is DNSSEC worth the effort?
> That is a very HTTP-centric view of things which is only valid if there
> is nothing else. But redirecting SMTP connections via faked DNS entries
> is still a problem even with TLS since SMTP only uses opportunistic
> encryption with minimal or no checks. Other protocols may have similar
> (albeit similarly stupid) problems, so yes, DNSSEC is worth the effort,
> at least until every protocol does TLS properly and always.

HTTP is irrelevant here. The same security concept applies to any protocol
that relies on TLS. What you are discussing can be broken down in 3 
  1. transport protocol is cleartext
  2. transport protocol uses opportunistic encryption (STARTTLS)
  3. transport protocol enforces TLS

I am only challenging the level of security that DNSSEC adds in category 3.

For category 1 and 2, we could argue that the need for transport level
encryption is still there, and not covered by DNSSEC. Thus, does DNSSEC 
a problem that is worth the (significant) effort it takes to deploy it.

Or would that time be better spent enforcing TLS on those services?
(you can tell you smtp client to require STARTTLS, btw)

- Julien

More information about the Ach mailing list