[Ach] DNSSEC and reference/mention to it

Aaron Zauner azet at azet.org
Mon Feb 3 18:02:14 CET 2014


So... does anybody remember this talk by DJB on DDoS via the DNSSEC
protocol: http://cr.yp.to/talks/2009.08.10/slides.pdf

I'm not that up-to-date on that, but as far as I know this issue persists,
right?

Aaron


On Mon, Feb 3, 2014 at 5:24 PM, Julien Vehent <julien at linuxwall.info> wrote:

> On 2014-02-03 11:04, Alexander Wuerstlein wrote:
>
>> On 14-02-03 17:00, Julien Vehent <julien at linuxwall.info> wrote:
>>
>>>
>>> There has been a lot of discussions on whether DNSSEC adds security when
>>> already using TLS at the protocol level. The main argument is that both
>>> TLS and DNSSEC use a 3rd party trust model, and thus have the same level
>>> of security. If an attacker can obtain a certificate for example.net, he
>>> should be capable of obtaining a signed DNS record for example.net.
>>>
>>> The question is then: is DNSSEC worth the effort?
>>>
>>
>> That is a very HTTP-centric view of things which is only valid if there
>> is nothing else. But redirecting SMTP connections via faked DNS entries
>> is still a problem even with TLS since SMTP only uses opportunistic
>> encryption with minimal or no checks. Other protocols may have similar
>> (albeit similarly stupid) problems, so yes, DNSSEC is worth the effort,
>> at least until every protocol does TLS properly and always.
>>
>>
> HTTP is irrelevant here. The same security concept applies to any protocol
> that relies on TLS. What you are discussing can be broken down in 3
> categories;
>  1. transport protocol is cleartext
>  2. transport protocol uses opportunistic encryption (STARTTLS)
>  3. transport protocol enforces TLS
>
> I am only challenging the level of security that DNSSEC adds in category 3.
>
> For category 1 and 2, we could argue that the need for transport level
> encryption is still there, and not covered by DNSSEC. Thus, does DNSSEC
> solve a problem that is worth the (significant) effort it takes to deploy it?
>
> Or would that time be better spent enforcing TLS on those services?
> (you can tell your smtp client to require STARTTLS, btw)
>
> - Julien
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
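The SMTP case Alexander and Julien argue about, as an added example that is not part of the thread or of any of the posters' code: a simulated EHLO exchange in which an attacker who controls the MX answer (faked DNS entries) or the TCP path presents a server reply without the STARTTLS extension. The client behaviour for Julien's category 2 (opportunistic) and category 3 (enforced) is modelled as a single `require_tls` flag; the EHLO reply, the host name `mx.example.net` and the function names are constructed for the illustration.

```python
"""Opportunistic vs. enforced STARTTLS on a simulated SMTP session.

Added example, not code from the Ach thread.  The SMTP EHLO exchange is
modelled in-process so it runs offline: a "server" answers EHLO with a
list of extensions, and an attacker who redirected the connection via a
faked MX record (or sits on the path) delivers that answer without the
STARTTLS line.  An opportunistic client silently continues in cleartext;
a client that enforces TLS aborts instead.  All EHLO data is constructed.
"""

# Constructed EHLO reply from a legitimate MX that offers STARTTLS.
# Per RFC 5321, "250-" continues the reply and "250 " (space) ends it.
GENUINE_EHLO = [
    "250-mx.example.net",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]


def strip_starttls(ehlo_lines):
    """What an attacker-controlled or on-path MX does: drop STARTTLS.

    Removing the single capability line is all it takes; the client has
    no authenticated signal that the capability was ever advertised.
    The remaining lines are re-terminated so the reply stays well-formed.
    """
    kept = [line[4:] for line in ehlo_lines if line[4:].upper() != "STARTTLS"]
    if not kept:  # defensive: a reply always has at least the greeting line
        return ["250 "]
    return ["250-" + text for text in kept[:-1]] + ["250 " + kept[-1]]


def server_offers_starttls(ehlo_lines):
    """True if any EHLO line advertises the STARTTLS extension."""
    return any(line[4:].upper() == "STARTTLS" for line in ehlo_lines)


class DowngradeError(Exception):
    """Raised when TLS is required but the peer did not offer it."""


def negotiate(ehlo_lines, require_tls):
    """Return the transport the client ends up using: 'tls' or 'cleartext'.

    require_tls=False is opportunistic encryption (category 2, the
    Postfix smtp_tls_security_level=may behaviour); require_tls=True is
    enforced TLS (category 3, smtp_tls_security_level=encrypt).
    """
    if server_offers_starttls(ehlo_lines):
        return "tls"
    if require_tls:
        raise DowngradeError("peer did not advertise STARTTLS; "
                             "refusing to send in cleartext")
    return "cleartext"


def run_scenarios():
    """Drive all four combinations; keyed by (attacked, require_tls)."""
    results = {}
    for attacked in (False, True):
        ehlo = strip_starttls(GENUINE_EHLO) if attacked else GENUINE_EHLO
        for require_tls in (False, True):
            try:
                results[(attacked, require_tls)] = negotiate(ehlo, require_tls)
            except DowngradeError:
                results[(attacked, require_tls)] = "aborted"
    return results


if __name__ == "__main__":
    for (attacked, require_tls), outcome in sorted(run_scenarios().items()):
        print(f"attacked={attacked!s:5} require_tls={require_tls!s:5} -> {outcome}")
```

The only case in which the attacker gets cleartext mail is attacked=True with require_tls=False, i.e. opportunistic STARTTLS; that is the downgrade the thread refers to. Note that enforcing encryption alone (Postfix `encrypt`) still does not authenticate the peer; that needs certificate verification (`verify`/`secure`), or, for a DNSSEC-backed binding, the `dane` level, which is where the two trust models in Julien's question actually meet.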