[Ach] filippo on SSL SMTP encryption

Hanno Böck hanno at hboeck.de
Wed Apr 1 00:18:23 CEST 2015

On Tue, 31 Mar 2015 16:21:25 +0200
"L. Aaron Kaplan" <kaplan at cert.at> wrote:

> Even though I heard some critical voices on dnssec, I do believe we
> should cover it in our guide...

In the past month I turned from someone who was asking his domain
broker for dnssec support to someone who profoundly thinks dnssec is
just a bad idea.

Many things have been said about dnssec problems, but I think the
biggest one is complexity and too many pieces.

Think about it: To have dnssec do something useful you need:
1) a signed root zone
2) a signed tld
3) a domain broker that supports a mechanism to send your dnssec keys
to the tld operator
4) a dns server operator that supports dnssec
5) a client resolver that actually checks the signatures
And here comes the catch: Unless you have all of them in place dnssec
does nothing. It's trivial to state: It absolutely makes no sense
to sign anything if nobody checks the signatures.

The client deployment of dnssec is very close to zero. It's not even
clear how a dnssec client should work, because the protocol is designed
to be verified in the resolver. Today's clients don't have resolvers.
And I don't see anyone actually working on any client deployment of

While there are problems in dnssec that are fixable (bad crypto,
reflection etc.) (but apparently aren't fixed right now by most people
operating dnssec), this one is huge: It's not something you can just
switch on. Depending on who you are you need a supporting
infrastructure and you need to rely on other people doing things so you
can start deploying dnssec in the first place.

Compare this huge complexity with a protocol like HPKP: It only
requires changes at two places - the browser and the server. And on the
server you don't even need a software change, it's just a configuration
issue. That's something you can actually deploy.
Adding an HPKP header to your domain requires some organization
management for your keys, but it will actually provide you additional
real protection for very little costs. Deploying dnssec is a huge
task with no gain whatsoever.

Hanno Böck

mail/jabber: hanno at hboeck.de
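As an added example (not part of Hanno's post), a small stub-side check for point 5 in the list above, whether the resolver a client talks to actually validates: it builds a query with the EDNS0 DO bit and the header AD bit set, then reads the AD flag or a SERVFAIL from the reply. The resolver address 127.0.0.1 and the name example.com are placeholders; the reply bytes used in the test are constructed.

```python
import os
import socket
import struct

# Header flag bits (RFC 1035 / RFC 4035): QR reply, RD recursion desired,
# RA recursion available, AD authenticated data.
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_SERVFAIL = 2

def build_query(name, qtype=1, txid=None):
    """Encode an A query with AD set in the header (RFC 6840 s5.7: 'tell me
    whether you validated') plus an EDNS0 OPT record with the DO bit, so a
    validating resolver returns RRSIGs and reports its validation result."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = txid + struct.pack("!HHHHH", FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size (4096),
    # TTL field = ext-rcode/version/flags with DO (0x8000) set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return header + question + opt

def classify_response(query, response):
    """Map a resolver's reply to what it tells a stub about validation.
    Note: AD is only as trustworthy as the path to the resolver, since a
    stub does no checking of its own (the point of the thread)."""
    if len(response) < 12 or response[:2] != query[:2]:
        raise ValueError("not a reply to our query")
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail (a validating resolver may have found the data bogus)"
    if flags & FLAG_AD:
        return "ad set: resolver says it validated the answer"
    return "ad clear: resolver did not validate (or the zone is unsigned)"

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP and classify the answer (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        return classify_response(q, s.recv(4096))

if __name__ == "__main__":
    print(ask("127.0.0.1", "example.com"))  # placeholder resolver and name
```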