[Ach] filippo on SSL SMTP encryption

Manuel Kraus ach at lsd.is
Wed Apr 1 09:48:36 CEST 2015

On 01.04.2015 at 00:18, Hanno Böck wrote:
> 5) a client resolver that actually checks the signatures
> And here comes the catch: Unless you have all of them in place dnssec
> does nothing. It's trivial to state: It absolutely makes no sense
> to sign anything if nobody checks the signatures.
> The client deployment of dnssec is very close to zero. It's not even
> clear how a dnssec client should work, because the protocol is designed
> to be verified in the resolver. Today's clients don't have resolvers.
> And I don't see anyone actually working on any client deployment of
> dnssec.

It's stunning to see that a thing I just deployed (somewhat proudly)
seems to be of no use at all. :-(

I'm just a server operator, not a crypto geek, so don't mind if I ask this:

If you talk about clients, you mean users' desktop software, right?
Things like the already mentioned web browsers, email applications etc. Well,
there are validator add-ons for web browsers available, so a small
fraction of users is already able to practically add -some- plausibility
to their connections. That's way too far from general deployment in
common software and is more like a PoC, I agree.

But: Do we forget server-server operations here? Doesn't DNSSEC at
least help to add some reliability to such connections? My resolvers
for all my servers do speak DNSSEC and should have those advantages
DNSSEC people are trying to sell. CA is far from perfect. DNSSEC is not
perfect either. But it seems to be all we have right now not to fall in
the abyss almost instantly (yes, I know certificate pinning and other,
but sadly not instantly deployable, approaches). Every additional layer
of authentication -in combination- helps to make it harder for
adversaries to manipulate things, imho.

It's easy to criticize current approaches like DNSSEC and talk about the
flaws they obviously have, but what are the options -right now- ? Which
techniques are available -right now- ?

Shrugging shoulders and leaving things as they are seems to be worse
-in these times- than deploying non-perfect techniques.
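A check a server operator can run to confirm the point made in the quoted text (that it is the resolver, not the zone signer, which actually validates): an added example, not part of this thread, that builds a DNS query with the EDNS0 DO bit and reads the AD flag and RCODE of the reply. The resolver address and the sample replies are constructed assumptions.

```python
import socket
import struct

def build_query(name, qtype=15, txid=0x1234):
    """DNS query for `name` (default MX, as an SMTP server would send) with
    RD set and an EDNS0 OPT record carrying the DO bit, which asks a
    validating resolver to report its verdict via the AD flag in the reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO (0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(resp):
    """Read only the 12-byte header: SERVFAIL from a validating resolver
    means the data failed validation; AD set means it validated; neither
    means the resolver handed back data without validating it at all."""
    _txid, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    if rcode == 2:
        return "servfail"
    if rcode != 0:
        return "rcode%d" % rcode
    return "validated" if ad else "unvalidated"

def ask_resolver(resolver_ip, name, qtype=15, timeout=3.0):
    """Send the query over UDP and classify the reply. Only trust the AD
    flag from a resolver on a path you control (e.g. 127.0.0.1); over an
    unauthenticated network path the flag can simply be rewritten."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)

# Constructed sample replies (header only), not captured traffic:
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)        # SERVFAIL

if __name__ == "__main__":
    for label, r in (("signed", VALIDATED), ("plain", UNVALIDATED), ("bogus", BOGUS)):
        print(label, "->", classify_response(r))
    # Live check against a local validating resolver (assumed address):
    # print(ask_resolver("127.0.0.1", "example.org"))
```

A resolver that answers "unvalidated" for a correctly signed zone, or "validated" for a deliberately broken test zone, is the situation the quoted message describes: signatures exist, but nothing on your side is checking them.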
