[Ach] filippo on SSL SMTP encryption

Aaron Zauner azet at azet.org
Tue Mar 31 20:35:13 CEST 2015



L. Aaron Kaplan wrote:
> Even though I heard some critical voices on dnssec, I do believe we should cover it in our guide...
> 

Mh. Filippo gets paid to work on DNSSEC. I'm sure he sees some value in
it. I don't. And a lot of crypto / network security people do not.

For the usual bash on DNSSEC see:
http://sockpuppet.org/blog/2015/01/15/against-dnssec/
http://sockpuppet.org/stuff/dnssec-qa.html
https://www.imperialviolet.org/2015/01/17/notdane.html
http://cr.yp.to/talks/2009.08.10/slides.pdf

Here're some points that don't usually come up when people talk about
why they do not like DNSSEC:

I agree that the only possible use case that somewhat makes sense for
DANE is SMTP/mail. But I think that we should not build on a protocol
that does not work, has not worked for the last 15 years and will never
be properly deployed. E-mail as we use it today has so many problems
that, in my opinion, we'd rather need a new set of protocols to bury
SMTP than ever-changing standards that try to fix mail somehow.

While Windows and Mac OS X will gladly resolve DNSSEC, Linux does not,
and there isn't really a solution or consensus on that either (see
https://fedoraproject.org/wiki/Networking/NameResolution/ADDRCONFIG).
Sure, we can let our ISPs resolve these for us. But then we're shifting
trust to our ISP. DNSSEC does not give us any advantage over the CA
system we hate so much. We're now shifting trust from a few auditable
(Certificate Transparency, HPKP, TACK) authorities to all the
government-owned and generic TLDs in the world. I'll gladly go into that
in more detail if anyone can explain to me what happens if .ly or .cn
act maliciously. CAs are usually companies that can end up in bankruptcy
(see DigiNotar). For government-owned TLDs -- and even for gTLDs -- I
don't really see any way to punish them if they misbehave. Take the TLD
offline? Won't work.

But then again, it doesn't really matter because DNSSEC doesn't work
either way. One of the biggest customers -- by policy -- is the US
government. They're mandated to use DNSSEC. They're at the top of the
list of DNSSEC outages. While the average DNSSEC outage lasts about 8
days (http://ianix.com/pub/dnssec-outages.html), the US government
usually has outages of more than 6 months.


This protocol has such a bright future that in the 15 years since the
first talk of standardization it has been under constant change, is
still changing (people are talking about NSEC5 right now) and it still
does not _fucking_ work.


Aaron
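An added example, not code from this post or from any project discussed on the list, showing what the DANE-for-SMTP use case mentioned above actually reduces to on the client side: an MTA fetches a TLSA record for the MX host and compares the server's certificate (or its SubjectPublicKeyInfo) against it, without any CA chain. The certificate bytes, key and record below are constructed for the demo; only usage 3 (DANE-EE) is handled, and the hand-rolled DER walker is just enough to find the SPKI in a well-formed certificate.

```python
"""DANE-EE (TLSA usage 3) matching as an MTA doing DANE for SMTP would.

Added example. Checks a server certificate against a record such as
    _25._tcp.mx.example.test. IN TLSA 3 1 1 <sha256 of the SPKI>
(RFC 6698 rdata: usage, selector, matching type, association data).
Certificate, key and host name are constructed, not real.
"""
import hashlib


def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER TLV at `offset`; return (tag, value, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def der_constructed(*children: bytes, tag: int = 0x30) -> bytes:
    """Encode a constructed DER value (SEQUENCE unless `tag` is given)."""
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a DER X.509 Certificate."""
    _, cert, _ = der_tlv(cert_der)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_tlv(cert)        # TBSCertificate
    tag, _, off = der_tlv(tbs)       # optional [0] EXPLICIT version
    if tag != 0xA0:
        off = 0
    for _ in range(5):               # serialNumber, signature, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    start = off
    _, _, end = der_tlv(tbs, off)    # subjectPublicKeyInfo
    return tbs[start:end]


def parse_tlsa(presentation: str):
    """Parse 'usage selector mtype hexdata' into (int, int, int, bytes)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(cert_der: bytes, usage: int, selector: int, mtype: int, data: bytes) -> bool:
    """True if the end-entity cert satisfies the record (usage 3: no PKIX, no name check)."""
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    if selector == 0:          # Cert(0): whole certificate
        subject = cert_der
    elif selector == 1:        # SPKI(1): SubjectPublicKeyInfo only
        subject = spki_from_cert(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:             # Full(0)
        return subject == data
    if mtype == 1:             # SHA2-256(1)
        return hashlib.sha256(subject).digest() == data
    if mtype == 2:             # SHA2-512(2)
        return hashlib.sha512(subject).digest() == data
    raise ValueError("unknown matching type %d" % mtype)


# Constructed demo material: an Ed25519-shaped SPKI inside an X.509-shaped
# DER structure with the right field order; the signature is a placeholder.
ED25519_OID = b"\x06\x03\x2b\x65\x70"


def toy_spki(raw_key: bytes) -> bytes:
    return der_constructed(der_constructed(ED25519_OID), b"\x03\x21\x00" + raw_key)


def toy_cert(spki: bytes) -> bytes:
    version = der_constructed(b"\x02\x01\x02", tag=0xA0)   # [0] INTEGER 2 (v3)
    sig_alg = der_constructed(ED25519_OID)
    validity = der_constructed(b"\x17\x0d150331000000Z", b"\x17\x0d160331000000Z")
    empty_name = der_constructed()
    tbs = der_constructed(version, b"\x02\x01\x01", sig_alg, empty_name, validity, empty_name, spki)
    return der_constructed(tbs, sig_alg, b"\x03\x02\x00\x00")


def tlsa_for_spki(spki: bytes) -> str:
    """Record an operator would publish at _25._tcp.<mx host>: '3 1 1 <sha256>'."""
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()


def check_server(cert_der: bytes, record: str) -> bool:
    """Apply one TLSA record to the certificate the SMTP server presented."""
    return tlsa_matches(cert_der, *parse_tlsa(record))


SERVER_KEY = bytes(range(32))                      # constructed, not a real key
SERVER_CERT = toy_cert(toy_spki(SERVER_KEY))
PUBLISHED_TLSA = tlsa_for_spki(toy_spki(SERVER_KEY))

if __name__ == "__main__":
    print(PUBLISHED_TLSA)
    print("current cert matches:", check_server(SERVER_CERT, PUBLISHED_TLSA))
    print("rotated key matches:", check_server(toy_cert(toy_spki(bytes(32))), PUBLISHED_TLSA))
```

The second print is the operational trap behind the "outage" numbers above: with a 3 1 1 record, rotating the server key without first publishing the new record makes every DANE-aware MTA reject the host, and nothing in the CA world is involved in fixing that.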
