[Ach] DNSSEC [was: Re: filippo on SSL SMTP encryption]

Aaron Zauner azet at azet.org
Tue Mar 31 21:41:22 CEST 2015

Hi Daniel,

Daniel Kahn Gillmor wrote:
> NSEC5 is a proposal to provide both non-enumerable zones and
> authenticated denial of existence (NXDOMAIN) responses while retaining
> offline keys for the positive assertions.
> If you're willing to place your zone-signing keys online, you can
> already get non-enumerable zones with authenticated denial of existence.
> And if you're willing to have your zone be enumerable, you can already
> get offline keys with authenticated denial of existence.  so NSEC5 is
> really tuning one little corner use case that is otherwise unhandled.
> I don't think it's worthwhile to critique the protocol as a whole for
> the fact that people are trying to address corner use cases like this (i
> do know some people who want both offline zone-signing keys and
> non-enumerable zones; those people are rare, but as more information
> gets placed into the DNS, non-enumerability and offline ZSKs may become
> more desirable).

I just intended this to be an example of DNSSEC protocol changes. I know
it's only used in corner cases. Also it's only a proposal for now as far
as I know.

> As for moving the verification to the resolver, that's obviously a
> losing prospect, since it just puts your trust in an unreliable remote
> host (and over insecure transport, even, in the common DNS use case!).
> What we need is for resolvers to transfer the entire signing chain to
> the stub so that verification can take place on the local client.

That would make sense, but I don't know of any implementation or any
effort towards this. Do you have more information on that? That would at
least solve the client-side issues. Issues with the trust chain are
still unchanged by that. I've seen a proposal for certificate
transparency with DNSSEC
(https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00) hasn't got
toom uch attention tough.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150331/995a1440/attachment.sig>

More information about the Ach mailing list