<div dir="ltr">So,.. does anybody remember this talk by DJB on DDOS via the DNSSEC protocol: <a href="http://cr.yp.to/talks/2009.08.10/slides.pdf">http://cr.yp.to/talks/2009.08.10/slides.pdf</a><div><br></div><div>I'm not that up-to-date on that, but as far as I know this issue presists, right?</div>
<div><br></div><div>Aaron</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 3, 2014 at 5:24 PM, Julien Vehent <span dir="ltr"><<a href="mailto:julien@linuxwall.info" target="_blank">julien@linuxwall.info</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 2014-02-03 11:04, Alexander Wuerstlein wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
On 14-02-03 17:00, Julien Vehent <<a href="mailto:julien@linuxwall.info" target="_blank">julien@linuxwall.info</a>> wrote:<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
There has been a lot of discussions on whether DNSSEC adds security when<br>
already using TLS at the protocol level. The main argument is that both<br>
TLS and DNSSEC use a 3rd party trust model, and thus have the same level<br>
of security. If an attacker can obtain a certificate for <a href="http://example.net" target="_blank">example.net</a>, he<br>
should be capable of obtaining a signed DNS record for <a href="http://example.net" target="_blank">example.net</a>.<br>
<br>
The question is then: is DNSSEC worth the effort?<br>
</blockquote>
<br>
That is a very HTTP-centric view of things which is only valid if there<br>
is nothing else. But redirecting SMTP connections via faked DNS entries<br>
is still a problem even with TLS since SMTP only uses opportunistic<br>
encryption with minimal or no checks. Other protocols may have similar<br>
(albeit similarly stupid) problems, so yes, DNSSEC is worth the effort,<br>
at least until every protocol does TLS properly and always.<br>
<br>
</div></blockquote>
<br>
HTTP is irrelevant here. The same security concept applies to any protocol<br>
that relies on TLS. What you are discussing can be broken down in 3 categories;<br>
1. transport protocol is cleartext<br>
2. transport protocol uses opportunistic encryption (STARTTLS)<br>
3. transport protocol enforces TLS<br>
<br>
I am only challenging the level of security that DNSSEC adds in category 3.<br>
<br>
For category 1 and 2, we could argue that the need for transport level<br>
encryption is still there, and not covered by DNSSEC. Thus, does DNSSEC solve<br>
a problem that is worth the (significant) effort it takes to deploy it.<br>
<br>
Or would that time be better spent enforcing TLS on those services?<br>
(you can tell you smtp client to require STARTTLS, btw)<span class="HOEnZb"><font color="#888888"><br>
<br>
- Julien</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<u></u>_________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/<u></u>mailman/listinfo/ach</a><br>
</div></div></blockquote></div><br></div>