[Ach] opinions on letsencrypt.org?

Aaron Zauner azet at azet.org
Tue Nov 25 23:12:47 CET 2014


Hi Hanno,

Hanno Böck wrote:
> The biggest one: It's based on DNSSEC and DNSSEC is mostly vaporware. I
> keep hearing from people that "DNSSEC is coming", but it isn't.
> Hardly any domain has DNSSEC. But the much bigger part that's virtually
> nonexistent is DNSSEC client support. And I don't even see how DNSSEC
> client support is even supposed to work. At the moment clients don't do
> DNS. They query a DNS server provided by someone else (their DSL router
> or their provider).

I absolutely agree, and this has been a big issue for me as well; I've
been telling people for years now that this won't really be a solution
but more of a management burden without clear security improvements.
We've yet to see serious DNSSEC commitment. I also doubt that this is
going to happen anytime soon. Ideally we'd switch to a better protocol.
I have seen the GNUnet people are working on GNS, though I have no idea
how practical their approach really is.

> What's the idea here? Should everyone install a DNS resolver locally?
> (I feel this would open up a whole bunch of potential other issues if
> it isn't done right - e.g. if the resolver is open to anyone.) Should
> browsers do their own DNS resolving? Should we trust our providers to
> get DNSSEC right?
> I feel the browser solution is the most likely. It's just that nobody
> is implementing that, at least not that I've heard of. I fear people
> will deploy DNSSEC in a "trust your provider" way, which would be a
> disaster.

If you go for a browser solution: you've basically got DNSSEC for HTTPS
and that's it. Then there are the usual client-side implementation
security problems and it's up to a couple of people doing BlackHat and
DEFCON talks for IETF to change the protocol again. Brr.

> The other problem I have with DNSSEC is that we move from
> ca-cartel-mess to domain-nic-cartel.

Exactly. The issue with "Nation State Actors" (really: governments in
general) still isn't fixed by design. It's also not a distributed
system, and I tend to really like, and trust, distributed systems over
hierarchical ones (wow, the sentence is almost political by now :)).

> I see some use in DANE for SMTP server-to-server. However, EFF has a
> proposal for this without DNSSEC (probably because they also know
> DNSSEC is vaporware), though I haven't looked at it yet. Does anyone
> know about that?

Can you refer to any further information on that? Would be of interest.

@dkg: Thanks for the reference! Will look into it since it sounds very
interesting - although I doubt that I'll contribute any time soon. Too
many open projects at the moment & see above.

Aaron
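Editor's note, added example (not code from the thread or from any project mentioned in it): the point Hanno raises about stub clients is concrete at the wire level. A stub resolver that asks someone else's recursive resolver learns about DNSSEC only through the AD ("Authenticated Data") bit in the response header, and that bit travels unauthenticated over plain UDP. The script below builds a DNSSEC-aware query (EDNS0 with the DO bit), decodes the response flags, and classifies what a stub may actually conclude depending on whether the path to the resolver is trusted (e.g. a validating resolver on localhost) or not (the "trust your provider" case). The sample response headers, the function names and the transaction id 0x1234 are constructed assumptions for illustration; only the Python standard library is used.

```python
import socket
import struct

# Added example, not code from the Ach thread. Names and sample bytes are
# assumptions made for illustration; only the stdlib is used.

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data: set by a VALIDATING recursive resolver
FLAG_CD = 0x0010  # Checking Disabled: ask the resolver not to validate
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record's extended flags


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Build a recursive query that asks for DNSSEC data via the EDNS0 DO bit.

    Without DO a resolver strips RRSIGs and will not set AD, so a stub that
    forgets it is DNSSEC-blind even behind a validating resolver.
    """
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(msg):
    """Decode the header flags of a DNS message (query or response)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def classify(resp, resolver_trusted):
    """Say what a stub may conclude from a response.

    resolver_trusted: True only if the path to the resolver is trusted (a
    validating resolver on localhost, for instance). Otherwise the AD bit is
    just an unauthenticated flag that anyone on the path can set or clear.
    """
    f = parse_flags(resp)
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"            # validating resolvers answer bogus data this way
    if not f["ad"]:
        return "unvalidated"         # no validation happened (or DO/AD support missing)
    return "validated" if resolver_trusted else "ad-bit-untrusted"


def send_query(server, name, timeout=3.0):
    """Send the query over UDP and return the raw response (needs network)."""
    q = build_dnssec_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed 12-byte response headers (txid 0x1234, 1 question, 1 answer, 1 additional)
RESP_AD_SET = bytes.fromhex("123481a00001000100000001")    # QR|RD|RA|AD, NOERROR
RESP_NO_AD = bytes.fromhex("123481800001000100000001")     # QR|RD|RA, NOERROR
RESP_SERVFAIL = bytes.fromhex("123481820001000000000001")  # QR|RD|RA, SERVFAIL

if __name__ == "__main__":
    print(build_dnssec_query("example.org").hex())
    for label, resp in [("ad", RESP_AD_SET), ("no-ad", RESP_NO_AD), ("servfail", RESP_SERVFAIL)]:
        print(label, "local:", classify(resp, True), "provider:", classify(resp, False))
```

Run against a real resolver with `send_query("127.0.0.1", "example.org")` once a validating resolver is listening locally; the same response classified with `resolver_trusted=False` shows why an AD bit received from an ISP resolver over plain UDP is not a security signal on its own.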

