I'm considering writing a zine about owning a domain! (DNS! registrars! certificates! TLS! HSTS! MX records!). What questions do you have about domains? Will try to answer as many as I can.
someone might yell at me for saying this but I've never had to learn anything about DNSSEC and I'm not convinced it's in any way useful to learn for most people
is that true? I've heard a lot of people say that DNSSEC is going to be important in the future, but I've never seen an explanation I understood for why. It seems like everyone who's really into DNSSEC thinks the CA model for TLS is broken? is that right?
There have been previous vulns discovered in DNS (and there will likely be plenty more) leading to cache poisoning, etc.: false DNS records. These fake records trick users into visiting fake sites, downloading malware, or worse. DNSSEC solves that problem.
If an attacker can forge the DNS results returned to a CA, they can obtain a valid certificate for your domain. WebPKI depends on DNS security. There's no DNS security without DNSSEC. However crufty it may be, that's the basis for security on the web and even more so for email.
Email servers also don't inherently validate based on CAs. Authenticated encryption for email is provided through setting a key or certificate in DNS via a DANE TLSA record. MTA-STS is a weak alternative still depending on DNS security and works like HSTS does without preloading.
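To make the MTA-STS comparison concrete, here is an added example (not code from anyone in this thread) that evaluates an MTA-STS policy the way a sending MTA does per RFC 8461: parse the `_mta-sts` TXT record, parse the policy file, and decide which MX hosts may be used. The TXT record, policy text and MX list are all constructed for the demo; nothing is fetched from DNS or HTTPS, which is exactly the step where the thread's point applies (the TXT lookup and the MX lookup are both plain, unauthenticated DNS unless DNSSEC is in play).

```python
"""Evaluate an MTA-STS policy against a domain's MX hosts (RFC 8461).

Added example; all records below are constructed, not fetched.
"""
from __future__ import annotations


def parse_mta_sts_txt(txt: str) -> dict[str, str]:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20240101T000000'.

    A sender only re-fetches the HTTPS policy when the id changes, so this
    record is the "cache-control" half of the mechanism (like the HSTS header,
    but with no preload list to bootstrap trust).
    """
    fields: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: '*.example.net' matches exactly one extra label.

    'mx1.example.net' matches; the bare 'example.net' and the deeper
    'a.b.example.net' do not.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        return "." not in host[: -len(suffix) - 1]
    return pattern == host


def evaluate(policy: dict, mx_hosts: list[str]) -> dict:
    """Decide which MX hosts a policy-aware sender may deliver to.

    enforce: a host not matching any mx pattern must not be used.
    testing: mismatches are only reported (via TLSRPT), delivery proceeds.
    none:    the policy is switched off.
    A real sender additionally requires STARTTLS with a WebPKI-valid certificate
    matching the MX name on every permitted host; that is out of scope here.
    """
    if policy["mode"] == "none":
        return {"deliverable": list(mx_hosts), "mismatched": [], "enforced": False}
    allowed = [h for h in mx_hosts if any(mx_matches(p, h) for p in policy["mx"])]
    mismatched = [h for h in mx_hosts if h not in allowed]
    enforced = policy["mode"] == "enforce"
    return {
        "deliverable": allowed if enforced else list(mx_hosts),
        "mismatched": mismatched,
        "enforced": enforced,
    }


# Constructed inputs for the demo.
TXT_RECORD = "v=STSv1; id=20240101T000000"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 604800
"""
MX_RECORDS = [
    "mx1.example.net",
    "mx2.mail.example.net",
    "deep.a.mail.example.net",  # too many labels for the wildcard
    "evil.example.org",         # an injected MX record would be rejected in enforce mode
]

if __name__ == "__main__":
    parse_mta_sts_txt(TXT_RECORD)
    print(evaluate(parse_policy(POLICY_TEXT), MX_RECORDS))
```

The point the thread makes shows up in `MX_RECORDS`: a forged MX answer like `evil.example.org` is refused only because the policy is in `enforce` mode and was fetched earlier over HTTPS; if the attacker can also answer the `_mta-sts` TXT lookup on a sender that has never cached the policy, there is nothing for the sender to enforce.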
CAs aren't actually required to validate DNSSEC and certificates are issued based on showing control of the domain via unauthenticated DNS, HTTP or SMTP. Most CAs hopefully do validate DNSSEC and respect the requirement to validate the CAA record, which helps to mitigate this.
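As an added example (not from anyone in the thread), this is the CAA check a CA is required to perform under RFC 8659, written out for a constructed zone: walk up from the requested name until a CAA RRset is found, then apply `issue` or `issuewild`, and refuse if a critical tag is not understood. The zone contents, CA names and record values are all made up for the demo; a real CA would obtain the RRset from DNS, which is where DNSSEC validation matters, because a forged "no CAA records" answer lifts every restriction below.

```python
"""CAA evaluation as a CA must do it before issuing (RFC 8659).

Added example; the ZONE below is constructed, not queried from DNS.
"""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical bit in the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset. Everything here is made up.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "issuewild", ";"),  # nobody may issue wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [
        CAARecord(CRITICAL, "tbs", "unknown-policy"),  # critical tag no CA knows
    ],
    "other.example.com": [
        CAARecord(0, "issue", "digicert.com"),
    ],
}


def relevant_rrset(zone: dict, name: str):
    """Climb from name toward the root; the first CAA RRset found governs."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca: str,
              known_tags=("issue", "issuewild", "iodef")) -> tuple[bool, str]:
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`.

    A leading '*.' marks a wildcard request, which is governed by issuewild
    when the relevant RRset has one and by issue otherwise.
    """
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    origin, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records anywhere in the tree; issuance unrestricted"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in known_tags:
            return False, f"critical tag {rr.tag!r} at {origin} not understood"
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    controlling = [rr for rr in rrset if rr.tag.lower() == tag]
    if not controlling:
        return True, f"no {tag} records at {origin}; issuance unrestricted"
    if any(issuer_domain(rr.value) == ca.lower() for rr in controlling):
        return True, f"{ca} is listed in {tag} at {origin}"
    return False, f"{ca} is not among the {tag} issuers at {origin}"


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "locked.example.com",
                "other.example.com", "*.other.example.com", "example.org"):
        for ca in ("letsencrypt.org", "digicert.com"):
            print(req, ca, may_issue(ZONE, req, ca))
```

Two details worth noticing: the climb stops at the nearest RRset, so `other.example.com` having its own `issue` record means the apex `issuewild ";"` does not apply to `*.other.example.com`; and an unknown tag only blocks issuance when its critical bit is set, which is why the `tbs` record in the demo zone is flagged with `CRITICAL`.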
For example, consider an attacker controlling a router in between your server OR authoritative DNS server and where Let's Encrypt performs validation. That attacker can obtain a valid Let's Encrypt certificate for your domain. They may reroute traffic (BGP is insecure) to do it.