Conversation

I'm considering writing a zine about owning a domain! (DNS! registrars! certificates! TLS! HSTS! MX records!). What questions do you have about domains? Will try to answer as many as I can.
Someone might yell at me for saying this, but I've never had to learn anything about DNSSEC and I'm not convinced it's in any way useful to learn for most people
Honestly I think we should take DNS seriously, since it's the only protocol that for some reason has no encryption or any kind of enforcement by default
The way I think about it, at least for HTTP, is that if you use HSTS (and HSTS preloading) then nobody will ever access your domain without TLS anyway, so even if an attacker hijacks your DNS they still won't have your TLS keys and the user will be warned
An attacker controlling your DNS from the perspective of a CA can obtain a valid certificate from Let's Encrypt or another CA. TLS + HSTS preloading with WebPKI does NOT secure against this. An attacker NOT controlling your DNS but able to MITM CA verification can also do it.
If every CA checked DNSSEC, then disallowing any CA from issuing certificates via CAA would protect against this. However, it's not clear how you would renew your certificates. Not every CA enforces DNSSEC though. Some don't do mandatory CAA checks either (see recent CA scandal).
The WebPKI security model protects against DNS hijacking targeted at clients visiting a site. It doesn't protect against it when those clients are CAs. MITM of either DNS, HTTP or SMTP between the domain and the CA results in being able to get a valid certificate. You can try it.
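The CAA logic the last few replies turn on (a CA consulting the relevant CAA set for a name, an empty issuer forbidding every CA, issuewild governing wildcard names), as an added worked example that is not part of the thread. The zone records and domain names are constructed, and lookups go against that dictionary rather than live DNS.

```python
"""Evaluate CAA records the way RFC 8659 tells a CA to (added example,
not from the thread). Uses a constructed zone snapshot, not live DNS."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed records for illustration only.
CONSTRUCTED_ZONE: Dict[str, List[CaaRecord]] = {
    "example.org": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";"),   # forbid wildcard certs entirely
                    (0, "iodef", "mailto:security@example.org")],
    "locked.example.org": [(0, "issue", ";")],  # no CA may issue here
}

def relevant_caa_set(name: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 8659 section 3: climb toward the root until a CAA RRset is found."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value: str) -> str:
    """Issuer domain name from an issue/issuewild value; '' means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CaaRecord]],
                 wildcard: bool = False) -> bool:
    """True if CA `ca` is authorized for `name` (or `*.name` when wildcard).

    An unknown tag with the critical flag (bit 0x80) blocks issuance; for a
    wildcard request issuewild records, when present, replace issue records;
    no record of the applicable tag means CAA imposes no restriction."""
    rrset = relevant_caa_set(name, zone)
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t.lower() == tag]
    if not values:
        return True
    return any(issuer_domain(v) == ca.lower() for v in values)
```

As the thread points out, this decision is only as trustworthy as the DNS answer the CA received, which is why CAA alone does not close the DNS-hijack case without DNSSEC validation on the CA side.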