Conversation

DNSSEC apologists on HN, fair warning: I am probably never going to stop beating you over the head with this data point.
Quote Tweet
Unless I'm misreading the domain history, this domain was (and is) DNSSEC signed and that did not prevent the takeover. The attacker's move is to hijack the HTTP endpoints instead of DNS servers, get the cert through HTTP upload verification, and then MiTM. twitter.com/spazef0rze/sta…
Replying to
It’s not the argument against DNSSEC, apart from further evidence that “it just doesn’t do anything useful”. The arguments against DNSSEC are much stronger than “it doesn’t work”.
Replying to
They weren't using DNSSEC to secure WebPKI issuance via CAA / accounturi. They weren't using it to secure connections from their wallet. DNSSEC provides a way to use DNS as a root of trust but if you don't actually use that for anything then it's not doing you any good.
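As an added illustration (not from any poster in this thread) of what "securing WebPKI issuance via CAA / accounturi" means in practice, here is a constructed zone fragment using the RFC 8657 CAA parameters; the ACME account id is a placeholder and the CA identifier assumes a CA that honours these parameters:

```zone
; Constructed example, not taken from the thread.
; Before: CAA only names a CA. Any validation method that CA offers still works,
; so whoever controls the HTTP endpoints can pass http-01 and get a certificate.
example.com.   IN CAA 0 issue "letsencrypt.org"

; After: issuance is bound to one validation method and one ACME account.
; - validationmethods=dns-01 means control of the web servers alone no longer suffices.
; - accounturi ties issuance to a specific ACME account (placeholder id below).
; - issuewild ";" forbids wildcard issuance by anyone.
; These constraints are only as trustworthy as the CA's view of the zone, which is
; where DNSSEC does real work: a validating CA resolver rejects a forged CAA answer.
example.com.   IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ACCOUNT-ID"
example.com.   IN CAA 0 issuewild ";"
example.com.   IN CAA 0 iodef "mailto:security@example.com"
```

Check that the CA you use actually documents support for validationmethods and accounturi before relying on them, since a CA that ignores the parameters enforces only the bare CA name.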
Replying to
And if DNSSEC became sufficiently pervasive, the ACME "proofs" of domain control could be made considerably stronger. But it's taken a while to build DNSSEC adoption momentum, and it is still more often seen in new domains than retrofitted in existing domains. All in good time...