Conversation

DNSSEC apologists on HN, fair warning: I am probably never going to stop beating you over the head with this data point.
Quote Tweet
Unless I'm mis-reading the domain history, this domain was (and is) DNSSEC signed and that did not prevent the takeover. The attacker's move is to hijack the HTTP endpoints instead of DNS servers, get the cert through HTTP upload verification, and then MiTM. twitter.com/spazef0rze/sta…
Replying to
I don't see how it's an argument against DNSSEC. WebPKI certificate issuance could be based on DNS as a root of trust, but instead doesn't have one. Google never removed pinning for their domains in Chrome as they promised after CT because (possible) detection isn't prevention.
Replying to
It’s not the argument against DNSSEC, apart from further evidence that “it just doesn’t do anything useful”. The arguments against DNSSEC are much stronger than “it doesn’t work”.
Replying to
They weren't using DNSSEC to secure WebPKI issuance via CAA / accounturi. They weren't using it to secure connections from their wallet. DNSSEC provides a way to use DNS as a root of trust but if you don't actually use that for anything then it's not doing you any good.
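As an added example (not code from anyone in the thread): a small checker for the CAA / accounturi mechanism the last reply refers to. It parses a zone's CAA records (RFC 8659) together with the RFC 8657 parameters and reports whether a CA that honours them could still issue via HTTP-based validation (the path the quoted tweet describes) and whether issuance is pinned to a single ACME account. The record sets and the account URL are constructed placeholders, not the zone discussed in the thread.

```python
import re

# Validation methods satisfiable by whoever controls the HTTP(S) endpoint,
# which is the issuance path described in the quoted tweet.
HTTP_METHODS = {"http-01", "tls-alpn-01"}

def parse_caa(rr: str) -> dict:
    """Parse a CAA record in presentation form: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*', rr)
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    # RFC 8657: value is "<issuer-domain>; name=value; name=value ..."
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return {"flags": flags, "tag": tag, "issuer": parts[0], "params": params}

def assess_issuance(records: list[str]) -> dict:
    """Summarise what a CA that honours RFC 8659/8657 may do for this zone."""
    caa = [parse_caa(r) for r in records]
    has_issue_tags = any(c["tag"] in ("issue", "issuewild") for c in caa)
    # Records with an empty issuer domain (value ";") forbid issuance; drop them.
    issue = [c for c in caa if c["tag"] in ("issue", "issuewild") and c["issuer"]]
    if not has_issue_tags:
        # No issue/issuewild records at all: any CA, any validation method.
        return {"issuers": [], "http_validation_allowed": True, "account_pinned": False}
    http_ok, pinned = False, bool(issue)
    for c in issue:
        methods = c["params"].get("validationmethods")
        # Absent validationmethods means the CA may use any method it supports.
        allowed = {m.strip() for m in methods.split(",")} if methods else None
        if allowed is None or allowed & HTTP_METHODS:
            http_ok = True
        if "accounturi" not in c["params"]:
            pinned = False
    return {"issuers": [c["issuer"] for c in issue],
            "http_validation_allowed": http_ok, "account_pinned": pinned}

# Constructed record sets (not the real zone from the thread).
WEAK_ZONE = ['0 issue "letsencrypt.org"']  # CA restricted; method and account are not
HARDENED_ZONE = [
    '0 issue "letsencrypt.org; validationmethods=dns-01; '
    'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/<ACCOUNT-ID>"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, assess_issuance(zone))
```

With the hardened set, an attacker who only controls the web endpoint cannot complete validation, and the remaining dns-01 path is exactly the one DNSSEC can protect when the CA validates it.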