Local DNSSEC validation is running on every DANE-enabled SMTP server. There are thousands of domains doing it, e.g. on the https://mailinabox.email personal email appliance. Cisco will shortly roll out DANE support (with local validation) in their ESA product...
Replying to @VDukhovni @mdhardeman
... but that's not where the users are. It can still be trivially spoofed between the mail server and the user, and it can often still be forged with a bit of effort even to the SMTP server.
Replying to @colmmacc @mdhardeman
DANE is being used today to secure traffic between (some) SMTP MTAs. DNSSEC is not used between the user and the MSA or IMAP server. That's where WebPKI is used at present. Both are presently well suited to their respective roles. I am not hating your use-case, stop hating mine
Replying to @VDukhovni @mdhardeman
DNSSEC isn't suited to its role. It doesn't actually work, and it causes outages. Of course I hate that. There's no room for "agree to disagree"; "secure" as a verb doesn't apply to something that uses SHA1.
Replying to @colmmacc @mdhardeman
DNSSEC does not rely on collision resistance, only 2nd-preimage resistance. There are no preimage attacks on SHA1, and none expected any time soon. Lots of domains use SHA256 (alg 8). You don't understand rfc7435. Your absolutist posture is harmful.
Replying to @VDukhovni @mdhardeman
Nope - DNSSEC is harmful. Don't use it, and please don't mislead users otherwise, it's not responsible! I'm persisting here as your zealous style can give the impression that there are two sides, but there aren't. Hopefully it's noticeable that you don't rebut the points I make.
Replying to @colmmacc @mdhardeman
Frankly, you don't make any points worth rebutting. Just absolutist pronouncements based on no evidence. Anyway it is clear that you're holding on to your "all or nothing" (i.e. often nothing) security posture. Many of us have figured out why that's a bad idea and moved on.
Replying to @VDukhovni @mdhardeman
Plenty of evidence for DNSSEC outages, plenty of evidence that DNSSEC does not in fact work, plenty of evidence of DNSSEC in DDOS attacks. Not end-to-end, broken crypto, downgrades, awful trust model, no end-user signaling. Don't use DNSSEC.
Replying to @colmmacc @mdhardeman
It is end-to-end as used for app security in DANE or to defend a resolver cache against poisoning. Yes, if you're using quad 8/9 you don't get MiTM protection, but you're not using DNSSEC, the resolver operator is, and (surprise!) non-users are not protected. The algs are good enough.
Replying to @VDukhovni @mdhardeman
It's end-to-end in neither case. Users aren't resolver caches or SMTP servers. This is "Well I locked the side door, so if the attacker goes there, we're good. Never mind the open front door" 'security'.
Oh, also the lock is cheap plastic in this metaphor.
Replying to @colmmacc @mdhardeman
DANE is used to authenticate TLS connections that encrypt email transport between domains. DNSSEC secures the TLSA RRs end-to-end from target to sender domain. E2E email encryption is unusable, but hop-by-hop TLS is effective against bulk surveillance. No plastic.
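As an added illustration of the DANE mechanism the last two tweets refer to (this is not code from the thread or from any participant), here is how an SMTP client matches the TLSA records it validated via DNSSEC against the certificate chain a peer MTA presents. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and the DANE-TA rule is simplified to "matches some issuer in the presented chain".

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class TLSA(NamedTuple):
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

DIGEST_LEN = {1: 32, 2: 64}

def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file form '3 1 1 <hex>'; reject unregistered values and bad lengths."""
    fields = presentation.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("unregistered TLSA parameter value")
    data = bytes.fromhex("".join(fields[3].split()))
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("association data length does not fit the matching type")
    return TLSA(usage, selector, mtype, data)

def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select the certificate or its SPKI, then apply the matching type."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.matching_type == 0:
        return selected
    return hashlib.new("sha256" if rr.matching_type == 1 else "sha512", selected).digest()

def matched_usage(rrs, chain) -> Optional[int]:
    """chain[0] is the peer's end-entity cert as (cert_der, spki_der); the rest are issuers.
    Returns the certificate usage that authenticated the peer, or None.
    PKIX-TA/PKIX-EE are unusable for SMTP under RFC 7672 and are skipped;
    DANE-EE may match only the leaf, DANE-TA an issuer in the presented chain."""
    for rr in rrs:
        if rr.usage not in (2, 3):
            continue
        candidates = chain[:1] if rr.usage == 3 else chain[1:]
        for cert_der, spki_der in candidates:
            if hmac.compare_digest(association_data(rr, cert_der, spki_der), rr.data):
                return rr.usage
    return None

# Constructed sample: placeholder blobs standing in for a leaf cert/SPKI and its issuer.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")
SAMPLE_EE_RR = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
SAMPLE_TA_RR = "2 0 1 " + hashlib.sha256(ISSUER[0]).hexdigest()
```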