RT @tqbf: Google takes an affirmative step towards finally killing off DNSSEC, deploys MTA-STS. https://security.googleblog.com/2019/04/gmail-making-email-more-secure-with-mta.html
I did not think they were *that* closely related. DNSSEC makes sure you're receiving an authentic DNS record, and MTA-STS forces TLS connections in email delivery. So SMTP is safer without the need for DNSSEC. What about all the other protocols?
1 reply 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
What other protocols are you thinking about?
1 reply 0 retweets 0 likes
SSH, NTP, FTP (eek!)…
1 reply 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
SSH doesn’t depend on the DNS for security; in fact, not depending on the DNS is the entire purpose of SSH (it replaces the DNS-dependent r-commands).
3 replies 0 retweets 0 likes
I'd like to know I'm SSH'ing to the right server. There's a chance the host has an SSHFP record…but that depends on DNSSEC. Isn't the point of DNSSEC to stop MITMing DNS?
3 replies 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
SSH uses key continuity to ensure that you’re not MITM’d; it doesn’t rely on DNS, which, again, is the point of the whole system.
1 reply 0 retweets 0 likes
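The "key continuity" model in the tweet above is what OpenSSH's known_hosts file implements: the first connection records the server's key, and every later connection is checked against that record rather than against anything fetched from DNS. The following is an added illustration, not code from the thread or from OpenSSH: it parses a constructed known_hosts file (plain and hashed host entries, plus the `@revoked` and `@cert-authority` markers), applies the continuity check to a presented key, and records a new host on first use. Key strings, hostnames and the salt are constructed placeholders; certificate signature verification for `@cert-authority` entries is left to ssh itself and only the marker is recognised here.

```python
import base64
import hashlib
import hmac
import os


def hash_hostname(host, salt=None):
    """OpenSSH hashed host pattern: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    salt = salt if salt is not None else os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def host_matches(pattern_field, host):
    """True if host matches any comma-separated pattern (plain or hashed) in the field."""
    for pat in pattern_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pat.split("|")
            got = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(got, base64.b64decode(hash_b64)):
                return True
        elif pat == host:
            return True
    return False


def parse_known_hosts(text):
    """Yield (marker, host_patterns, key_type, key_b64) for each usable line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = None
        if parts[0].startswith("@"):          # @revoked / @cert-authority
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        yield marker, parts[0], parts[1], parts[2]


def check_host_key(known_hosts, host, key_type, key_b64):
    """Key-continuity verdict: 'match', 'mismatch', 'revoked' or 'first-use'.
    A 'mismatch' means the host is known with a different key of the same type,
    which is the situation a MITM would produce and the reason ssh refuses to connect."""
    same_type_seen = False
    for marker, patterns, ktype, kdata in parse_known_hosts(known_hosts):
        if marker == "@cert-authority":       # CA keys are not host keys
            continue
        if not host_matches(patterns, host) or ktype != key_type:
            continue
        if kdata == key_b64:
            return "revoked" if marker == "@revoked" else "match"
        if marker != "@revoked":
            same_type_seen = True
    return "mismatch" if same_type_seen else "first-use"


def record_host_key(known_hosts, host, key_type, key_b64):
    """Trust on first use: append a hashed entry and return the updated file text."""
    line = "{} {} {}".format(hash_hostname(host), key_type, key_b64)
    return known_hosts.rstrip("\n") + "\n" + line + "\n"


# Constructed sample data: hostnames, salt and key blobs are placeholders, not real keys.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYB"
KEY_C = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYC"
KEY_OLD = "AAAAB3NzaC1yc2EAAAADAQABAAABCONSTRUCTEDOLD"
CA_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDCA"
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bastion.example.test,10.0.0.5 ssh-ed25519 " + KEY_A,
    hash_hostname("hashed.example.test", SALT) + " ssh-ed25519 " + KEY_C,
    "@revoked old.example.test ssh-rsa " + KEY_OLD,
    "@cert-authority *.example.test ssh-ed25519 " + CA_KEY,
])


def demo():
    """Run the continuity check over the sample file for each interesting case."""
    return {
        "same key again": check_host_key(KNOWN_HOSTS, "bastion.example.test", "ssh-ed25519", KEY_A),
        "changed key": check_host_key(KNOWN_HOSTS, "bastion.example.test", "ssh-ed25519", KEY_B),
        "hashed entry": check_host_key(KNOWN_HOSTS, "hashed.example.test", "ssh-ed25519", KEY_C),
        "never seen": check_host_key(KNOWN_HOSTS, "new.example.test", "ssh-ed25519", KEY_B),
        "revoked key": check_host_key(KNOWN_HOSTS, "old.example.test", "ssh-rsa", KEY_OLD),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("{:15s} -> {}".format(label, verdict))
    updated = record_host_key(KNOWN_HOSTS, "new.example.test", "ssh-ed25519", KEY_B)
    print("after TOFU      ->", check_host_key(updated, "new.example.test", "ssh-ed25519", KEY_B))
```

The one verdict that matters for detection is `mismatch`: the host is already known, and the key now presented differs from the recorded one. Nothing in the decision touches DNS, which is why the model stands without DNSSEC; its weak point is instead the very first connection, where the client has nothing to compare against and either a certificate authority or an out-of-band fingerprint check has to fill the gap.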
I feel like I'm hogging up the thread, and I don't mean to be difficult. But the first SSH connection knows nothing about the destination other than the hostname, right?
2 replies 0 retweets 0 likes
The first thing the client will learn after the first round trip is the server public key and its signature, which will be verified using the CA’s public key. No need for DNSSEC here, but you need to deploy the CA’s public key on clients.
Replying to @jedisct1 @Scott_Dayman
This is what the cool kids do and it’s what you should do if you’re building out SSH for a startup engineering team but in reality like 99.999% of SSH doesn’t use CAs, JFWIW. (I know you know this but just for the benefit of the thread).
0 replies 0 retweets 1 like