I did not think they were *that* closely related. DNSSEC makes sure you're receiving an authentic DNS record, and MTA-STS forces TLS connections in email delivery. So SMTP is safer without the need for DNSSEC. What about all the other protocols?
Replying to @Scott_Dayman @jedisct1
What other protocols are you thinking about?
1 reply 0 retweets 0 likes
SSH, NTP, FTP (eek!)…
1 reply 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
SSH doesn’t depend on the DNS for security; in fact, not depending on the DNS is the entire purpose of SSH (it replaces the DNS-dependent r-commands).
3 replies 0 retweets 0 likes
I'd like to know I'm SSH'ing to the right server. There's a chance the host has an SSHFP record…but that depends on DNSSEC. Isn't the point of DNSSEC to stop MITMing DNS?
3 replies 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
SSH uses key continuity to ensure that you’re not MITM’d; it doesn’t rely on DNS, which, again, is the point of the whole system.
1 reply 0 retweets 0 likes
I feel like I'm hogging up the thread, and I don't mean to be difficult. But the first SSH connection knows nothing about the destination other than the hostname, right?
2 replies 0 retweets 0 likes
Replying to @Scott_Dayman @jedisct1
Yes, which is why you get a fingerprint to verify out-of-band.
2 replies 0 retweets 0 likes
Replying to @tqbf @Scott_Dayman
SSH fingerprints are the equivalent of PGP trust levels. They’re available, but nobody gives a shit, because they’re too complicated/confusing/time consuming.
2 replies 0 retweets 3 likes
If only an authenticated out-of-band system was available ... that would be nice if we could store that in DNS along with the ip address!
1 reply 0 retweets 0 likes
(glad nobody said the word “blockchain” yet)
Blockchain!
1 reply 0 retweets 0 likes
Godwin point reached.
0 replies 0 retweets 0 likes
End of conversation
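The thread argues about two ways of knowing you reached the right SSH server: key continuity plus an out-of-band fingerprint check (what tqbf describes), and an SSHFP record in DNS (what Scott_Dayman mentions, which is only as good as DNSSEC validation of the answer). The following is an added example, not code from anyone in the thread, that models both: it computes the `SHA256:` fingerprint ssh shows on first connection, builds and checks an SSHFP record, and implements a minimal known_hosts-style pin store that returns "unknown", "known" or "mismatch". It assumes the OpenSSH public key line format, the unpadded-base64 fingerprint format of `ssh-keygen -l -E sha256`, and the SSHFP layout of RFC 4255/6594/7479; the Ed25519 keys are constructed test bytes, not real key pairs, and `host.example` is a made-up hostname.

```python
"""SSH key continuity and out-of-band fingerprint checks (added example).

Assumes the OpenSSH public key line format ("ssh-ed25519 <base64> comment"),
the fingerprint format printed by `ssh-keygen -l -E sha256`
("SHA256:<unpadded base64>") and the SSHFP record layout of RFC 4255 /
RFC 6594 / RFC 7479 (algorithm, fingerprint type, hex SHA-256 of the raw
key blob). All keys are constructed test data; host.example is made up.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2  # SSHFP fingerprint type 2 = SHA-256 (RFC 6594)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "test") -> str:
    """Build an OpenSSH public key line from 32 raw Ed25519 public key bytes.
    Constructed test data only; no real key pair is generated here."""
    assert len(raw32) == 32
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's first SSH string repeats the key type; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in line does not match key blob")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """Fingerprint as ssh prints it on first connection: SHA-256 over the raw
    key blob, base64 without '=' padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(hostname: str, line: str) -> str:
    """The SSHFP record (type 2 = SHA-256) the host's zone would publish."""
    key_type, blob = parse_pubkey_line(line)
    digest_hex = hashlib.sha256(blob).hexdigest()
    return f"{hostname}. IN SSHFP {SSHFP_ALGORITHM[key_type]} {SSHFP_SHA256} {digest_hex}"


def sshfp_matches(record: str, line: str) -> bool:
    """Compare a presented host key with an SSHFP record, as VerifyHostKeyDNS
    does. Only as trustworthy as the record: without DNSSEC validation, whoever
    can spoof the DNS answer can also spoof the record."""
    algo, fptype, digest_hex = record.split()[-3:]
    key_type, blob = parse_pubkey_line(line)
    if int(algo) != SSHFP_ALGORITHM[key_type] or int(fptype) != SSHFP_SHA256:
        return False
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest_hex.lower())


class KnownHosts:
    """Minimal key-continuity store: the model behind ~/.ssh/known_hosts."""

    def __init__(self):
        self._pins = {}  # (hostname, key type) -> fingerprint

    def check(self, hostname: str, line: str, trust_on_first_use: bool = False) -> str:
        """'unknown': no pin yet, so the fingerprint must be verified out of band
        (or is blindly pinned when trust_on_first_use is set);
        'known': same key as before; 'mismatch': the host-key-changed warning."""
        key_type, _ = parse_pubkey_line(line)
        fp = fingerprint_sha256(line)
        pinned = self._pins.get((hostname, key_type))
        if pinned is None:
            if trust_on_first_use:
                self._pins[(hostname, key_type)] = fp
            return "unknown"
        return "known" if pinned == fp else "mismatch"

    def verify_out_of_band(self, hostname: str, line: str, expected: str) -> bool:
        """Pin the key only if its fingerprint equals one obtained over a
        trusted channel (console, config management, a DNSSEC-signed SSHFP)."""
        key_type, _ = parse_pubkey_line(line)
        if not hmac.compare_digest(fingerprint_sha256(line), expected):
            return False
        self._pins[(hostname, key_type)] = expected
        return True


if __name__ == "__main__":
    # Constructed keys: the raw public key bytes are arbitrary test values.
    key_a = make_ed25519_pubkey_line(bytes(range(32)), "host-a")
    key_b = make_ed25519_pubkey_line(bytes(range(32, 64)), "impostor")
    kh = KnownHosts()
    print(kh.check("host.example", key_a))  # unknown
    kh.verify_out_of_band("host.example", key_a, fingerprint_sha256(key_a))
    print(kh.check("host.example", key_a))  # known
    print(kh.check("host.example", key_b))  # mismatch
    rec = sshfp_record("host.example", key_a)
    print(rec, sshfp_matches(rec, key_a), sshfp_matches(rec, key_b))
```

The `unknown` result is the fork in the thread: either someone compares the printed fingerprint with a value obtained over a trusted channel (`verify_out_of_band`), or the client accepts it on first use, which is what nearly everyone does and what the "nobody gives a shit" tweet is about. `sshfp_matches` is where an SSHFP record would take over that job, and it only helps if the resolver validated the record with DNSSEC.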