It’s trivial to specify modern signatures for DNSSEC. The trick is getting resolver code deployed.https://twitter.com/jedisct1/status/913127498233384960 …
-
Show this thread
-
My guess is it would take ~10 years of concerted effort to get ed25519 DNSSEC deployed enough to assume most resolver grokked it.
1 reply 2 retweets 3 likesShow this thread -
For 10 years afterwards people would STILL be deploying both RSA and ed25519 out of compat concerns. Ask any TLS impl how I know that.
1 reply 2 retweets 6 likesShow this thread -
Nobody relies on DNSSEC today. You could dump the root privkeys to Pastebin. No site would go down.
1 reply 3 retweets 7 likesShow this thread -
So if you believe we need modern crypto sigs in DNSSEC, the right answer is to STOP DEPLOYING legacy DNSSEC, specify mandatory modern DNSSEC
1 reply 0 retweets 5 likesShow this thread -
Replying to @tqbf
Or, y'know, stop DNSSEC wholesale and focus on DNS privacy.
1 reply 0 retweets 0 likes -
Replying to @CiPHPerCoder @tqbf
I don’t believe in DNS privacy. This is and will remain an illusion no matter what transport protocol you use.
1 reply 0 retweets 1 like -
The DNS server will know what you're sending, but you can at minimum maintain confidentiality against MitMs.
1 reply 0 retweets 0 likes -
Replying to @CiPHPerCoder @tqbf
Legacy protocols will never get secure. Improvements are not widely adopted. See BGP, SMTP.
2 replies 2 retweets 3 likes
Treat DNS as public data, work around it in other protocols.
-
-
Aren't incremental improvements worth something?
1 reply 0 retweets 0 likes -
Incremental improvements means things like STARTTLS which an active attacker can trivially strip.
1 reply 0 retweets 0 likes - 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.