[Discuss] free SSL certs from the EFF

Edward Ned Harvey (blu) blu at nedharvey.com
Tue Dec 2 11:24:16 EST 2014


> From: Derek Atkins [mailto:warlord at MIT.EDU]
> 
> 1) the root zone is signed with a known key, and
> 2) most of the TLDs are signed (in particular .com is definitely signed)

When you first connected to the network, DHCP told you to use some DNS server.  When Firefox, or anything else in your OS, queries that DNS server to resolve some name, you do not receive the response from the TLD.  You just get a response to your query, and not all the subsequent queries that were necessary in order to resolve your query.  Better yet, your OS itself caches the response, so once again, FF makes some query and doesn't get a signed response.

This may be a shortcoming of implementation, but if so, that doesn't make it any less relevant, because neither your OS name caching daemon, nor the upstream caching server are doing "the right thing" and the world is a *long* way off from having all the dumb Linksys routers upgraded to the point of DNS security being effectively universally deployed.

Here are yet another two possible solutions to the problem:

Don't use caching DNS servers; every client must query the TLD directly and do all its own resolving.  Or, globally adopt a new standard where the caching DNS server gives your client not only the response you requested, but the entire signed chain...  But these solutions very definitely do not exist as globally universally standard deployed solutions today.

Today, FF queries for www.google.com, and the query is handled by whatever DNS server was doled out to the client via DHCP, and the DNS server response is only going to be the final result of the query, which could have been mangled in transit.
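The exchange described in the message above, as an added example that is not part of the thread and not code from any resolver: a stub-resolver query for www.google.com with the EDNS0 DO bit set, the single final answer a caching server typically hands back, and the same answer after an on-path rewrite. The parser reports what the stub can actually observe (the AD header flag and whether any RRSIG records came along). The 192.0.2.x addresses and the wire bytes are constructed for the example; nothing here contacts a real server.

```python
import struct

# Added example, not code from the mailing-list thread. Names and addresses
# below are constructed (192.0.2.0/24 is reserved for documentation).

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO bit sits in the flags half of the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=0x1234, dnssec_ok=True):
    """A stub query: RD set, plus an EDNS0 OPT record with DO if the stub wants RRSIGs back."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return hdr + question + opt


def build_plain_answer(name, ip, txid=0x1234, ad=False):
    """What a forwarding/caching server typically returns: only the final A record."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # Answer owner name is a compression pointer to the question name at offset 12.
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    return hdr + question + answer


def tamper_in_transit(response, new_ip):
    """An on-path party rewriting the address between caching server and stub."""
    # In the single-answer response built above the A rdata is the last four bytes.
    return response[:-4] + bytes(int(o) for o in new_ip.split("."))


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_message(msg):
    """Parse the header and every RR; report only what a stub can see on the wire."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                             # qtype + qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),         # set by the resolver, unauthenticated on this hop
        "do": any(t == TYPE_OPT and ttl & EDNS_DO for _, t, ttl, _ in rrs),
        "answers": [".".join(str(b) for b in rd) for _, t, _, rd in rrs if t == TYPE_A],
        "has_rrsig": any(t == TYPE_RRSIG for _, t, _, _ in rrs),
    }


if __name__ == "__main__":
    query = build_query("www.google.com")
    genuine = build_plain_answer("www.google.com", "192.0.2.1")
    mangled = tamper_in_transit(genuine, "192.0.2.99")
    print("stub asked for signatures (DO):", parse_message(query)["do"])
    for label, msg in (("genuine", genuine), ("mangled", mangled)):
        p = parse_message(msg)
        print(label, p["answers"], "AD:", p["ad"], "RRSIG present:", p["has_rrsig"])
```

The two parsed responses differ only in the address: neither carries an RRSIG, neither has AD set, and even when a resolver does set AD that flag travels unsigned over the same hop, so a stub that does not validate on its own has nothing in the packet to distinguish the genuine answer from the rewritten one.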


