[Discuss] free SSL certs from the EFF
Derek Atkins
warlord at MIT.EDU
Thu Dec 4 10:35:15 EST 2014
Richard Pieri <richard.pieri at gmail.com> writes:
> On 12/3/2014 10:52 AM, Derek Atkins wrote:
>> Actually, it was designed to protect against that. I sat in the
>> IETF meetings where that was explicitly discussed. If an intermediary
>> strips the DNSSEC records out then a resolver expecting DNSSEC will
>> force a validation error.
>
> Which results in a denial of service for clients if DNSSEC is
> enforced. That's not protecting users; that's dumping them into black
> holes.
Some say DoS, some say protected. If someone is trying to poison my DNS
Cache I'd rather ignore them and blackhole than accept their attack and
go to the wrong place. Besides, DNS allows me to go ask multiple
sources for information.
If I'm expecting a DNSSEC response and don't get it, I know that I need
to go ask somewhere else. That's a FEATURE, not a bug.
If I'm sitting in a hotel room behind a broken middleware box then I
know, for sure, that the middleware is breaking me; I can turn off
validation at that point (or decide never to stay at that hotel again --
or both!)
>> Well, it sort of does, but it's not easy. But this is why they use
>> ZSKs. The Root Zone KSK is mightily protected.
>
> So, too, allegedly, were the keys at DigiNotar.
I have no idea what the DigiNotar security practices were. I *DO* know
exactly what ICANN's practices are (and I even know at least one
key-holder personally).
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the Discuss
mailing list