BLU Discuss list archive
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: me at mattgillen.net (Matthew Gillen)
- Date: Wed, 03 Dec 2014 16:08:56 -0500
- In-reply-to: <547F3855.10106@gmail.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <54737E7C.5040506@mattgillen.net> <BN3PR0401MB1204CDD16766109B0CD095ECDC730@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjm8uirdxem.fsf@securerf.ihtfp.org> <BN3PR0401MB1204B299B351DFF7F2E85FBDDC7D0@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjmlhmqcb1j.fsf@securerf.ihtfp.org> <BN3PR0401MB120492A5BDE4D3CEE0AECDD3DC7A0@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjm8uiqc7sw.fsf@securerf.ihtfp.org> <547E0FB3.3070005@gmail.com> <sjmy4qobui6.fsf@securerf.ihtfp.org> <547F3855.10106@gmail.com>
On 12/03/2014 11:20 AM, Richard Pieri wrote:
> On 12/3/2014 10:52 AM, Derek Atkins wrote:
>> Actually, it was designed to protect against that. I sat in the
>> IETF meetings where that was explicitly discussed. If an intermediary
>> strips the DNSSEC records out then a resolver expecting DNSSEC will
>> force a validation error.
>
> Which results in a denial of service for clients if DNSSEC is enforced.
> That's not protecting users; that's dumping them into black holes.

I think that comment misses the point. DoS is typically an acceptable response to man-in-the-middle attacks; it is worse to make me think I have a secure connection to GMail than it is to just refuse the connection entirely. Likewise, I would rather have DNS not work at all than have it hijacked (because the hijacker is almost certainly going to redirect me away from where I'm wanting to go anyway).

I started the discussion about DNSSEC because I was saying you could use that, along with some special TXT entry in your domain's zone, to have a verifiable way to identify who an /appropriate/ CA for a given domain is (and thereby not have to throw away all of the X509 system). There are two potential flaws, one that I identified, and one that R. Pieri brought up (which I think, but I'm not sure, that Derek refuted).

The first flaw is DNSSEC to end clients. There are two solutions to this:
1) run a caching name server locally and only use that (easy)
2) have application-specific hooks to do the appropriate lookups (for instance, this Firefox extension, while out of maintenance, seemed to do sort of what I wanted: https://addons.mozilla.org/en-US/firefox/addon/extended-dnssec-validator/ ; also worth noting is that this plugin seemed to require some auxiliary software installed, but that may have been just because DNSSEC stuff wasn't built in to libdns at the time)

The second issue was that DNSSEC has a built-in way to MITM it, where an intermediary could strip out the info that indicated that a given domain had DNSSEC records (the claim was this was forced for compatibility). I think Derek refuted that, and I have to believe that what Richard claimed would defeat the whole purpose of DNSSEC.

Matt
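As an added example (not code from the thread), here is a minimal model in Go of the validating-resolver logic Derek describes: with a DS record in the parent, an answer whose DNSKEY/RRSIG were stripped or altered is BOGUS and the resolver answers SERVFAIL (the "black hole"), while only a delegation whose parent proves there is no DS is INSECURE and used without the AD bit. It assumes Ed25519 (DNSSEC algorithm 15) for the zone key, collapses the DS and RRSIG wire formats to a digest and a signature over owner name plus RDATA, and uses constructed sample names and addresses.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Verdicts a validating resolver can reach for one answer.
const (
	Secure   = "SECURE"   // chain of trust verified; AD bit set
	Insecure = "INSECURE" // parent proved no DS exists: unsigned zone, accepted without AD
	Bogus    = "BOGUS"    // parent has a DS but the answer does not verify: SERVFAIL
)
// Answer is a simplified response for one RRset as the resolver sees it.
type Answer struct {
	Name   string
	RData  string
	DNSKEY ed25519.PublicKey // nil if an intermediary stripped it
	RRSIG  []byte            // nil if stripped
}
// dsDigest models a DS record: a digest over owner name and DNSKEY (simplified RFC 4034).
func dsDigest(name string, key ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name+"|"), key...))
	return h[:]
}
// signedData is what the RRSIG covers: owner name plus the RRset data.
func signedData(name, rdata string) []byte { return []byte(name + "|" + rdata) }
// Validate checks the child's answer against the parent's DS (nil = parent proved no DS).
func Validate(parentDS []byte, a Answer) string {
	switch {
	case parentDS == nil:
		return Insecure // unsigned delegation: data used, but no security claimed
	case a.DNSKEY == nil || a.RRSIG == nil:
		return Bogus // parent says the zone is signed, so stripped records are rejected
	case string(dsDigest(a.Name, a.DNSKEY)) != string(parentDS):
		return Bogus // DNSKEY swapped for one the parent never vouched for
	case !ed25519.Verify(a.DNSKEY, signedData(a.Name, a.RData), a.RRSIG):
		return Bogus // signature does not verify: data was altered
	}
	return Secure
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name, rdata := "mail.example.", "A 203.0.113.10" // constructed sample record
	ds := dsDigest(name, pub)
	fmt.Println(Validate(ds, Answer{name, rdata, pub, ed25519.Sign(priv, signedData(name, rdata))})) // SECURE
	fmt.Println(Validate(ds, Answer{name, rdata, nil, nil}))  // BOGUS: stripped, resolver returns SERVFAIL
	fmt.Println(Validate(nil, Answer{name, rdata, nil, nil})) // INSECURE: zone really is unsigned
}
```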