[Discuss] free SSL certs from the EFF

[warlord at MIT.EDU (Derek Atkins)]

Richard Pieri <richard.pieri at gmail.com> writes:

> On 12/3/2014 10:52 AM, Derek Atkins wrote:
>> Actually, it was designed to protect against that.  I sat in the
>> IETF meetings where that was explicitly discussed.  If an intermediary
>> strips the DNSSEC records out then a resolver expecting DNSSEC will
>> force a validation error.
>
> Which results in a denial of service for clients if DNSSEC is
> enforced. That's not protecting users; that's dumping them into black
> holes.

Some say DoS, some say protected.  If someone is trying to poison my DNS
Cache I'd rather ignore them and blackhole than accept their attack and
go to the wrong place.  Besides, DNS allows me to go ask multiple
sources for information.

If I'm expecting a DNSSEC response and don't get it, I know that I need
to go ask somewhere else.  That's a FEATURE, not a bug.

If I'm sitting in a hotel room behind a broken middleware box then I
know, for sure, that the middleware is breaking me; I can turn off
validation at that point (or decide never to stay at that hotel again --
or both!)

>> Well, it sort of does, but it's not easy.  But this is why they use
>> ZSKs.  The Root Zone KSK is mightily protected.
>
> So, too, allegedly, were the keys at DigiNotar.

I have no idea what the DigiNotar security practices were.  I *DO* know
exactly what ICANN's practices are (and I even know at least one
key-holder personally).

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available