[Discuss] free SSL certs from the EFF
Edward Ned Harvey (blu)
blu at nedharvey.com
Tue Dec 2 09:35:53 EST 2014
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Bill Bogstad
>
> As far as I can tell, the problem with DNSSEC isn't with the
> underlying protocols/processes; it is the chicken and egg deployment
> problem. As Ed Harvey discusses in a different message, not all
> zones are signed. This causes lots of problems.
There are lots of possible ways to solve the problem. A really obvious one would be to create a "secure" DNS service, which is functionally equivalent to regular DNS, except that all query responses must be signed, and that includes signing the "NX_DOMAIN" response, which would then give the client the ability to verifiably determine whether or not a secure response should have existed for a particular query. That is, unless a malicious DNS root server provides maliciously crafted responses.
Another way would be to mandate that all DNS must be secure by some deadline. By brute force and legal intervention, forcibly obsolete insecure DNS.
Another solution would be to simply require all non-DNS communications use SSL/TLS. For example, you don't have to worry about hacked up DNS, if you're using https://blahblah. Because if the DNS response is invalid, your https protocol is going to detect an invalid server cert.
And there are some other possibilities as well.
More information about the Discuss
mailing list