[Discuss] free SSL certs from the EFF
Matthew Gillen
me at mattgillen.net
Wed Dec 3 16:08:56 EST 2014
On 12/03/2014 11:20 AM, Richard Pieri wrote:
> On 12/3/2014 10:52 AM, Derek Atkins wrote:
>> Actually, it was designed to protect against that. I sat in the
>> IETF meetings where that was explicitly discussed. If an intermediary
>> strips the DNSSEC records out then a resolver expecting DNSSEC will
>> force a validation error.
>
> Which results in a denial of service for clients if DNSSEC is enforced.
> That's not protecting users; that's dumping them into black holes.
I think that comment misses the point. DoS is typically an acceptable
response to man-in-the-middle attacks; it is worse to make me think I
have a secure connection to GMail than it is to just refuse connection
entirely. Likewise, I would rather have DNS not work at all than have
it hijacked (because the hijacker is almost certainly going to redirect
me away from where I'm wanting to go anyway).
I started the discussion about DNSSEC because I was saying you could use
that, along with some special TXT entry in your domain's zone to have a
verifiable way to identify who an /appropriate/ CA for a given domain is
(and thereby not have to throw away all of the X509 system).
There are two potential flaws, one that I identified, and one that R.
Pieri brought up (which I think, but I'm not sure, that Derek refuted).
The first flaw is DNSSEC to end clients. There are two solutions to this:
1) run a caching name server locally and only use that (easy)
2) have application specific hooks to do the appropriate lookups (for
instance, this firefox extension, while out of maintenance, seemed to do
sort of what I wanted:
https://addons.mozilla.org/en-US/firefox/addon/extended-dnssec-validator/ ;
also worth noting is that this plugin seemed to require some auxiliary
software installed, but that may have been just because DNSSEC stuff
wasn't built into libdns at the time)
The second issue was that DNSSEC has a built-in way to MITM it, where an
intermediary could strip out the info that indicated that a given domain
had DNSSEC records (the claim was this was forced for compatibility). I
think Derek refuted that, and I have to believe that
what Richard claimed would defeat the whole purpose of DNSSEC.
Matt
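Added example (not code from the thread or from any of its participants): a small Python model of the validator logic under discussion. It shows why stripping RRSIGs from a child zone that has a DS in its parent, or stripping the DS without an authenticated denial, yields a "bogus" result rather than silently falling back to unsigned, and then layers the "special TXT entry naming the appropriate CA" idea on top. The `ca=` TXT convention and all record values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Delegation:
    """What a validating resolver learned from the signed parent zone (assumed model)."""
    ds_present: bool           # parent published a DS record for the child zone
    ds_signature_valid: bool   # RRSIG over that DS verified against the parent's keys
    denial_proof_valid: bool   # authenticated NSEC/NSEC3 proving "no DS" (used when ds_present is False)

@dataclass
class ChildAnswer:
    """The answer received for the child zone, possibly after an intermediary tampered with it."""
    rrsig_present: bool
    signature_valid: bool
    txt_records: List[str]

def validation_state(deleg: Delegation, answer: ChildAnswer) -> str:
    """Simplified RFC 4035 outcome: 'secure', 'insecure' or 'bogus'."""
    if deleg.ds_present:
        if not deleg.ds_signature_valid:
            return "bogus"                       # DS itself cannot be trusted
        if answer.rrsig_present and answer.signature_valid:
            return "secure"
        return "bogus"                           # signatures stripped or forged: hard failure, not fallback
    if deleg.denial_proof_valid:
        return "insecure"                        # parent proved the child is genuinely unsigned
    return "bogus"                               # DS missing with no proof: treated as stripped

def appropriate_ca(deleg: Delegation, answer: ChildAnswer) -> Optional[str]:
    """Return the CA named by a constructed 'ca=<name>' TXT record, only if the zone data validated."""
    if validation_state(deleg, answer) != "secure":
        return None
    for rr in answer.txt_records:
        if rr.startswith("ca="):
            return rr[3:]
    return None

def issuer_is_acceptable(deleg: Delegation, answer: ChildAnswer, cert_issuer: str) -> bool:
    """Accept the presented certificate only when DNS securely names its issuer as the appropriate CA."""
    expected = appropriate_ca(deleg, answer)
    return expected is not None and expected == cert_issuer

if __name__ == "__main__":
    signed_parent = Delegation(ds_present=True, ds_signature_valid=True, denial_proof_valid=False)
    stripped = ChildAnswer(rrsig_present=False, signature_valid=False, txt_records=["ca=example-ca"])
    print(validation_state(signed_parent, stripped))  # bogus: the connection is refused, not downgraded
```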