If an attacker owns a resolver DNSSEC stops mattering too; from the resolver to the stub-resolver, the protocol collapses down to a single "yes we did DNSSEC" bit in the header.

The bigger thing here is DoH, which has very real penetration, and works for zones that don't do anything to opt-in. That's what a good design looks like: it just works without uninvolved people having to do extra stuff.

I think DNSSEC supporters, what few of them are left, are really deep into cope about what transport security is doing to the rationale for DNSSEC deployment. There's nothing about DoH that makes it complicated to speak it to an authority server. The only reason I can see that we're not going to get that is that multi-perspective kills the value proposition of even doing that much.

reply
> There's nothing about DoH that makes it complicated to speak it to an authority server.

There’s a problem with HTTPS, though. HTTPS uses URLs that use WebPKI to tie the URL to the certificate validation algorithm. Which means you need WebPKI certificates, which needs DNS. Chicken, meet egg.

Maybe there could be a new URL scheme that doesn’t need WebPKI. It could be spelled like:

    https_explicit:[key material]//host.name/path
or maybe something slightly crazy and even somewhat backwards compatible if the CA/browser people wouldn’t blow a fuse:

    https://1.2.3.4.ipv4.[key material].explicit_key.net
explicit_key.net would be some appropriate reserved domain, and some neutral party (ICANN?) could actually register it, expose the appropriate A records and, using a trusted and name-constrained intermediate CA, issue actual certificates that allow existing browsers to validate the key material in the domain name.
reply
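To make the "key material in the hostname" idea above concrete, here is an added example (not code from the commenter or from any existing scheme) of how a client would bind such a name to a server key without trusting DNS or a CA for the binding. It assumes a label layout the comment does not pin down: `<ip labels>.ipv4|ipv6.<base32 SHA-256 of the DER SubjectPublicKeyInfo>.explicit_key.net`, with IPv6 colons written as dashes. The sample SPKI bytes are constructed, not a real key; in practice the check runs against the SubjectPublicKeyInfo of the leaf certificate the server presents.

```python
import base64
import hashlib
import hmac
import ipaddress

# Reserved suffix proposed in the comment; the exact label layout is an assumption.
SUFFIX = "explicit_key.net"

# Constructed stand-in for the DER SubjectPublicKeyInfo of a server key (not a real key).
SAMPLE_SPKI = b"constructed-spki-der-bytes-for-this-example"


def spki_fingerprint_label(spki_der: bytes) -> str:
    """SHA-256 of the DER SPKI, base32 without padding, lower-cased: a 52-char DNS label."""
    digest = hashlib.sha256(spki_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def build_hostname(ip: str, spki_der: bytes) -> str:
    """Embed address and key fingerprint in a name under the reserved suffix."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        ip_labels = f"{addr}.ipv4"
    else:
        # Colons are not valid in hostnames; dashes are (assumed encoding).
        ip_labels = addr.exploded.replace(":", "-") + ".ipv6"
    return f"{ip_labels}.{spki_fingerprint_label(spki_der)}.{SUFFIX}"


def parse_hostname(hostname: str):
    """Return (ip_address, fingerprint_label); reject anything outside the scheme."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 5 or parts[-2:] != SUFFIX.split("."):
        raise ValueError("not an explicit-key hostname")
    fingerprint, family = parts[-3], parts[-4]
    ip_part = ".".join(parts[:-4])
    if family == "ipv4":
        ip = ipaddress.IPv4Address(ip_part)
    elif family == "ipv6":
        ip = ipaddress.IPv6Address(ip_part.replace("-", ":"))
    else:
        raise ValueError(f"unknown address family label: {family}")
    if len(fingerprint) != 52:
        raise ValueError("fingerprint label has the wrong length")
    return ip, fingerprint


def pin_matches(hostname: str, presented_spki_der: bytes) -> bool:
    """The only trust decision: does the presented key hash to the label in the name?"""
    _, expected = parse_hostname(hostname)
    actual = spki_fingerprint_label(presented_spki_der)
    # Constant-time comparison, as for any pin check.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    name = build_hostname("1.2.3.4", SAMPLE_SPKI)
    print(name)
    print("pin ok:", pin_matches(name, SAMPLE_SPKI))
    print("wrong key:", pin_matches(name, b"some-other-key"))
```

The point of the check is that the A record, the CA and the resolver all become untrusted inputs: a spoofed address or a mis-issued certificate under the reserved domain still fails `pin_matches` unless the attacker also holds the private key whose SPKI hashes to the label. What the scheme does not give you is key rotation without changing the name, which is the usual cost of putting key material in an identifier.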
I think stuff like this is more than promising; I think it's likely to happen relatively soon.
reply
Which is a problem with the OS and browser, not with DNSSEC.
reply
Eric Rescorla's post, linked upthread, goes into detail about why "OS's and browsers" can't easily solve this problem without breaking the Internet for materially large fractions of their users. In practice, browsers that care about DNS security just use DoH.
reply