On Mon, Jan 19, 2015 at 11:29:42PM +0100, Per Thorsheim wrote:

> Thomas Ptacek doesn't like DNSSEC
> http://sockpuppet.org/blog/2015/01/15/against-dnssec/ & followup
> http://sockpuppet.org/stuff/dnssec-qa.html, and ImperialViolet has some
> opinions as well https://www.imperialviolet.org/2015/01/17/notdane.html
Ben Laurie is talking about browsers, and Certificate Transparency is his
hobby-horse like DANE for SMTP is mine. I am not at present advocating DANE
for browsers; some work remains to be done before that's realistic. Ben is
not arguing against DANE for SMTP.

As for Thomas Ptacek, I see nothing new or particularly interesting there.
Pinning does not solve the "introduction" problem. DNSSEC begins to address
it at scale. Pinning also does nothing for SMTP, because the attacker who
compromises DNSSEC can just override the MX RRset, sending the mail
elsewhere, and without DNSSEC SMTP clients are open to STARTTLS downgrade
attacks.

We can make DANE for SMTP more tamper-evident by logging the matched TLSA RR
digest for validated connections, and logging connections that are not
validated. Code for that will start appearing in next year's Postfix
snapshots. Log analysis can look for statistically significant deviations
from "normal" outcomes.

If the .com registry is caught misusing its keys to sign fraudulent DS RRs,
or return fraudulent answers, that problem will have to be addressed. I
don't think they can expect to engage in that activity without risk of
detection. No system can secure traffic between strangers without some
trusted introducers.

> I understand I have lots and lots to read here, but short question is:
> how will this eventually impact future deployment of SMTP security
> via opportunistic DANE TLS?

Early deployments are moving forward just fine, despite the above
objections. The main obstacle is lack of good user guides and, until
recently, a good testing site. With https://dane.sys4.de in operation,
we'll have to focus on a good set of user guides.

DANE in its present form is a step in the right direction, not the end of
the road.

-- 
Viktor.
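The tamper-evidence idea in the message above (log the matched TLSA digest for validated connections, log non-validated connections, then look for deviations from each destination's normal outcome) can be sketched as a small log analyzer. The following is an added example, not Viktor's code and not part of Postfix; the log line format, the destination names, the digests and the threshold are all constructed for this example, and the "statistically significant" test is simplified to a fixed verified-ratio threshold.

```python
"""Flag DANE-for-SMTP outcome deviations from constructed log lines.

Hypothetical log format used here (NOT Postfix's real log syntax):
  <timestamp> dane: dest=<mx host> outcome=<verified|untrusted|none> tlsa_digest=<hex or ->

Two kinds of deviation are reported for destinations that were reliably
DANE-verified in the baseline period:
  * new_tlsa_digest  - a verified connection matched a TLSA digest never
                       seen before (legitimate key rollover, or tampering)
  * validation_drop  - the share of verified connections fell below the
                       threshold (possible TLSA removal or downgrade)
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dane: dest=(?P<dest>\S+) "
    r"outcome=(?P<outcome>verified|untrusted|none) tlsa_digest=(?P<digest>\S+)$"
)

# Constructed sample data: a baseline day and a later window to compare.
BASELINE_LOG = [
    "2015-01-20T10:00:01Z dane: dest=mx1.example.net outcome=verified tlsa_digest=aa11",
    "2015-01-20T10:05:02Z dane: dest=mx1.example.net outcome=verified tlsa_digest=aa11",
    "2015-01-20T10:10:03Z dane: dest=mx1.example.net outcome=verified tlsa_digest=aa11",
    "2015-01-20T10:15:04Z dane: dest=mx.example.org outcome=untrusted tlsa_digest=-",
    "2015-01-20T10:20:05Z dane: dest=mx.example.org outcome=untrusted tlsa_digest=-",
]
WINDOW_LOG = [
    "2015-01-21T10:00:01Z dane: dest=mx1.example.net outcome=verified tlsa_digest=bb22",
    "2015-01-21T10:05:02Z dane: dest=mx1.example.net outcome=none tlsa_digest=-",
    "2015-01-21T10:10:03Z dane: dest=mx1.example.net outcome=untrusted tlsa_digest=-",
    "2015-01-21T10:15:04Z dane: dest=mx.example.org outcome=untrusted tlsa_digest=-",
    "not a dane line at all",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["digest"] = None if rec["digest"] == "-" else rec["digest"]
    return rec


def summarize(lines):
    """Per destination: total connections, verified count, TLSA digests seen."""
    stats = defaultdict(lambda: {"total": 0, "verified": 0, "digests": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        s = stats[rec["dest"]]
        s["total"] += 1
        if rec["outcome"] == "verified":
            s["verified"] += 1
            if rec["digest"]:
                s["digests"].add(rec["digest"])
    return stats


def verified_ratio(s):
    return s["verified"] / s["total"] if s["total"] else 0.0


def find_deviations(baseline_lines, window_lines, min_ratio=0.9):
    """Compare a recent window against the baseline; return (dest, kind, detail) alerts."""
    base = summarize(baseline_lines)
    win = summarize(window_lines)
    alerts = []
    for dest, s in sorted(win.items()):
        b = base.get(dest)
        if b is None or verified_ratio(b) < min_ratio:
            continue  # never reliably DANE-verified before; nothing to compare against
        for digest in sorted(s["digests"] - b["digests"]):
            alerts.append((dest, "new_tlsa_digest", digest))
        if verified_ratio(s) < min_ratio:
            alerts.append((dest, "validation_drop", f"{s['verified']}/{s['total']} verified"))
    return alerts


if __name__ == "__main__":
    for dest, kind, detail in find_deviations(BASELINE_LOG, WINDOW_LOG):
        print(f"{dest}: {kind} ({detail})")
```

With the sample data, mx1.example.net is reported twice (a digest change to bb22 and a drop to 1 of 3 verified), while mx.example.org is ignored because it was never DANE-verified in the baseline. In practice the baseline would be rebuilt on a rolling basis and a new digest that persists across many connections would be accepted as a key rollover once confirmed out of band.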