On 12/15/2015 11:34 AM, Michael Ströder wrote:
Yes. It's your choice. With DNSSEC I don't have a choice at all. It's a single root key controlled by the entity which was the cause for RFC 7258 (besides the horrible key management practice out in the wild). And frankly I don't trust anybody who is endorsing DNSSEC as the sole solution for all trust problems. We should do better. Ciao, Michael.
Horrible management of TLS certificates has not caused people to abandon TLS.
With the HBO outage (what people usually refer to), DNSSEC was doing exactly what it is supposed to do. What other "horrible" management is there?
Similar configuration mistakes that cause lack of access to TLS sites do not cause people to reject TLS.
The ability to validate DNS results is critical to Internet security, and there is no other system that allows validation that the results from your query are authoritative.
Sure, if an attacker gets a key they can create a fake chain of trust for anything from that key. That exists with TLS too, only with TLS the problem is worse: a lot more signing keys to be compromised, and when compromised they can sign a cert for any domain.
Problems like the recent Lenovo or Dell fubar where they put a root cert in the OS trust store can't happen with DNSSEC.
And with DNSSEC, someone can root all of my DNS servers and they still will not be able to create a fraudulent record because the keys are not on them.
It really is a beautiful concept, and I am glad to see it being embraced in the e-mail server world. It is the right solution to the problem, in my opinion.
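The offline-signing point made in the reply above, as an added illustration that is not part of the thread: a deliberately simplified model (not the RFC 4034 wire format) in which the private key exists only on the signer, the nameserver publishes signed records, and a validating resolver checks them against the public key it trusts. The zone name, addresses and canonical encoding are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set (owner name, type, TTL, rdata).
type RRset struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// canonical gives a deterministic byte form of the RRset, loosely modelled on
// RFC 4034 canonical form (lowercase owner name, sorted rdata). Constructed here.
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(r.Name), r.Type, r.TTL, strings.Join(rd, ",")))
}

// SignRRset runs on the offline signer: the only place the private key exists.
func SignRRset(priv ed25519.PrivateKey, r RRset) []byte {
	return ed25519.Sign(priv, r.canonical())
}

// ValidateRRset is what a validating resolver does with the public key it
// obtained through the chain of trust (trust anchor -> DS -> DNSKEY).
func ValidateRRset(pub ed25519.PublicKey, r RRset, sig []byte) bool {
	return ed25519.Verify(pub, r.canonical(), sig)
}

// Scenario: sign offline, publish, then someone who controls the nameserver
// rewrites the rdata. Returns (genuine validates, forged validates).
func Scenario() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed keypair
	if err != nil {
		panic(err)
	}
	genuine := RRset{"mail.example.", "A", 3600, []string{"192.0.2.10"}}
	sig := SignRRset(priv, genuine)
	forged := genuine // attacker on the server has the data but no private key
	forged.Rdata = []string{"198.51.100.99"}
	return ValidateRRset(pub, genuine, sig), ValidateRRset(pub, forged, sig)
}

func main() {
	g, f := Scenario()
	fmt.Printf("genuine validates: %v, forged validates: %v\n", g, f)
}
```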