Comment by 8organicbits

1 day ago

I would be interested in your take; if you had to distrust the network, how would you protect HTTP, SMTP, DNS, and TLS certs? I suspect your answer isn't DNSSEC, but I'd be interested to hear what you would use instead. The European answer seems to be DNSSEC, considering adoption rates there. (edit: should be "includes" not "be", it's one of the tools they use).

We do have to distrust the network, which is partly why TLS cert validation now includes a bunch of mitigations around validation from multiple network positions, certificate transparency logs, etc.

DNSSEC adoption on major European properties is also quite low! Try a bunch of domains out (`host -t ds <domain>`). There are more in Europe, of course, but not very many, at least not major ones. My hypothesis, I think strongly supported: the more mature your security team, the more internal pushback against DNSSEC.

  • Sure, I'll do some homework for you. I just took the latest Tranco top million list (7N42X) and scanned the top thousand .cz domains. 61% of the top 100 .cz domains have DS records as do 50.6% of the top thousand .cz domains. That matches what others have been reporting and doesn't seem "quite low" to me.

    If you're interested in talking about something other than DNSSEC, I would be interested in your thoughts here.

    • Oh, if the Tranco list is interesting to you, you don't ever have to do any homework again; I continuously do it for you:

      https://dnssecmenot.fly.dev/

      A funny note here: I track changes, and in the last 150 days, there has been one (1) (someone turned DNSSEC off).
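The check both commenters describe (`host -t ds <domain>` over a ranked domain list, then a percentage per rank bucket) as an added worked example; this is editor-written code, not anything from the thread's participants or from the dnssecmenot site. It assumes the line format of BIND's `host -t ds` ("<name> has DS record <keytag> <alg> <digest-type> <digest>", "<name> has no DS record", "Host <name> not found: ..."), a Tranco-style (rank, domain) list, and constructed sample output; the domain names, ranks and DS digests below are made up. The live `query_ds` helper is the only network-dependent part and is not needed for the offline tally.

```python
"""Tally DNSSEC DS-record presence over a ranked domain list.

Added example (editor's code, not from the thread). It parses the output of
BIND's `host -t ds <domain>` and reports, per rank cutoff, how many of the
top-N delegations carry a DS record. A DS at the parent only says the
delegation is signed; it does not prove the child zone validates (a stale or
mismatched DS makes the zone fail on validating resolvers).
"""
import re
import subprocess

# Assumed `host -t ds` line formats (BIND 9 host utility).
DS_RE = re.compile(
    r"^(?P<name>\S+) has DS record (?P<tag>\d+) (?P<alg>\d+) "
    r"(?P<dtype>\d+) (?P<digest>[0-9A-Fa-f]+)$"
)
NO_DS_RE = re.compile(r"^(?P<name>\S+) has no DS record$")
NOT_FOUND_RE = re.compile(r"^Host (?P<name>\S+) not found:")


def _norm(name):
    """Normalise a domain name for use as a dictionary key."""
    return name.rstrip(".").lower()


def parse_host_output(text):
    """Map each domain seen in `host -t ds` output to its DS records.

    Returns {domain: [(keytag, algorithm, digest_type, digest), ...]}.
    A domain that answered 'has no DS record' maps to an empty list; a domain
    that did not resolve at all (e.g. NXDOMAIN) maps to None.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DS_RE.match(line)
        if m:
            recs = result.get(_norm(m["name"])) or []
            recs.append((int(m["tag"]), int(m["alg"]), int(m["dtype"]), m["digest"].upper()))
            result[_norm(m["name"])] = recs
            continue
        m = NO_DS_RE.match(line)
        if m:
            result.setdefault(_norm(m["name"]), [])
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            result.setdefault(_norm(m["name"]), None)
        # Any other line (SERVFAIL reports, comments) is ignored.
    return result


def adoption_by_rank(ranked_domains, ds_map, cutoffs=(100, 1000)):
    """For each cutoff, count signed / unsigned / unresolved delegations.

    `ranked_domains` is an iterable of (rank, domain). The fraction is taken
    over domains that actually answered, so unresolvable names do not drag
    the adoption figure down.
    """
    out = {}
    ordered = sorted(ranked_domains)
    for cutoff in cutoffs:
        signed = unsigned = unresolved = 0
        for rank, domain in ordered:
            if rank > cutoff:
                break
            recs = ds_map.get(_norm(domain))
            if recs is None:
                unresolved += 1
            elif recs:
                signed += 1
            else:
                unsigned += 1
        answered = signed + unsigned
        out[cutoff] = {
            "signed": signed,
            "unsigned": unsigned,
            "unresolved": unresolved,
            "fraction_signed": signed / answered if answered else 0.0,
        }
    return out


def query_ds(domain, timeout=5):
    """Run `host -t ds` for one domain (needs network and the host binary)."""
    try:
        proc = subprocess.run(["host", "-t", "ds", domain],
                              capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_host_output(proc.stdout + proc.stderr).get(_norm(domain))


# Constructed sample output: names, key tags and digests are made up.
SAMPLE_HOST_OUTPUT = """\
alpha.cz has DS record 12345 13 2 0123456789ABCDEF0123456789ABCDEF
alpha.cz has DS record 12345 13 4 FEDCBA9876543210FEDCBA9876543210
bravo.cz has no DS record
charlie.cz has DS record 2048 8 2 00FF00FF00FF00FF00FF00FF00FF00FF
delta.cz has no DS record
Host echo.invalid not found: 3(NXDOMAIN)
foxtrot.cz has no DS record
"""

# Constructed rank list in Tranco-style (rank, domain) order.
SAMPLE_RANKS = [(1, "alpha.cz"), (2, "bravo.cz"), (3, "charlie.cz"),
                (4, "delta.cz"), (5, "echo.invalid"), (6, "foxtrot.cz")]

if __name__ == "__main__":
    ds_map = parse_host_output(SAMPLE_HOST_OUTPUT)
    for cutoff, stats in adoption_by_rank(SAMPLE_RANKS, ds_map, cutoffs=(2, 6)).items():
        print(f"top {cutoff}: {stats['fraction_signed']:.1%} signed  {stats}")
```

To reproduce a real scan, feed the output of `host -t ds` for each domain in a Tranco CSV through `parse_host_output` and pass the CSV's (rank, domain) pairs to `adoption_by_rank`; for the offline sample, the top-2 bucket comes out 50% signed and the top-6 bucket 40%, with the NXDOMAIN name reported separately rather than counted as unsigned.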