Comment by indolering

6 hours ago

It's great to see the free, cryptographically secure, and distributed keyval database that under-grids the entire internet being used to make it more secure. It's too bad lazy sys admins claim that it's not needed and spout a bunch of FUD [1] that is not true [2].

[1]: https://sockpuppet.org/blog/2015/01/15/against-dnssec/ [2]: https://easydns.com/blog/2015/08/06/for-dnssec/

37 comments

indolering

Reply
tptacek  6 hours ago

I haven't been a "sysadmin" since 1996.

  • indolering  5 hours ago

    You haven't been a web developer since you posted that article either, since you won't retract silly arguments on your website:

    "Government Controlled PKI!"

    - Governments own the domains, you just rent them. They can kick your site off and validate their HTTPS certs regardless of DNSSEC.

    "Weak Crypto!"

    - 1K key sizes were fine given the threat model required cracking one in a year. They have since been increased.

    "DNSSEC Doesn’t Protect Against MITM Attacks"

    - DNSSEC protects against MITM attacks!

    - It's just that most clients don't perform local validation due to low adoption.

    - In reality, you are just making the circular argument to NOT adopt DNSSEC because adoption is low.

    - There are LOTS more MITM opportunities with HTTPS. We spent a massive effort on cert transparency, yet even Cloudflare missed a rouge cert being issued.

    "There are Better Alternatives to DNSSEC"

    - There is no alternative to signing domain name data and you point to crypto systems that do something other than that.

    - "There are better alternatives to HTTPS: E2E JS crypto with trust on first use"

    - What about SSH? I guess we are doomed to run everything over HTTPS and pay dumb cert authorities for the privilege of doing so.

    "Bloats record sizes"

    - ECC sigs can be sent in a single packet.

    - Caching makes first connect latency irrelevant.

    On and on and on. These are trivially refutable but you just shut the conversation down and point out instances of downtime ... as if DNS doesn't cause a lot of downtime anyaway.

    • some_furry  5 hours ago

      > "Bloats record sizes"

      > - ECC sigs can be sent in a single packet.

      It's 2026. If you're deploying a cryptosystem and not considering post-quantum in your analysis, you'd best have a damn good reason.

      ECC signs might be small, but the world will be moving to ML-DSA-44 in the near future. That needs to be in your calculus.

      16 replies →

    • thunderfork  4 hours ago

      >It's just that most clients don't perform local validation due to low adoption.

      From your link elsewhere, https://easydns.com/blog/2015/08/06/for-dnssec/

      >We might see a day when HTTPS key pinning and the preload list is implemented across all major browsers, but we will never see these protections applied in a uniform fashion across all major runtime environments (Node.js, Java, .NET, etc.)[...]

      Is this not the same flaw?

      2 replies →