[144451] in North American Network Operators' Group


Re: DANE and DNSSEC, was Microsoft deems all DigiNotar

daemon@ATHENA.MIT.EDU (John Levine)
Mon Sep 12 10:47:15 2011

Date: 12 Sep 2011 14:46:03 -0000
From: "John Levine" <johnl@iecc.com>
To: nanog@nanog.org
In-Reply-To: <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In article <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA@mail.gmail.com> you write:
>Except that this just shifts the burden of trust on to DNSSEC, which also
>necessitates a central authority of 'trust'.  Unless there's an explicitly
>more secure way of storing DNSSEC private keys, this just moves the bullseye
>from CAs to DNSSEC signers.

It does, but it also limits the damage.  If you lose your DNSSEC key,
bad guys can forge names below you in the DNS tree.  If you lose your
CA key, bad guys can forge any name they want.

Or to look at it another way, if I put effort into securing my own
DNS, and I am careful about the providers above me in the tree, I can
limit the chance of DNSSEC compromise.  With SSL, it doesn't matter
what I do, I'm always at the mercy of the next DigiNotar.

R's,
John
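The structural point John makes above (a stolen zone key only lets an attacker vouch for names below that zone, while a stolen CA key vouches for any name) can be shown with a small model. The following Python is an added illustration, not part of John's post or the thread: signatures are simulated with HMAC so that whoever holds a Key object is both signer and verifier, the zone names (example.com., bank.org.) and CA names (CA-A, CA-B) are constructed, and the code models only the shape of the trust chains, not real DNSSEC, DANE or X.509 validation.

```python
"""Toy model: hierarchical DNSSEC-style trust versus flat CA-style trust.
HMAC stands in for public-key signatures; all names and keys are constructed."""
import hashlib
import hmac


class Key:
    """Constructed toy signing key (HMAC in place of a real signature scheme)."""

    def __init__(self, owner: str):
        self.owner = owner
        self._secret = hashlib.sha256(f"toy-secret:{owner}".encode()).digest()

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)

    def ds(self) -> bytes:
        """Stand-in for a DS record: the digest a parent zone signs to delegate."""
        return hashlib.sha256(b"ds:" + self._secret).digest()


def record_bytes(name: str, cert_hash: str) -> bytes:
    """The signed assertion, roughly what a TLSA record or a certificate says."""
    return f"{name}|{cert_hash}".encode()


def parent_of(zone: str):
    """'example.com.' -> 'com.', 'com.' -> '.', '.' -> None (trailing-dot FQDNs)."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]
    return rest or "."


def in_zone(name: str, zone: str) -> bool:
    """True when name sits at or below zone in the DNS tree."""
    return zone == "." or name == zone or name.endswith("." + zone)


class DnssecTree:
    """Hierarchical trust: one trust anchor at the root; every other zone key is
    trusted only through a chain of parent-signed DS digests."""

    def __init__(self):
        self.keys = {".": Key(".")}
        self.ds_sigs = {}  # child zone -> parent's signature over the child's DS

    def delegate(self, child: str):
        parent = parent_of(child)
        self.keys[child] = Key(child)
        self.ds_sigs[child] = self.keys[parent].sign(self.keys[child].ds())

    def validate(self, name: str, cert_hash: str, signer: str, sig: bytes) -> bool:
        if signer not in self.keys or not in_zone(name, signer):
            return False  # a zone cannot vouch for names outside its own subtree
        zone = signer
        while zone != ".":  # walk the delegation chain up to the trust anchor
            parent = parent_of(zone)
            if not self.keys[parent].verify(self.keys[zone].ds(), self.ds_sigs[zone]):
                return False
            zone = parent
        return self.keys[signer].verify(record_bytes(name, cert_hash), sig)


class CaStore:
    """Flat trust: any CA in the store may vouch for any name at all."""

    def __init__(self, cas):
        self.cas = {k.owner: k for k in cas}

    def validate(self, name: str, cert_hash: str, issuer: str, sig: bytes) -> bool:
        ca = self.cas.get(issuer)
        return ca is not None and ca.verify(record_bytes(name, cert_hash), sig)


def demo() -> dict:
    """Constructed scenario: one zone key and one CA key fall into the wrong hands."""
    tree = DnssecTree()
    for zone in ("com.", "example.com.", "org.", "bank.org."):
        tree.delegate(zone)
    stolen_zone_key = tree.keys["example.com."]
    cas = CaStore([Key("CA-A"), Key("CA-B")])
    stolen_ca_key = cas.cas["CA-B"]

    def forge(key, name):
        return key.sign(record_bytes(name, "evil-cert"))

    legit_sig = tree.keys["bank.org."].sign(record_bytes("www.bank.org.", "real-cert"))
    return {
        "legit_record": tree.validate("www.bank.org.", "real-cert", "bank.org.", legit_sig),
        "dnssec_forge_below_stolen_zone": tree.validate(
            "www.example.com.", "evil-cert", "example.com.", forge(stolen_zone_key, "www.example.com.")),
        "dnssec_forge_other_branch": tree.validate(
            "www.bank.org.", "evil-cert", "example.com.", forge(stolen_zone_key, "www.bank.org.")),
        "ca_forge_any_name": cas.validate(
            "www.bank.org.", "evil-cert", "CA-B", forge(stolen_ca_key, "www.bank.org.")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'validates' if ok else 'rejected'}")
```

The two checks in `DnssecTree.validate` are what bound the damage: the subtree check rejects the example.com. key vouching for www.bank.org. outright, and the DS chain means only the ancestors of a name (the "providers above me in the tree") can affect its validation. `CaStore.validate` has neither constraint, so the compromised CA-B forges www.bank.org. just as easily as anything else.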

