
No. You have to trust all the CAs, and the governments that control the DNS.

https://www.imperialviolet.org/2015/01/17/notdane.html

> No. You have to trust all the CAs, and the governments that control the DNS.

Not in DNSSEC. .xxx needs only to trust dnsroot. yyy.xxx needs only to trust .yyy and dnsroot.

Firefox/Chrome/etc., with support from important orgs with high-value names (google.com/bankofamerica.com/etc.), would then make sure that dnsroot/.com/etc. do not abuse the trust. They have incentives and methods of punishment. There is no legal authority requiring clients to map DNS . to the existing root keys. A client can map a.b.c to any key it wants.

The risk of gov overreach is the same for both TLS and DNSSEC. DNSSEC just trusts fewer entities. The only people who benefit from the current system are CAs, who are getting $$$ for nothing.

> https://www.imperialviolet.org/2015/01/17/notdane.html

This is orthogonal. Weak keys are not a required or implied characteristic of DNSSEC.


If browsers start mapping cert trust to something besides the DNS roots... it’s not DNSSEC, it’s something else entirely; it’s “our current system, maybe with some slight tweaks”.


I am not suggesting every client do its own mapping; that is not a naming system at all. There has to be very large consensus for a naming system to be effective. I just pointed that out to show that DNS is not under any gov control. It's under the control of an entity that can be punished.

However, who gets to have dnsroot is just a config value in DNSSEC. The value itself should not be used to criticize DNSSEC because it's changeable.


How do you punish .com if they misbehave? Move every site off .com?


No. You just map .com to another key, with an agreement that the new .com owner pre-signs and maps existing .com subs the right way. An unaware xxx.com does not need to do anything. As long as it's done publicly with a bang and enough consensus, disruption should be minimal.

Again, this is unavoidable in any system that needs trust. That's why I like PoW DNS.


Who is "you"? The people we're afraid of manipulating .COM control the DNS. Google can't "map .com to another key". Their option would be to leave .COM; that is the gun DNSSEC would give to the USG to hold against Google's head.


"You" is Firefox/Chrome/etc. Yes, you can. The ownership of .com is not as exclusive/protected as .xxx or xxx.com. Thus Firefox/Chrome/etc. can map it to anyone they feel like. Considering the many high-value .com subnames, .com can be transferred to a neutral party or even dnsroot. The USG does not own the ".com" string. No one does. Just like ".".


Your claim here is that a browser vendor could somehow fork the DNS and use its own .COM? Explain how that could possibly work.


Anyone can fork DNS. It's just a (name, key) map. As long as it's done with enough consensus, it can be done. Mismanagement of .com is serious enough to demand that kind of change.

Let's say .com gets mismanaged. The community is furious. Firefox/Chrome/etc. demand that . remap .com to a new, more trustable entity. If . does not, Firefox/Chrome/etc. then remap . to a new, more trustable entity, because .com must be as trustable as ., because .com is that important. The new . gives back ownership of all TLDs to their previous owners, except for .com; .com goes to the more trustable entity as intended. The new .com then does a similar import of all good xxx.com.

In this whole incident, no one loses ownership of their names except for .com and possibly ".".

Now no gov can touch *.com. Though it's different for ccTLDs; those are owned by their respective govs. Same goes for gTLDs. But no one gets to mess with ., .com, .org, .net.
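The two mechanics the thread keeps returning to, that a zone need only trust the zones above it and that which key stands for "." or ".com" is just a value in the validator's configuration, as an added example that is not from the thread and not from any real DNSSEC implementation. It is a toy chain-of-trust validator in Go: one Ed25519 key per zone stands in for real KSK/ZSK pairs, a signed key digest stands in for DNSKEY/DS/RRSIG wire formats, and the zones, the `_443._tcp.www.example.com.` owner name and the certificate bytes are all constructed. It validates under the stock configuration (anchor on "." only), then under a client that pins "com." to a replacement key of its own choosing, first while the fetched com. zone is still the old operator's, then after the replacement operator has re-signed the existing delegation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a heavily simplified signed zone (assumption, not real DNSSEC encoding):
// one key, the DS-style signatures it makes over its children's keys, and the
// records it signs itself, e.g. a TLSA-style certificate digest.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	DS   map[string][]byte // child zone name -> signature over digest of the child's key
	Recs map[string][]byte // owner name -> signature over the record data
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, DS: map[string][]byte{}, Recs: map[string][]byte{}}
}

func dsMsg(child string, pub ed25519.PublicKey) []byte {
	d := sha256.Sum256(pub) // the DS digest of the child's key
	return append([]byte("DS:"+child+":"), d[:]...)
}

func rrMsg(owner string, data []byte) []byte { return append([]byte("RR:"+owner+":"), data...) }

// Delegate is the parent vouching for the child's key, as a DS record does.
func (p *Zone) Delegate(c *Zone) { p.DS[c.Name] = ed25519.Sign(p.priv, dsMsg(c.Name, c.pub)) }

// Sign publishes a record under this zone's own key.
func (z *Zone) Sign(owner string, data []byte) { z.Recs[owner] = ed25519.Sign(z.priv, rrMsg(owner, data)) }

// Validator is the resolver side. Anchors is local configuration (zone name ->
// key the client trusts); Zones is whatever it fetched from the DNS.
type Validator struct {
	Anchors map[string]ed25519.PublicKey
	Zones   map[string]*Zone
}

// chainOf lists zones from the root down: "example.com." -> [".", "com.", "example.com."].
func chainOf(zone string) []string {
	chain := []string{"."}
	labels := strings.Split(strings.TrimSuffix(zone, "."), ".")
	for i := len(labels) - 1; i >= 0; i-- {
		if labels[i] != "" {
			chain = append(chain, strings.Join(labels[i:], ".")+".")
		}
	}
	return chain
}

// zoneKey returns the key this validator trusts for chain[i], or nil. A configured
// anchor wins outright; otherwise the parent's trusted key must have signed a DS
// for this zone's published key, so each zone only ever relies on the zones above it.
func (v *Validator) zoneKey(chain []string, i int) ed25519.PublicKey {
	name := chain[i]
	if k, ok := v.Anchors[name]; ok {
		return k
	}
	z := v.Zones[name]
	if z == nil || i == 0 {
		return nil // unsigned zone, or a root with no configured anchor
	}
	parent, parentKey := v.Zones[chain[i-1]], v.zoneKey(chain, i-1)
	if parent == nil || parentKey == nil || !ed25519.Verify(parentKey, dsMsg(name, z.pub), parent.DS[name]) {
		return nil
	}
	return z.pub
}

// Validate checks a record of zone against the key reached through the DS chain.
func (v *Validator) Validate(zone, owner string, data []byte) bool {
	chain := chainOf(zone)
	key, z := v.zoneKey(chain, len(chain)-1), v.Zones[zone]
	return key != nil && z != nil && ed25519.Verify(key, rrMsg(owner, data), z.Recs[owner])
}

// Demo returns: validation with the stock anchor; with "com." pinned to a client-chosen
// replacement key while the fetched com. is still the old operator's; and after the
// replacement operator re-signs the delegation (example.com's key never changes).
func Demo() (stockOK, forkedBefore, forkedAfter bool) {
	root, com, example := NewZone("."), NewZone("com."), NewZone("example.com.")
	root.Delegate(com)
	com.Delegate(example)
	owner := "_443._tcp.www.example.com."
	cert := sha256.Sum256([]byte("constructed certificate bytes, not a real certificate"))
	example.Sign(owner, cert[:])
	fetched := func(c *Zone) map[string]*Zone { return map[string]*Zone{".": root, "com.": c, "example.com.": example} }

	stock := &Validator{Anchors: map[string]ed25519.PublicKey{".": root.pub}, Zones: fetched(com)}
	stockOK = stock.Validate("example.com.", owner, cert[:])

	newCom := NewZone("com.") // the remap is validator config only; the root zone is untouched
	anchors := map[string]ed25519.PublicKey{".": root.pub, "com.": newCom.pub}
	forkedBefore = (&Validator{Anchors: anchors, Zones: fetched(com)}).Validate("example.com.", owner, cert[:])
	newCom.Delegate(example) // replacement com. pre-signs the existing delegation
	forkedAfter = (&Validator{Anchors: anchors, Zones: fetched(newCom)}).Validate("example.com.", owner, cert[:])
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("stock anchor: %v\nremapped com. before re-sign: %v\nremapped com. after re-sign: %v\n", a, b, c)
}
```

The second result is the caveat a practitioner would want: pinning a new key for com. in the client breaks every existing delegation until the new operator has re-signed them, so the "with enough consensus there is no disruption" claim depends entirely on that re-signing happening before the remap ships.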


It sounds like what you’re proposing is for browser vendors to, in unison, overthrow IANA and the related organizations and stage a coup where they start running their own DNS root authority. And then claiming that this would happen without impact to end users / owners-of-individual-domains.


Browser vendors (specifically all DNS users) have the option. They can do it if IANA fails at the job of being a dnsroot. Disruption is inversely proportional to consensus. If everyone does it, there is no disruption. Some disruption is unavoidable. It's a fair price to pay for a stable and solid global naming system.

Ultimately it's about deciding who gets to own the "x.y.z" string brand globally/contextlessly. The world obviously needs a single naming system. Either that or expect to have multiple owners of "google.com".

My suggestions are required; otherwise, why would someone build a global brand if ownership is not safe or guaranteed enough? The future is way more chaotic. Without crypto, a global naming system is not going to survive.


OK. I don't think we have to debate this any more. We can just leave it here: you think DNSSEC is a workable solution to our problems as long as the browsers can, if they ever need to, create their own alternate DNS for the web.


The linked article is about why you can’t simply trust the DNS roots, even if you were naive enough to want to.


If you can’t trust them then the whole thing crumbles anyway.

All you need to obtain valid TLS certs for any domain is to make a CA think you control the domain. So the CA’s trust in the DNS root is already functioning as the basis of X.509.


You manifestly can't trust them today, couldn't yesterday, or for the last 30 years, despite the rise of e-commerce and the gradual shift of all applications to the web with its domain-validated WebPKI. Google doesn't DNSSEC sign. Facebook doesn't DNSSEC sign. No major bank I've found DNSSEC signs. AT&T doesn't DNSSEC sign, nor does Verizon. Some part of Comcast does, or did, and the net effect was that DNSSEC errors broke HBO NOW on launch day for Comcast users (and only Comcast users).

Tell me more about how the whole thing crumbles away? Because I'm pretty sure I'm typing into a TEXTAREA on the real HN, and not some facsimile a DNS hacker created to fool me. The Internet seems to be working fine without the government-run PKI you're saying we have to have.


That’s not pure DANE being discussed but a hybrid in which CAs are still playing a role.

In pure DANE you need only trust the DNS root.


The whole premise of AGL's article is the fact that you can't have pure DANE. Literally, "a hybrid of DANE and CAs" is just a restatement of the sentence "you have to trust all the CAs and the DNS". You haven't said anything in this comment.
