
I used to be a DNSSEC fan. Moxie changed my mind with one phrase:

"I don't trust the players." He turned out to be justified in that assessment. The players you have to trust are not only the government that runs your TLD, but the registrars who are now your security lynchpins.

The main upside of DNSSEC is you only have to trust your parents, while in something like the CA system today you basically have to trust every CA in the system. (As well as your registrar and email provider as long as domain validated certs are just as trusted as every other cert.)

The other upside is that the system is designed for caching. NSEC exists so you can safely cache NX records. This leads to a lot of crappy design choices, but also the world's most scalable, distributed key value store that would become much more trustworthy with DNSSEC. This is great in theory, but doesn't solve any practical problems we have in the real world right now.

Public key pinning is a much better next step than DNSSEC is. It gives us the ability to only trust one registrar who we hopefully choose with security in mind.

I will quibble with a few of your points. NSEC3 is not your only option, you can use RFC 4470 minimal NSEC records with your key online if you wish. DNSSEC provides options out the wazoo, a function of design by committee over many years. This is also true of signature and cipher algorithms, where the situation is improving over time as agility is built into the system. They may provide some reasons to hate the situation right now, but eminently fixable.

Also, people might not understand that root key signing keys (long lived keys like we're used to in TLS) are currently 2048 bit RSA, and zone signing keys that are rapidly rolled over (~90 days) are 1024 bit RSA. This means the strength needed to resist attack is much reduced from the key lengths/validity periods people are used to thinking about.
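Since the thread refers to NSEC for cacheable negative answers and to RFC 4470 minimal NSEC records, here is an added example (not code from any commenter) implementing the RFC 4470 section 3.1 construction: an online signer answers an NXDOMAIN for a name N with an NSEC whose owner is N's immediate predecessor and whose next-name is N's immediate successor in canonical order (RFC 4034 section 6.1), so the record covers N and nothing else. It assumes Python 3.9+ and, as a simplification, refuses names already at the 255-octet limit instead of applying the RFC's increment rule.

```python
MAX_LABEL, MAX_NAME = 63, 255   # limits from RFC 1035

def to_labels(name: str) -> list[bytes]:
    """Split a presentation name into lowercase wire labels (canonical form)."""
    return [l.encode("latin-1").lower() for l in name.rstrip(".").split(".") if l]

def canonical_key(labels: list[bytes]) -> list[bytes]:
    """RFC 4034 s6.1 sort key: compare labels from the root leftwards; a shorter
    label (prefix) and a name with fewer labels both sort first, as Python lists do."""
    return list(reversed(labels))

def wire_len(labels: list[bytes]) -> int:
    return sum(len(l) + 1 for l in labels) + 1           # length octets + root

def predecessor(name: str) -> list[bytes]:
    """RFC 4470 s3.1.1: the name sorting immediately before `name`."""
    labels = to_labels(name)
    first = bytearray(labels[0])
    if first[-1] == 0:
        del first[-1]                                     # "x\000" -> "x"
    else:
        first[-1] -= 1                                    # "foo" -> "fon\255...\255"
        first.extend(b"\xff" * (MAX_LABEL - len(first)))
    if not first:
        return labels[1:]                                 # "\000.x" -> x itself
    labels = [bytes(first)] + labels[1:]
    while wire_len(labels) + MAX_LABEL + 1 <= MAX_NAME:   # pad with \255 labels
        labels.insert(0, b"\xff" * MAX_LABEL)
    return labels

def successor(name: str) -> list[bytes]:
    """RFC 4470 s3.1.2: the name sorting immediately after `name`."""
    labels = to_labels(name)
    if wire_len(labels) + 2 > MAX_NAME:                  # simplification (assumption)
        raise ValueError("name at 255-octet limit; increment rule not implemented")
    return [b"\x00"] + labels

def to_text(labels: list[bytes]) -> str:
    """Presentation form with RFC 1035 \\DDD escapes for non-printable octets."""
    esc = lambda b: chr(b) if 0x21 <= b <= 0x7E and chr(b) not in ".\\" else f"\\{b:03d}"
    return ".".join("".join(esc(b) for b in l) for l in labels) + "."

def covering_nsec(qname: str) -> tuple[list[bytes], list[bytes]]:
    """Owner and next-name (as labels) of the minimal NSEC covering nonexistent qname."""
    return predecessor(qname), successor(qname)

def covers(owner: list[bytes], nxt: list[bytes], qname: str) -> bool:
    """Validator-side check: does the NSEC span (owner, next) contain qname?"""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(to_labels(qname))
    return o < q < n
```

Running `covering_nsec("nonexistent.example.com")` yields the next-name `\000.nonexistent.example.com.` and an owner beginning with two labels of 63 `\255` octets, and `covers` confirms that the immediate neighbours `nonexistens` and `nonexistenu` are not inside the span.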




We're in the middle of a 4 year streak of findings stemming from archaic 1990s constructions embedded in TLS, from BEAST to CRIME to Lucky 13 to RC4 to POODLE.

It is unconscionable that the IETF would consider deploying a protocol whose modal deployment configuration will be PKCS1v15 RSA.

The I-Ds with ECC options don't matter, any more than they mattered for the last 5 years with TLS 1.2. The protocol isn't even fucking deployed yet --- what we have today are pilot deployments. How could they possibly be fielding PKCS1v15 RSA in 2014?



