| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by toast0 3877 days ago

DNS is already a a distributed chain of trust. I trust that the well know ftp site will give me a good hints file to get to the root servers. I trust that the root servers will provide me with the proper ns and glue records for the tld servers. I trust that the tld servers will provide the correct ns and glue records for the domain I want to resolve. DNSSEC just formalizes the trust with digital signatures.

A traditional CA validates empirically that a customer controls a domain at some point in time. DNSSEC is a stronger validation of control of the domain, because it's a property of the domain itself.

Trusting the domain registry to indicate who controls a domain makes a lot more sense to me than trusting a third party. If I can't trust the DS records, I can't trust the NS records either.

A DS record doesn't indicate a connection between an organization and a domain though, which a traditional CA supposedly might.

1 comments

deathanatos 3877 days ago

> A DS record doesn't indicate a connection between an organization and a domain though, which a traditional CA supposedly might.

Only if you get an EV certificate, no? My understanding is that the only checks required for getting a normal certificate issued is to verify that the person holding the key that you're signing is in control of the domain. (Verified through methods such as setting particular DNS records, proving control of the email on the WHOIS data, or setting up an HTTP server at a particular DNS address.)

Then again, most sites just use a basic cert, so perhaps DNSSEC provides most of what is needed.

toast0 3877 days ago

Some of the certificates I've purchased have involved verifying some details of the organization, even though they weren't EV. I believe we needed a Dun and Bradstreet number when I got a certificate from Thawte in the late 90s (although I might be misremembering, something at that company needed that number...). And a more recent issuance wanted some other proof of existence / location, they had asked for a lease/utility bill, but issued with our location found in a state corporation database, before I could get a copy of something they would accept. I won't disclose the issuer of the recent cert, but I would put them in the top tier of reputation (and prices).

I would hope an EV process would do a better verification, but I've never needed an EV cert, so I don't know.

DNSSEC is sort of like verifying to everyone that you control the DNS, near the time of use, as opposed to just verifying to a CA at time of issuance. Or in other words, if it's OK for a CA to trust DNS, letting everyone else trust it would be good too.

At least the concept is right, 1024-bit rsa keys are kind of scary. And DNSSEC doesn't address confidentiality, but TLS with SNI also leaks hostnames.