[tptacek]

I think it's important that those of you who haven't read up on DNSSEC understand how bad an idea it is:

https://news.ycombinator.com/item?id=10539418

If DNSSEC had been deployed a few years back, Muammar Gadaffi could conceivably controlled BIT.LY's TLS keys. Yesterday, today, and tomorrow, DNSSEC gives the NSA immense control over the TLS keys of sites in .COM, .ORG, .NET, .CO.UK, .IO, .COM.AU, and many more.

[caskance]

That's what it means to have a domain in Libya - you're subject to the jurisdiction of the officially recognized Libyan government. If you don't want to have to deal with the whims of a crazy dictator, don't register your business in his country.

[tptacek]

"DNSSEC: everything will be fine as long as everyone moves to domains in Bouvet Island's .BV. Brought to you by Cloudflare."

[rch]

> The centre of the island is an ice-filled crater of an inactive volcano.

Sounds like a combination of the Fortress of Solitude and SPECTRE's volcano base.

[djcapelis]

.bv is a great TLD choice if you want to give many women visiting your website a subtle negative connotation.

[drzaiusapelord]

and exactly what country is safe from the whims of politics? I was just reading about censorship in the Netherlands and other Euro states because of fear of offending religious people, especially muslims. If the far left Europeans can't protect speech, then who can? DNNSEC just enables centralized government control on a level that's not needed. DNS is fine as-is. Domain authentication should be done via the transport layer like SSL. That's the way things are going now anyway.

[stephenr]

Secure DNS allows a number of nice things that otherwise are a risk, such as trusting server SSH fingerprints without prompting on first use.

[tptacek]

And to get that feature all you have to do is trust that the government that controls your TLD isn't going to fuck you.

Because it's not like the USG would ever tamper with the DNS to further a policy goal, right?

http://gizmodo.com/5936870/doj-seizes-domains-over-app-pirac...

[throwaway2048]

even in the case of existing CA model+key pinning (at least before the key is pinned) you are still trusting the governments controlling the TLDs are not going to fuck you.

Id rather trust a handful of cctld nation states, than the nation states + everybody with access to a CA cert.

Also the idea that dnssec tld keys cannot be rotated is pure FUD, the root key signing keys themseves cannot, but they were extremely careful there.

If tampering is detected, do you really think TLD keys are going to be left alone, and not regenerated and the process extremely closely scrutinized?

[caskance]

That's the trust that government always requires. Being on the internet doesn't change the fact that the point of government is a monopoly on authorized use of force. They can always just send men with guns to your office, DNSSEC or no.

If you don't trust your government not to abuse their power, that's not a problem that Cloudflare can help you with.

[tptacek]

We're required to trust them for the DNS today. We aren't required to trust them for TLS keys. But DNSSEC/DANE formally and irrevocably gives them that authority.

[hueving]

So you're excuse is that it's insecure but only to the government and you should be okay with systems insecure to the government? That's a sad state affairs if that's where the security community is.

[stephenr]

So your entire argument against DNSSEC is that the US Government seized the domains of known "pirated" software distribution sites?

[phicoh]

The nice thing about DNSSEC and the ccTLDs is that you can pick what country you trust. So you can get a domain in a country that is compatible with what you are trying to do.

Of course, with domain validated SSL certificates, you also have to trust DNS completely, because anyone who controls your domain can get a cert for that domain.

[tptacek]

I hear this a lot too and it blows my mind. How is it a nice thing about DNSSEC that your choice of domain names will have a major impact on your security? That seems like a straightforwardly bad thing.

[aianus]

Still sounds like an improvement over the current PKI where any CA can sign any cert for any domain.

How many roots do you have in your browser's trust store? How many of them would roll over and mis-issue certs if presented with a secret warrant in their country of residence? (All of them.)

[tptacek]

No. See:

https://www.imperialviolet.org/2015/01/17/notdane.html

There are 3873497 CAs your browser has to trust today. DANE adds a 3873498th and a 3873499th, and the ones it adds are controlled by NSA.

The solution to the CA problem is to drastically reduce the power CAs have, which is what is happening with key pinning and certificate transparency and whatever follows that.

The solution to the CA problem can't possibly be "create a new super-CA controlled by governments".

[aianus]

How does having a new super-CA controlled by the NSA impede key pinning and certificate transparency?

I agree that CAs + DANE is just as shitty or shitter than CAs.

But:

a) In the event DANE replaced the CA system, one super-CA controlled by the NSA is better than 300 CAs essentially controlled by 50 different governments including the NSA.

b) Nobody's making you use DANE. Signed DNS records are an improvement over the status quo regardless of what you think of tying TLS to it.

[tptacek]

No. (a) is wrong.

The difference between DNSSEC's government-controlled super CA and a normal TLS CA is that when Google spots a normal TLS CA misbehaving because of an alert from a broken pin or CT log, it can shitcan the CA, either evicting it from the trust store or placing onerous restrictions on it. Both of these things have happened and will keep happening.

Google cannot do that to .COM or .IO. If the government-controlled super-CA that runs .COM misbehaves, we have no recourse.

DNSSEC essentially takes the worst feature of the HTTPS trust model and bakes it permanently into the core fabric of the Internet.

[throwaway2048]

reposting a comment:

What do you think would happen under a DNSSEC-DANE TLS world if that started being detected via key pinning/CT ?

There is just no way the NSA is going to risk it except in very very specific circumstances they can easily control, (exactly the same situation as HPKP) because, they too will be forever burned just like an ssl CA would, except now they cant just switch to one of hundreds of other CAs, they have burned the root keys to a tld. This will be obvious, this will be screamed about from the rooftops, the key will be rotated + a ton greater scrutiny applied to the process.

Its not like browsers and other people pinning certs are just going to shrug their shoulders and say "aw shucks, i guess we wont worry about it"

[hueving]

And how exactly do you think rotating a TLD key will help if it's obvious that TLD will just give the new key to the NSA anyway?

[aianus]

> it can shitcan the CA, either evicting it from the trust store or placing onerous restrictions on it

None of which prevents it from happening again with another one of the 300 CAs whenever another government gets antsy.

> If the government-controlled super-CA that runs .COM misbehaves, we have no recourse.

As a westerner I trust the super-CA that runs .COM 1000x more than some random CA in China or Iran or whatever. But even that's beside the point. If they abused their trust (which would be caught by CT) the whole system would collapse because, like you said, you can't shitcan .COM. Everyone would move to keypinning and/or a decentralized blockchain-based DNS solution and we would gain real security.

[tptacek]

One thing I love about DNSSEC threads is that I get to join the anti-NSA faction on HN. Unlike you, I do not trust the giant corporation that controls .COM under charter from the US Government.

The USG has repeatedly abused its trust, often directly with respect to .COM. The Internet has not fled .COM.

The idea that we would deploy a forklift upgrade of a core protocol, at immense expense (look at Cloudflare's own marketing material!), ostensibly to improve security but in reality to put ourselves in the position of "fleeing .COM IF the US Government abuses it trust", boggles my mind.

The problem DNSSEC purports to solve is not cryptographically hard. DNSSEC made it hard because it was designed in 1995, at a time when designers felt it would be implausible for DNS servers to sign records.

We are talking about deploying this fiasco of a protocol with all its compromises purely because of the momentum of a 21+ year long standardization effort. Once we deploy it, any notion of solving the problem correctly dies. That's a terrible, terrible mistake.

[NDizzle]

It reminds me of when I registered r33t.org in the 90s. We couldn't register .com at first because we weren't incorporated.

[sarciszewski]

How does DNSSEC give immense control over TLS keys to sites in those TLDs exactly? I think I'm missing something.

[tptacek]

The motivating use case for DNSSEC is DANE. DANE stores TLS certificates in DNSSEC-signed DNS records. But the top of the DNSSEC tree is --- de jure! --- controlled by governments.

[sarciszewski]

Wouldn't that require a nation state to:

1. Get a signed CA certificate for your domain at gun-point.

2. Send a forged DNSSEC record?

In which case, it's not significantly worse than the current state? And even though we can't burn a TLD, we can burn the CA that signed the certificate in the first place?

Or is there some magic in DANE that subverts CA verification?

[tptacek]

I don't understand your question. If the government can't subvert CAs, DNSSEC is pointless; let's all just rely on the CAs. It can subvert them. Now, what problem is DNSSEC solving?

[sarciszewski]

I'm just trying to understand this attack that you implied.

[tptacek]

Yes: assume one of the thousands of CAs you trust has been compromised by NSA.

[nsgi]

With the current system, they can just seize the domain and get a certificate for it.

[tptacek]

No. Seizing the domain does not help them if millions of browsers have the correct certificate pinned.

Meanwhile: we're all pretty unhappy that the USG does just seize domains. How can it possibly be reasonable for us to support a forklift upgrade of a core protocol that burns that capability permanently and cryptographically into the core of the Internet?

[micro-ram]

Unless you have a short life 90 day cert from LetsEncrypt.org then your pinning doesn't last very long.

[tptacek]

I'm not sure what your argument is. Can you restate it?

[takeda]

How is that worse? You already have US government in your CAs, for example Federal Common Policy CA. At least with DNSSEC only the organization that owns the TLD can issue certificates. With CA system in the browsers a country you might never heard of can issue certificate for google.com (which already happened).

Yes, the danger could be root certificate is managed by a single organization, but this can be easily solved in software of DNS server (for example ignore root and store certificate for every TLD, or implement policy to trust it only for certain TLDs). I would not be surprised if that's already implemented.

Now with ICAAN move (which I personally am not a big fan of) there are TLDs that are owned by private organizations, so it is possible to have entire chain without any government being involved in it.

[hueving]

You don't have to trust the government CAs. A specific CA isn't part of SSL protocol.

[takeda]

But it is an essential part of it and those certificates are provided to you upstream.

Disabling them is discouraged, if you disable them you might start having issues (for example I disabled CA's on my Android phone) then noticed that many of my apps started crashing or had weird issues without providing meaningless messages.

If you disable them chances are that new version of the software will enable them back. You're essentially forced to live with them.