[sarciszewski]

I'm just trying to understand this attack that you implied.

[tptacek]

Yes: assume one of the thousands of CAs you trust has been compromised by NSA.

[sarciszewski]

Okay, so this is what happens:

1. Evil NSA compromises CA in BFE

2. Evil NSA subverts DNSSEC for COM to publish a bad CA certificate

3. Some combination of Google Certificate Transparency + HPKP discovers this, the CA in BFE gets removed from browsers

If your point is "DNSSEC is pointless", OK. But it sounds like you're saying it makes us less secure. I'm just trying to figure out how that could even be.

[rajivm]

I'm not sure why your question is being side-stepped, I also had the same wonder. It seems from reading though that the reason this is a problem is CAs are not involved at all in the DANE/TLS scenario. Instead, the X.509 cert. stored in DNS is trusted for TLS purposes simply because it is DNSSEC signed rather than CA issued. However, it seems at this time, no mainstream browser actually supports this natively (some have released plugins).

What I (and you) seem to have assumed was that this was DNS based certificate pinning, which to me would have made a lot of sense.

[sarciszewski]

> Instead, the X.509 cert. stored in DNS is trusted for TLS purposes simply because it is DNSSEC signed rather than CA issued.

And I would see that as a huge mistake. Requiring two layers of verification (DNSSEC + separate CA) is what had I assumed DNSSEC would do.

Would that stop the NSA? Probably not, but the person who broke DigiNotar wasn't exactly NSA.

[tptacek]

I feel like I can't answer this without repeating this post:

http://sockpuppet.org/blog/2015/01/15/against-dnssec/

... or its FAQ.