by caskance 3878 days ago
That's the trust that government always requires. Being on the internet doesn't change the fact that the point of government is a monopoly on authorized use of force. They can always just send men with guns to your office, DNSSEC or no.

If you don't trust your government not to abuse their power, that's not a problem that Cloudflare can help you with.

We're required to trust them for the DNS today. We aren't required to trust them for TLS keys. But DNSSEC/DANE formally and irrevocably gives them that authority.
They already have the ability. Since that can't be revoked, might as well make it transparent and grant them the authority to match it.

It's certainly better than the current CA system.

I know a lot of people seem to think that, but that's just not right.

You can pin a certificate with X.509 CA TLS, and you can theoretically pin a certificate against DNSSEC/DANE (no browser does and it's unlikely they ever will; browsers flirted with DNSSEC a few years ago and that code has been withdrawn).

But when you pin an X.509 CA cert, you can also punish CAs that issue fraudulent CAs that break pins. This has already happened several times.

When you break a DNSSEC/DANE pin, you have no recourse. Everyone relies on the same .COM keys.
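As an added illustration, not written by any commenter in this thread, of what a DANE "pin" actually compares: a small Python check of an RFC 6698 TLSA record against a certificate. The certificate and SPKI bytes are constructed placeholders, and the record only carries a hash, so whichever DNSSEC chain serves that record (root, TLD, zone) decides whether it is believed.

```python
import hashlib

# Constructed stand-ins for DER bytes; not a real certificate or key.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-body"
SPKI_DER = b"\x30\x5a" + b"constructed-subject-public-key-info"


def tlsa_association_data(cert_der, spki_der, selector, matching_type):
    """Return the 'certificate association data' a TLSA record carries
    for this certificate (RFC 6698 section 2.1)."""
    data = {0: cert_der, 1: spki_der}[selector]   # 0 = full cert, 1 = SPKI only
    if matching_type == 0:
        return data                               # exact content match
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %r" % matching_type)


def parse_tlsa(presentation):
    """Parse the presentation form 'usage selector mtype hexdata';
    the hex field may contain whitespace, as in zone files."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    assoc = bytes.fromhex("".join(hexdata.split()))
    return int(usage), int(selector), int(mtype), assoc


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build the TLSA record a zone owner would publish for this cert."""
    assoc = tlsa_association_data(cert_der, spki_der, selector, mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc.hex())


def tlsa_matches(presentation, cert_der, spki_der):
    """True if the presented certificate matches the TLSA record.
    Only end-entity usages are handled here: 1 = PKIX-EE, 3 = DANE-EE.
    Usages 0 and 2 (CA constraints) would additionally need chain checks."""
    usage, selector, mtype, assoc = parse_tlsa(presentation)
    if usage not in (1, 3):
        raise ValueError("usage %d needs chain validation; not handled" % usage)
    expected = tlsa_association_data(cert_der, spki_der, selector, mtype)
    return assoc == expected
```

Note that `make_tlsa` produces a valid-looking record for any certificate; nothing in the record binds it to a particular operator, only the DNSSEC signatures over the zone do.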

The whole concept of certificates in the first place relies on your ability to keep the private key secret. You know what you really have no recourse to? The police coming when you are asleep and "interrogating" you until you give them access to the key.
I feel like I'm trying to give you detailed technical answers, and that your responses are mostly about abstractions. I'm not thinking about DNSSEC abstractly. I am concerned with its specifics, which I have studied for a long time and am convinced will harm the Internet.

That's the nicest way I can say that your response to what I just said seems like a non sequitur. I just explained what I meant by recourse. I'm sorry, but I think you're wrong.

You can make your DNS server ignore the root certificate and use anchors stored locally for a specific TLD.

If you then contact a TLD that's owned by a third party, you're essentially trusting whoever owns that TLD. For example, .google is owned by Google, so whatever is under it is under their full control.

One of the flaws about talking with an overloaded term like "security". If even abstractly, something does not work, what's the point of arguing about its technical details?

As you said before, DNSSEC is fine if you concede .com to the US government. This has already happened, we're just putting it in writing.

So your excuse is that it's insecure, but only to the government, and you should be okay with systems insecure to the government? That's a sad state of affairs if that's where the security community is.
It's not. The "security community" does not generally support DNSSEC. Most people in the security community don't think about DNSSEC, or DNS security, at all.

DNSSEC is being driven by three forces today:

1. The IETF, which has been working on it for 21+ years and has for the last 10 expressed continuing and increasing frustration that they can't just get the damn thing deployed.

2. The US Government, which is mandating its deployment in some circumstances.

3. CDN services like Cloudflare, who are interested in an Internet where standing up a server presence involves technology so complicated that almost nobody will DIY it. See: what happened with SMTP mail.

The security community is not in any one place.

The only thing even theoretically secure to a government is another government, and reality almost always falls short of that. That has nothing to do with technology, just politics.