[fanf2]

CAA is about preventing certificate mis-issuance, which is what happened in this attack. DNSSEC and CAA could have prevented this attack from being performed the way it was, by thwarting the MITM on ACME.

DANE is about changing the way certificates are authenticated. DANE makes it possible to authenticate certificates without getting them issued by a well-known CA. So CAA records are not particularly relevant to DANE. You can use DANE with certificates issued by a CA, which gives you two ways to authenticate the certificate; in this situation CAA secures one path and DANE the other.

I am one of the co-authors of the DANE SRV RFC https://www.rfc-editor.org/rfc/rfc7673 which is what XMPP would use. I don’t follow XMPP development so I don’t know if it has been deployed. I would like it if DANE were more widely used, but it’s not pertinent to this attack.

[hlandau]

Yeah. I used to be 100% in on DANE and against CAs. I'm still 100% for DANE but I now think DANE using existing CAs is the better option in many cases because it means things get CT logged. We don't have a DNSSEC transparency situation right now. OTOH there is one undersung issue with CAs, which is that Let's Encrypt isn't as universally available as people think (see the US embargo list) and that does potentially make access to the internet harder for some.

There are some use cases where DANE is actually winning real victories and is actually more viable than the existing CA infrastructure - site-to-site SMTP, for example.

[fanf2]

Yeah, Viktor Dukhovni has been impressively energetic and persistent at improving the security of email.

[KirillPanov]

I feel like packet size was and continues to be a major obstacle for DNSSEC. Do you know why the DNSSEC/DANE world hasn't simply acknowledged this and switched to requiring ECC?

It is trivial to fit several compressed curve points (i.e. signatures) in a single packet, whereas you can't even fit two RSA signatures in a minimum-safe-to-assume DNS UDP reply packet after accounting for padding and ASN.1 overhead.

I get the feeling that there is some faction that really hates UDP and they sort of hijacked the DNSSEC situation to use as a lever to force people to allow DNS-over-TCP.

That seems to be backfiring, however, and DNSSEC has wound up taking a bullet for the UDP-haters.

Many very-large networks simply can't afford for their DNS traffic to be exposed to TCP's intrusion-detection malleability and slowloris (resource exhaustion) attacks. These networks appear to be simply ignoring the "thou must TCP thine DNS" edict. DNSSEC is not a good enough carrot for them. I think ditching RSA would have been a more pragmatic choice than ditching UDP or skipping DNSSEC.

[fanf2]

Dunno why there are so many foot-draggers failing to deploy better DNSSEC algorithms. I’m grumpy about SHA-1 in particular https://datatracker.ietf.org/doc/html/draft-fanf-dnsop-sha-l...

When I query vjhv.verisign.com I get a response containing four 2048 bit RSA-SHA-2 signatures in 1049 bytes which is well within the EDNS MTU for unfragmented UDP, so I’m not convinced the problem is as bad as you paint it. There have been problems with EDNS trying to use fragmented UDP, but that has been reduced a lot by newer software being more cautious about message size limits for DNS over UDP.

DNS needs TCP even in the absence of DNSSEC, because there are queries you cannot resolve without it. Some operators might convince themselves they can get away without it, but they will probably suffer subtle breakage.

[KirillPanov]

> four 2048 bit RSA-SHA-2 signatures in 1049 bytes which is well within the EDNS MTU for unfragmented UDP

I was referring to the non-EDNS 512-byte limit.

Yes, you get ~2.5 times more with EDNS. Still, four records is not a lot.

> DNS needs TCP even in the absence of DNSSEC, because there are queries you cannot resolve without it.

Theoretically? Perhaps. Some would argue that connectionless DNS is valuable enough that people should not create those resource records. Before DNSSEC that was a working consensus. And with ECC it could be once again.

[tptacek]

That's the opposite of the direction Internet cryptography is going, given hybrid PQC and classical systems.

[KirillPanov]

The bloaty key/signature size is only a problem with the PQ encryption systems.

For signing only there are much more efficient PQ cryptosystems, with signatures around the same size as ECC. If DNSSEC ever adopts PQC it will be one of those systems.

Here are two of the earliest, and easiest to understand. There are much better ones now.

https://en.wikipedia.org/wiki/Lamport_signature#Short_keys_a...

https://en.wikipedia.org/wiki/Merkle_signature_scheme

[tptacek]

Mostly, it's because very few serious engineering organizations deploy DNSSEC at all, so the best practices and tooling support aren't there.

[singpolyma3]

Unfortunately the DANE SRV RFC is kind-of mismatched with how SRV and TLS work in practise. It requires the server to serve a certificate matching its own hostname (the hostname of the SRV target) rather than a certificate matching the expected host (the hostname that the SRV record was on). This is fine and secure if you use only DANE but if you want to use DANE with CA-issued certs it makes it somewhere between hard and impossible.

[fanf2]

Note the owner of a SRV record is a service name not a host name.

There are a few reasons for this oddity: partly so it matches with DANE for MX records, partly to support large scale virtual hosting without reissuing certificates.

You should be able get a cert with subject names covering the server host name(s) and the service name(s).

[crosser]

Why not? You could use "certificate usage" value 1 and (if the implementation does not neglect it) immediately notice that validation by CA disagrees with validation by DNS. That should be good enough, no?