Hacker News new | ask | show | jobs
by indolering 90 days ago
> DNSSEC only protects the name lookup for a host, and TLS/HTTPS protects the entire session.

It only provides privacy, it doesn't verify that the resolver didn't tamper with the record.

>to the point where the root keys for DNSSEC could be posted on Pastebin tonight and almost nobody would have to be paged.

This would very much be a major issue and lots of people would immediately scramble to address it. The root servers are very highly audited and there is an absurd amount of protocol and oversight of the process.
1 comments
tptacek 90 days ago
Who? Outside of DNS providers, which organizations would need an emergency response to the collapse of DNSSEC security? Be specific; name one. If TLS security collapsed, I could pick a company from the Fortune 1000 at random, and they'd have an emergency response going.
link
indolering 90 days ago
If DNS PKI is compromised, so is HTTPS. So yes, they would be scrambling too.
link
tptacek 90 days ago
This is obviously not true.
link
indolering 90 days ago
DNS is where domain name authority is delegated. Anything you build on top of that is also going to be a world of hurt if it gets compromised.
link
akerl_ 90 days ago
So why are we not constantly seeing real world compromises of major sites that don't use DNSSEC?
link
gzread 90 days ago
Here's one: https://notes.valdikss.org.ru/jabber.ru-mitm/
link
tptacek 90 days ago
You're doing a jazz-hands thing here where you equate a breach in DNSSEC (which virtually nobody uses), to a new susceptibility in the ordinary DNS (which everybody uses), such that an attacker could spoof arbitrary DNS lookups to arbitrary CAs. Obviously the two things aren't comparable.

When you make arguments like this, or the weird SSH argument you're making across the thread, or the weird "this would be good for Wikileaks" thing you did elsewhere, you clarify how tenuous your argument is. Remember, you're in the position of arguing that 95%+ of large site operators are wrong about this, and have been for decades, and you're the one who's right. That can definitely happen! But it's an extraordinary claim and your evidence thus far is pretty terrible.

link