[kilburn]

> DNSSEC still relays on CAs.

No, DNSSEC has nothing to do with CAs. Each DNS authority defines its own keys used to sign its records.

> They were just renamed to "Trust Anchors".

You are thinking about DANE [1], which is what the a protocol on top of DNSSEC. Using DANE you authorize X.509 certificates and/or CAs for certain domains. This allows you to restrict your domain to a specific well-known CA (such as Verisign), but it also allows you to authorize your own CA or even a specific certificate directly. It even works per-service, so you do not need to use the same CA/certificates for all your services.

If you were suggesting that DANE does not solve the traditional CA issue you are wrong.

[1] http://tools.ietf.org/html/rfc6698

> The trust anchor for .com is Verisign.

Err.. no? I don't even understand what are you trying to say here. The "com" domain does not seem to have any TLSA records...

[agwa]

> No, DNSSEC has nothing to do with CAs

You're interpreting "CA" too literally. DNSSEC doesn't rely on X509 certificate authorities but in effect it relies on an equivalent, in that Verisign is a central authority certifying ownership of all .com domains.

[ynik]

A single trusted root is better than the hundreds of roots in the CA system. I don't trust Verisign very far, but I certainly trust them more than Verisign AND Diginotar AND honest achmed's used cars and certificates AND ...

And shouldn't it be possible to implement certificate pinning for whole tlds? Then we'd only have to trust root for unknown tlds.

[tptacek]

First, you don't get "a single trusted root". If DNSSEC/DANE had been deployed 3 years ago, Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.

Second, and more importantly: the smaller number of trust anchors you end up with in DNSSEC are controlled by world governments.

It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.

[dlitz]

> ...Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.

They already are, in practice. Many reputable CAs will issue certificates to anyone who can forge an MX record for a domain. With or without DNSSEC, TLD operators are capable of forging those records.

>It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.

No, DNSSEC builds authentication into a system that is and has always been centrally controlled. And just like with the X.509 CA system, you can use pinning or Convergence or anything else you want to supplement that.

[tptacek]

You shouldn't start a sentence with "no" when it confirms the sentence it's responding to.

[y0ghur7_xxx]

> No, DNSSEC has nothing to do with CAs. Each DNS authority defines its own keys used to sign its records.

which in turn must be signed by the zone operator (e.g.: Verisign for .com) who publishes them in DNS. So we still have Central Authorities - in the sense that there is still some overlord controlling everything.

[0x0]

>> The trust anchor for .com is Verisign.

>Err.. no? I don't even understand what are you trying to say here. The "com" domain does not seem to have any TLSA records...

Verisign runs the "com." zone, so I guess they would have to admin any DNSSEC/DANE/TLSA stuff.

[kilburn]

They only have to admin the DNSSEC stuff (publish your domain name keys along with your nameservers, as you set them up through your regular domain provider).

The DANE part needs no further support than you being able to use DNSSEC for your domain's DNS. Obviously there is always some entity controling each TLD, and that entity can screw up your domain if it acts improperly.

[tptacek]

You're not following. DNSSEC is secured by a chain of keys leading to a root; the entity that controls the root controls the chain. If you use DNSSEC to authenticate your certificate, you're giving control over your certificate to whoever runs the roots.

[schoen]

That last property is what makes that entity a "trust anchor", and what DANE critics specifically don't like or want to get rid of.

[0x0]

So you will have to trust Verisign not publish a different, compromised, set of domain name keys along with your nameservers.

[vertex-four]

You have to trust them not to do that anyway right now, as they're a CA. You also have to trust any of the >100 other CAs that your system trusts.

[tptacek]

Nobody is suggesting that the naive X.509 scenario we had a year ago is secure. They are, however, skeptical of the idea that we should invest millions of dollars into an architectural change to the core of the Internet to land... right back where we are now.