[dns-operations] FYI: SAC057 - SSAC Advisory on Internal Name Certificates

Phil Regnauld regnauld at nsrc.org
Sat Mar 16 11:00:40 UTC 2013

Vernon Schryver (vjs) writes:
> spend it on things with at least a little real world security
> implications such as DNSSEC and eventually DANE.  


	Or, even more to the point for this list: on securing DNS operations in

	DNSSEC isn't much help if your registr[ar|y] is a straw hut. I don't
	like the false sense of security given by "deploy DNSSEC at any cost".
	I subtext that "How to turn your reliable DNS into a ticking timebomb".

> Don't waste time lobbying ICANN, but do urge browser vendors to
> start using TLSA records.

	Browser vendors are doing their thing, slowly.

> It might be extreme and it's certainly unintentionally offensive, but
> a case can be made that no one writing from a domain without RRSIGs
> on its MX and A RRs should say anything in public about network
> security other than to ask about DNSSEC.

	Again, it's a big picture thing. Defense in layers, etc. Just signing
	ain't enough.

	Phil, off to teach DNS operations :)

