[dns-operations] FYI: SAC057 - SSAC Advisory on Internal Name Certificates
Phil Regnauld
regnauld at nsrc.org
Sat Mar 16 11:00:40 UTC 2013
Vernon Schryver (vjs) writes:
>
> spend it on things with at least a little real world security
> implications such as DNSSEC and eventually DANE.
+1
Or, even more to the point for this list: on securing DNS operations in
general.
DNSSEC isn't much help if your registr[ar|y] is a straw hut. I don't
like the false sense of security given by "deploy DNSSEC at any cost".
I subtext that "How to turn your reliable DNS into a ticking timebomb".
> Don't waste time lobbying ICANN, but do urge browser vendors to
> start using TLSA records.
Browser vendors are doing their thing, slowly.
> It might be extreme and it's certainly unintentionally offensive, but
> a case can be made that no one writing from a domain without RRSIGs
> on its MX and A RRs should say anything in public about network
> security other than to ask about DNSSEC.
Again, it's a big picture thing. Defense in layers, etc. Just signing
ain't enough.
Cheers,
Phil, off to teach DNS operations :)