[dns-operations] DNSSEC deployment incentives

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 18 21:07:12 UTC 2019

On Tue, Jun 18, 2019 at 04:48:16PM -0400, John Levine wrote:

> In article <mailman.150.1560889668.1398.dns-operations at lists.dns-oarc.net> you write:
> >
> >On 18 Jun 2019, at 21:21, Bill Woodcock wrote:
> >
> >>> Why not get some TLSA records going for that server too Bill, if you're
> >>> using TLS?
> Now we get to ponder which is more broken, DNSSEC (and registrar
> account compromises), or the world of CAs.

Both are of course "imperfect", but in a world where the vast majority
of CA certificates are of the "DV" variety, your certificate is
never more secure than your control of your domain registration.

As attacks get increasingly sophisticated, the security of
domain registries will have to improve to meet requirements from
security-conscious customers.  The best practices will continue to

As much as one might not like the DNS single root of trust, the CAs
are ultimately trusting the same root when they issue domain-verified
certificates.  This remains true so long as there's only one DNS
(one Internet) that the DNS subject names in those certificates are

Adding CAs is then largely about outsourcing some elements of key
management, providing helpdesk support for unskilled users, ...,
but does not fundamentally change the fact that we have a single
DNS namespace with authority delegated down from the root zone, and
registrars playing a core security role between the domain owner
and the parent zone registry.

The 2048-bit keys in your SSL cert are at best protected by the
DNSSEC keys from the root down to your domain, or unauthenticated,
vulnerable to MiTM, TOFU when DV certificates are issued for domains
with no DNSSEC.
