[dns-operations] DNSSEC deployment incentives

Shumon Huque shuque at gmail.com
Wed Jun 19 14:33:35 UTC 2019

On Wed, Jun 19, 2019 at 9:01 AM Phillip Hallam-Baker <phill at hallambaker.com> wrote:

>> > And BTW: If we count trust roots the way that the EFF did, DNSSEC has a
>> > million trust roots (or however many zones are signed) not one. It was an
>> > utterly bogus comparison.
>> This is in turn a false analogy.
> No, the analogy is exact. The DFN root also constrained the sub-CAs so
> that they could not issue an arbitrary certificate. This was pointed out to
> the EFF; they chose not to correct.

Hi Phil,

Can you provide a pointer to this EFF study?

The study that most people cite is this one by the University of Michigan
from IMC, 2013:


Admittedly, it's a bit dated, and I'm sure CT etc. have improved things
some, but this paper does not paint a pretty picture.

They find ~ 1800 distinct CAs including root CAs and sub-CAs issued to
organizations, controlled by 683 distinct organizations. Only a tiny
minority of the sub-CAs actually had a Name Constraints extension, so most
of them were in effect unconstrained in their ability to issue. (Let's
disregard for the time being that the observed Name Constraints were not
marked 'Critical', so were in effect optional for relying party software).

Have the findings in that paper been challenged or debunked? If so, I
haven't seen it. It would be good to re-run this study for 2019.
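The classification described in the post (does a sub-CA carry a Name Constraints extension at all, and if so, is it marked critical) is easy to check programmatically. The following is an added example, not code from the thread, from the EFF, or from the IMC 2013 paper; it assumes the Python `cryptography` package and builds three constructed sub-CA certificates in memory (unconstrained, constrained and critical, constrained but non-critical) so it runs offline. The same `audit_sub_ca` function can be pointed at real intermediate certificates loaded with `x509.load_pem_x509_certificate`.

```python
"""Audit intermediate (sub-)CA certificates for a Name Constraints extension
and its Critical flag.

Added example, not from the mailing-list thread or the cited paper.
Assumes the `cryptography` package. All certificates below are constructed
in memory for illustration; no real CA material is involved."""
from __future__ import annotations

import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_sub_ca(issuer_key, issuer_name: x509.Name, cn: str,
                 permitted: Optional[list[str]], critical: bool) -> x509.Certificate:
    """Issue a CA:TRUE certificate; optionally add Name Constraints limiting
    it to the given DNS subtrees, marked critical or not as requested."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    if permitted is not None:
        nc = x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(d) for d in permitted],
            excluded_subtrees=None,
        )
        builder = builder.add_extension(nc, critical=critical)
    return builder.sign(issuer_key, hashes.SHA256())


def audit_sub_ca(cert: x509.Certificate) -> dict:
    """Report whether the CA cert is name-constrained and whether the
    constraint is critical. A non-critical Name Constraints extension can
    be ignored by relying-party software that does not implement it, which
    is the point the post makes about the paper's findings."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.NameConstraints)
    except x509.ExtensionNotFound:
        return {"constrained": False, "critical": False, "permitted": []}
    permitted = [n.value for n in (ext.value.permitted_subtrees or [])]
    return {"constrained": True, "critical": ext.critical, "permitted": permitted}


def summarize(certs: list[x509.Certificate]) -> dict:
    """Tally sub-CAs into the three buckets the post distinguishes."""
    counts = {"total": 0, "unconstrained": 0,
              "constrained_critical": 0, "constrained_non_critical": 0}
    for cert in certs:
        counts["total"] += 1
        r = audit_sub_ca(cert)
        if not r["constrained"]:
            counts["unconstrained"] += 1
        elif r["critical"]:
            counts["constrained_critical"] += 1
        else:
            counts["constrained_non_critical"] += 1
    return counts


def build_sample_set() -> list[x509.Certificate]:
    """Constructed sample: one root issuing three sub-CAs of each kind."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root_name = _name("Example Constructed Root")  # constructed, not a real CA
    return [
        build_sub_ca(root_key, root_name, "Unconstrained Sub-CA", None, False),
        build_sub_ca(root_key, root_name, "Constrained Sub-CA (critical)",
                     ["example.org"], True),
        build_sub_ca(root_key, root_name, "Constrained Sub-CA (non-critical)",
                     ["example.net"], False),
    ]


if __name__ == "__main__":
    for c in build_sample_set():
        print(c.subject.rfc4514_string(), audit_sub_ca(c))
    print(summarize(build_sample_set()))
```

To re-run the survey against a real corpus, replace `build_sample_set()` with a loop over intermediate certificates loaded from disk and keep `summarize()` as the tally; only the `constrained_critical` bucket reflects a constraint that every conforming relying party is obliged to enforce.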
