Recent searches
Search options
@pixelcode@social.tchncs.deI don't fully understand #DNSSEC criticism yet: A major argument against it is that it's a “government-controlled PKI” and that, for example, “Gaddafi would have controlled bit.ly’s TLS keys if it had been deployed earlier”.
But isn't that a strawman? If a bad actor controls DNSSEC, they control all the other #DNS records too, i.e. the government can always point domains wherever they like and obtain valid #TLS certificates. The Taliban closed down queer.af completely without DNSSEC.
#DNSSEC and #DANE should not replace the established #TLS certificate authority system, because it would undermine end-to-end encryption between client and server, but I do believe that DNSSEC/DANE serve a legitimate role: preventing #DNS spoofing by third parties, i.e. proving that a DNS record really comes from the correct name server.
And in order to keep DNS requests private, DoH/DoT/DoQ should be the default.
@pixelcode All that doesn't matter, because you have Chinese and American Root CAs on your device.
@pixelcode I don't get it. How can the government control anything of the root CA is not under that government?
@sr3 What I was trying to say is that, if a government controls a domain (because of its TLD, probably), they can create, modify and remove DNS records for that domain as they please (including, but not limited to, DNSSEC). That means they can point the domain to a gov't-controlled server which can then legitimately obtain a valid TLS certificate from any established CA.
Therefore, DNSSEC is not the root cause of the issue that is criticised, in my opinion. Correct me if I'm wrong, though.
@pixelcode ah, got it. Fully agree. Case and point .su (soviet union) shouldn't exist anymore but the Russia department responsible for that does not let it die.
Changing DNS technologies would not change any of that.
@pixelcode the only argument I've heard that I understand is the lack of visible for SOC, but that's only for organizations.
And even those could have a DNS server for requests from within the network and log these requests.
@pixelcode The "is a government-controlled" argument is often a turtles all the way down sort of argument. It may be a straw man. I think purest form of the argument is essentially advocating for less centralization, particularly when you don't like or trust a specific coordinating body.
This is a very popular argument in cryptocurrency community for example. However, this view tends towards anarchy over accountability, and this itself poses it's own set of problems.
There is a reasonable appeal when you call for less government interference. Especially under certain regimes. However, in my view, this argument, and all arguments like it by themselves are often too simplistic in the face of complex systems such as the Internet to stand on their own.
@pixelcode The trusted root CA of the government might cause damage…
No the criticism isn't solely that it's government-controlled but that it's a security system highly centralized down to a bunch of people with highly critical key material. Any accidental issue leads to the whole system being invalid, this has happened before (the keys can't be rolled out because they can't open a safe https://www.theregister.com/2020/02/13/iana_dnssec_ksk_delay/) and will happen again. When the entirety of a security design goes back to one single point of failure, the design is bad. Especially when it only targets a subset of the issue
Even TLS CAs are less bad. I can probably name 3 of them, and trust fewer than that, but the sheer number of them makes it so that accidents are more distributed (although Let's encrypt massively re-centralizes this, and this needs to be solved)