DANE and DNSSEC, was Microsoft deems all DigiNotar

John Levine johnl at iecc.com
Mon Sep 12 14:46:03 UTC 2011

In article <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA at mail.gmail.com> you write:
>Except that this just shifts the burden of trust on to DNSSEC, which also
>necessitates a central authority of 'trust'.  Unless there's an explicitly
>more secure way of storing DNSSEC private keys, this just moves the bullseye
>from CAs to DNSSEC signers.

It does, but it also limits the damage.  If you lose your DNSSEC key,
bad guys can forge names below you in the DNS tree.  If you lose your
CA key, bad guys can forge any name they want.

Or to look at it another way, if I put effort into securing my own
DNS, and I am careful about the providers above me in the tree, I can
limit the chance of DNSSEC compromise.  With SSL, it doesn't matter
what I do, I'm always at the mercy of the next DigiNotar.


More information about the NANOG mailing list
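The damage-limiting argument in the message above (a stolen zone key forges only names below that zone, a stolen CA key forges anything) can be shown with a toy model of the two trust chains. The Go program below is an added example for this page, not code from the original post or from any DNSSEC or PKI implementation. Its assumptions: one Ed25519 key per zone instead of DNSSEC's KSK/ZSK pairs and RSA/ECDSA algorithms, a DS record modelled as the SHA-256 of the child's key, DS sets taken as delivered intact rather than re-verified, the root key as the resolver's configured trust anchor, and a constructed tree of root/com/org with the zones example.com and victim.org (names, addresses and the "compromised-ca" root are all made up for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a toy DNSSEC zone: one signing key (no KSK/ZSK split, RRsets or NSEC; those
// are simplifications of this model) plus the DS digests it publishes for its children.
type Zone struct {
	Name string // "" is the root; then "com", "example.com", ...
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	DS   map[string][32]byte // child zone -> SHA-256 of the child's public key
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string][32]byte{}}
}

// Delegate publishes a DS record for child; only the parent's key holder can do this.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = sha256.Sum256(child.Pub) }

// SignedRecord is an answer, the zone it claims signed it, and an RRSIG-like signature.
type SignedRecord struct {
	Name, Value, Signer string
	Sig                 []byte
}

func recordBytes(r SignedRecord) []byte { return []byte(r.Signer + "\x00" + r.Name + "\x00" + r.Value) }

// SignAs signs with z's key while claiming any signer name: exactly what an attacker
// holding a stolen zone key can do, and what the validator has to catch.
func (z *Zone) SignAs(signer, name, value string) SignedRecord {
	r := SignedRecord{Name: name, Value: value, Signer: signer}
	r.Sig = ed25519.Sign(z.priv, recordBytes(r))
	return r
}

func parentOf(name string) string {
	if i := strings.Index(name, "."); i >= 0 {
		return name[i+1:]
	}
	return "" // a TLD's parent is the root
}

// View is what a validating resolver fetched: DNSKEYs as received (an on-path attacker
// can substitute these; Keys[""] is the root trust anchor configured out of band) and
// each parent's DS set (assumed here to arrive intact rather than re-verified).
type View struct {
	Keys map[string]ed25519.PublicKey   // zone -> DNSKEY as received
	DS   map[string]map[string][32]byte // parent zone -> its DS set
}

// ValidateDNSSEC checks that the signer zone contains the name, walks signer -> root
// requiring each received key to match its parent's DS, then verifies the signature.
func (v View) ValidateDNSSEC(r SignedRecord) bool {
	if r.Signer != "" && r.Name != r.Signer && !strings.HasSuffix(r.Name, "."+r.Signer) {
		return false // a zone key only speaks for names at or below that zone
	}
	for z := r.Signer; z != ""; z = parentOf(z) {
		if key, ok := v.Keys[z]; !ok || v.DS[parentOf(z)][z] != sha256.Sum256(key) {
			return false // received key is not the one the parent vouched for
		}
	}
	key := v.Keys[r.Signer]
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(key, recordBytes(r), r.Sig)
}

// ValidateX509 models the browser PKI: any trusted root may vouch for any name, so the
// only check available is whether some trusted key produced the signature.
func ValidateX509(roots []ed25519.PublicKey, r SignedRecord) bool {
	for _, k := range roots {
		if ed25519.Verify(k, recordBytes(r), r.Sig) {
			return true
		}
	}
	return false
}

// Outcome reports whether each forgery attempt validates.
type Outcome struct{ BelowStolenZone, OutsideStolenZone, KeySwapped, AnyNameViaCA bool }

// Scenario builds the constructed root/com/org tree and tries four forgeries.
func Scenario() Outcome {
	root, com, org := NewZone(""), NewZone("com"), NewZone("org")
	example, victim := NewZone("example.com"), NewZone("victim.org")
	root.Delegate(com)
	root.Delegate(org)
	com.Delegate(example)
	org.Delegate(victim)
	view := View{Keys: map[string]ed25519.PublicKey{}, DS: map[string]map[string][32]byte{}}
	for _, z := range []*Zone{root, com, org, example, victim} {
		view.Keys[z.Name], view.DS[z.Name] = z.Pub, z.DS
	}
	var out Outcome
	// The attacker holds example.com's private key ("if you lose your DNSSEC key").
	out.BelowStolenZone = view.ValidateDNSSEC(example.SignAs("example.com", "www.example.com", "192.0.2.66"))
	out.OutsideStolenZone = view.ValidateDNSSEC(example.SignAs("example.com", "www.victim.org", "192.0.2.66"))
	view.Keys["victim.org"] = example.Pub // now also serve the stolen key as victim.org's DNSKEY
	out.KeySwapped = view.ValidateDNSSEC(example.SignAs("victim.org", "www.victim.org", "192.0.2.66"))
	// Web PKI: two trusted roots, one of them compromised ("if you lose your CA key").
	honestCA, badCA := NewZone("honest-ca"), NewZone("compromised-ca")
	out.AnyNameViaCA = ValidateX509([]ed25519.PublicKey{honestCA.Pub, badCA.Pub},
		badCA.SignAs("compromised-ca", "www.victim.org", "192.0.2.66"))
	return out
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints `{BelowStolenZone:true OutsideStolenZone:false KeySwapped:false AnyNameViaCA:true}`: the stolen example.com key forges www.example.com, but a record for www.victim.org fails either at the signer-contains-name check or, when the stolen key is passed off as victim.org's DNSKEY, at the DS comparison against what .org published. The same stolen key in the CA model forges www.victim.org without any check to stop it, because nothing in the PKI chain ties an issuer to a part of the namespace.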