m at tthias.eu
Thu Mar 29 18:43:15 UTC 2007
Greg Hudson wrote:
> The attractive thing about DNSSEC-based authentication for s2s is that
> you could tell via a secure channel that the other server is supposed to
> be using strong authentication. An attacker wouldn't be able to get
> away with saying "sorry, I only support dialback" if there existed DNS
> records for public keys for both communicating servers.
Well, I am a fan of DNSSEC as well. I had DNSSEC records in my amessage
zones some time ago as well. But I guess it will be easier to get all
administrators to do TLS+SASL with valid certificates than to get
DNSSEC widely deployed. :-(
> 1. There is no root deployment of DNSSEC and not much deployment
> anywhere. This is the real killer.
Indeed. I stopped having DNSSEC-signed zones because I did not see any
real benefit as long as I cannot participate in a bigger island of
trust (i.e. at least one of my TLDs getting DNSSEC secured).
But well, at least the Department of Homeland Security seems to be putting
some pressure on getting DNSSEC implemented in the root zone.
> 2. To my knowledge, there is no standard for using DNSSEC keying
> information to secure an application protocol. It might not have to be
> a very big standard--you could store self-signed X.509 certs in DNS and
> then use TLS for the heavy lifting--but it's still standards work
> outside the scope of XMPP.
Probably you would not add the certificate, but only a fingerprint of
it. There are some problems with DNS when responses get bigger than 512 B.
More information about the Standards
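The size argument made above (publish a fingerprint of the server certificate in DNS rather than the certificate itself, because responses over 512 bytes are a problem for plain UDP DNS) can be checked numerically. The following is an added illustration written for this archive page, not code from the thread's participants or from any XMPP server; the TXT-style record layout, the `example.net.` owner name, and the stand-in certificate bytes are all constructed assumptions, since the thread itself notes that no standard for such records existed.

```python
import base64
import hashlib
import hmac

# Classic UDP DNS payload limit from RFC 1035 (before EDNS0): a response
# larger than this is truncated and the client must retry over TCP.
DNS_UDP_LIMIT = 512

# Constructed stand-in for a DER-encoded self-signed X.509 certificate.
# Only its size (1024 bytes, in the range of a real certificate) and its
# digest matter for this illustration; the bytes are not a real certificate.
STANDIN_SERVER_CERT_DER = bytes(range(256)) * 4


def cert_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Lowercase hex digest of a DER certificate (a 'fingerprint')."""
    return hashlib.new(algorithm, der).hexdigest()


def fingerprint_rdata(der: bytes) -> bytes:
    """Hypothetical TXT record data carrying only the fingerprint."""
    return f"sha256={cert_fingerprint(der)}".encode()


def full_cert_rdata(der: bytes) -> bytes:
    """Hypothetical TXT record data carrying the whole certificate, base64."""
    return base64.b64encode(der)


def udp_response_size(owner: str, rdata: bytes) -> int:
    """Approximate size of a one-answer DNS response (header + question +
    one resource record). Good enough to compare against the 512 B limit;
    it ignores TXT character-string splitting and name compression details."""
    header = 12
    question = len(owner) + 1 + 2 + 2          # wire name + QTYPE + QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2               # name ptr, TYPE, CLASS, TTL, RDLENGTH
    return header + question + rr_fixed + len(rdata)


def fits_in_udp(owner: str, rdata: bytes) -> bool:
    return udp_response_size(owner, rdata) <= DNS_UDP_LIMIT


def verify_peer_cert(presented_der: bytes, published_fingerprint: str) -> bool:
    """What a receiving server would do after a TLS handshake: compare the
    peer certificate's fingerprint with the one obtained via DNS (assumed
    DNSSEC-validated). Constant-time compare avoids leaking mismatch position."""
    return hmac.compare_digest(cert_fingerprint(presented_der), published_fingerprint)


if __name__ == "__main__":
    owner = "example.net."
    fp = cert_fingerprint(STANDIN_SERVER_CERT_DER)
    print("fingerprint:", fp)
    print("fingerprint record fits in UDP:", fits_in_udp(owner, fingerprint_rdata(STANDIN_SERVER_CERT_DER)))
    print("full-cert record fits in UDP:  ", fits_in_udp(owner, full_cert_rdata(STANDIN_SERVER_CERT_DER)))
    tampered = STANDIN_SERVER_CERT_DER[:-1] + b"\x00"
    print("genuine cert verifies:", verify_peer_cert(STANDIN_SERVER_CERT_DER, fp))
    print("tampered cert verifies:", verify_peer_cert(tampered, fp))
```

Running it shows a SHA-256 fingerprint record of well under 100 bytes, while the same certificate inlined as base64 already exceeds 512 bytes on its own, which is the constraint the message refers to. The verification step only makes sense if the DNS answer was itself validated (DNSSEC); without that, a spoofed fingerprint record is as easy to inject as a spoofed SRV record.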