[Standards] dnssec

Matthias Wimmer m at tthias.eu
Thu Mar 29 18:43:15 UTC 2007


Greg Hudson schrieb:
> The attractive thing about DNSSEC-based authentication for s2s is that
> you could tell via a secure channel that the other server is supposed to
> be using strong authentication.  An attacker wouldn't be able to get
> away with saying "sorry, I only support dialback" if there existed DNS
> records for public keys for both communicating servers.

Well I am a fan of DNSsec as well. I had DNSsec records in my amessage 
zones some time ago as well. But I guess it will be easier to get all 
administrators to do TLS+SASL with valid certificates, than to get 
DNSsec widely deployed. :-(

>   1. There is no root deployment of DNSSEC and not much deployment
> anywhere.  This is the real killer.

Indeed. I stopped having DNSsec signed zones because I did not see any 
real benefit as long as I cannot participate in a bigger island of 
trust. (i.e. at least one of my TLDs getting DNSsec secured)

But well at least the Departement of Homeland Security seems to make 
some pressure to get DNSsec implemented in the root zone.

>   2. To my knowledge, there is no standard for using DNSSEC keying
> information to secure an application protocol.  It might not have to be
> a very big standard--you could store self-signed X.509 certs in DNS and
> then use TLS for the heavy lifting--but it's still standards work
> outside the scope of XMPP.

Probably you would not add the certificate, but only a fingerprint of 
it. There are some problems with DNS, when responses get bigger then 512 B.


Matthias



More information about the Standards mailing list