<via2nq$4o1$1@tncsrv09.home.tnetconsulting.net>


Path: ...!weretis.net!feeder9.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.198.18.1.11!not-for-mail
From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.misc
Subject: Re: [LINK] Calling time on DNSSEC?
Date: Thu, 28 Nov 2024 09:37:30 -0600
Organization: TNet Consulting
Message-ID: <via2nq$4o1$1@tncsrv09.home.tnetconsulting.net>
References: <67464f37@news.ausics.net>
 <vi68n4$k3r$1@tncsrv09.home.tnetconsulting.net>
 <wwva5dlul1r.fsf@LkoBDZeT.terraraq.uk>
 <vi8tkg$8ha$1@tncsrv09.home.tnetconsulting.net>
 <wwva5dj91v4.fsf@LkoBDZeT.terraraq.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 28 Nov 2024 15:37:30 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="198.18.1.11";
	logging-data="4865"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <wwva5dj91v4.fsf@LkoBDZeT.terraraq.uk>
Bytes: 3316
Lines: 58

On 11/28/24 02:52, Richard Kettlewell wrote:
> If you’re writing that then I don’t think you understood my point.

I understood your point.

I disagreed with your point.

> The problem people actually have is exchanging information with 
> websites without anyone else being able to read or modify that data.

I feel the need to reiterate that the Internet is far more than just 
websites or web hosted content.

> DNSSEC on its own obviously can’t solve that.

TLS on its own can't do that either.

> DNS + TLS does solve it, sufficiently well. (Using TLS to include 
> Internet PKI.)

For some nebulous value of sufficiently well.

The Internet PKI can be -> is an Achilles' heel.

> DNSSEC + TLS would also solve it, but why would someone bother with 
> DNSSEC when DNS+TLS is good enough for their needs?

DNS w/o DNSSEC is trusting that someone hasn't modified the data between 
the authoritative source and you the consumer.

DNSSEC cryptographically authenticates the data, thus making it possible 
to validate or detect modification.

Do you trust that your DNS server is giving you validated information? 
Or would you like some proof that what it's giving you is validated?

There are all sorts of ways to modify DNS data in flight between clients 
and authoritative servers.  As previously established, TLS (et al.) by 
itself isn't sufficient.  TLS needs a remote endpoint to communicate 
with.  Name resolution is required to be able to resolve the name you 
want to communicate with to an IP address to connect to.  DNS is the 
biggest and most common way that name resolution happens.  Local hosts 
files are also contenders, but they are way behind DNS.

I like to have my local DNS recursive resolver cryptographically 
validate information whenever possible.

I use DNSSEC protected DNS to host things like TLS certificate public 
keys with DANE and SSH fingerprints and other similar information that 
allows me to function without the PKI.

It comes down to whether people care if the information they get from DNS is 
cryptographically verifiable or not.  I personally care.  Many people 
don't know and most of them wouldn't care.



-- 
Grant. . . .
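
The post above mentions publishing TLS public keys via DANE and SSH fingerprints in DNSSEC-protected DNS. The following Python is an added illustration of what those records actually contain; it is not code from the post or its author. It builds TLSA (RFC 6698) and SSHFP (RFC 4255) record data from constructed Ed25519 public-key bytes and checks a presented key against each record. The owner names (_443._tcp.example.com, example.com), the port, and the key bytes are assumptions made up for the example; only the Python standard library is used.

```python
"""Derive DANE TLSA and SSHFP record data from public keys and check a
presented key against a record.  Stdlib only.  All key material below is
constructed sample data for illustration, not real keys."""
import base64
import hashlib
import hmac

# Constructed 32-byte Ed25519 public keys (fixed bytes, not real keys).
SAMPLE_TLS_PUBKEY = bytes(range(32))
SAMPLE_SSH_PUBKEY = bytes(range(32, 64))

# Hypothetical owner names for the records (assumptions, not from the post).
TLSA_OWNER = "_443._tcp.example.com."
SSHFP_OWNER = "example.com."


# RFC 8410 SubjectPublicKeyInfo for Ed25519:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0x00 || key } }
def ed25519_spki_der(pubkey: bytes) -> bytes:
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    algorithm_id = b"\x30\x05\x06\x03\x2b\x65\x70"
    subject_public_key = b"\x03\x21\x00" + pubkey
    body = algorithm_id + subject_public_key
    return b"\x30" + bytes([len(body)]) + body


_TLSA_HASHES = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_record(spki_der: bytes, usage: int = 3, matching: int = 1) -> str:
    """TLSA RDATA in RFC 6698 presentation format.
    usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type
    1 = SHA-256 (2 = SHA-512).  Selector 0 (full certificate) is not
    covered because this example has an SPKI but no certificate."""
    digest = _TLSA_HASHES[matching](spki_der).hexdigest()
    return f"{usage} 1 {matching} {digest}"


def tlsa_matches(record: str, presented_spki_der: bytes) -> bool:
    """Does the presented SPKI match the association data in `record`?"""
    _usage, selector, matching, assoc = record.split()
    if int(selector) != 1 or int(matching) not in _TLSA_HASHES:
        return False
    digest = _TLSA_HASHES[int(matching)](presented_spki_der).hexdigest()
    return hmac.compare_digest(digest, assoc.lower())


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix plus the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_ed25519_wire(pubkey: bytes) -> bytes:
    """RFC 4253 public-key blob: string "ssh-ed25519", string key."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey)


def authorized_key_line(pubkey: bytes, comment: str = "sample") -> str:
    """OpenSSH one-line public key format: type, base64 blob, comment."""
    blob = base64.b64encode(ssh_ed25519_wire(pubkey)).decode()
    return f"ssh-ed25519 {blob} {comment}"


# SSHFP algorithm numbers: RFC 4255 (1, 2), RFC 6594 (3), RFC 7479 (4).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
_SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_ssh_public_key(line: str) -> tuple[str, bytes]:
    """Split an OpenSSH public-key line and check that the type string
    embedded in the blob agrees with the leading key-type token."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type token does not match blob contents")
    return keytype, blob


def sshfp_record(line: str, fp_type: int = 2) -> str:
    """SSHFP RDATA: algorithm, fingerprint type, hex digest of the raw
    key blob (the base64-decoded bytes).  fp_type 2 = SHA-256, 1 = SHA-1."""
    keytype, blob = parse_ssh_public_key(line)
    digest = _SSHFP_HASHES[fp_type](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[keytype]} {fp_type} {digest}"


def sshfp_matches(record: str, line: str) -> bool:
    """Does the host key in `line` match the SSHFP record?"""
    algo, fp_type, fingerprint = record.split()
    keytype, blob = parse_ssh_public_key(line)
    if SSHFP_ALGORITHMS.get(keytype) != int(algo) or int(fp_type) not in _SSHFP_HASHES:
        return False
    digest = _SSHFP_HASHES[int(fp_type)](blob).hexdigest()
    return hmac.compare_digest(digest, fingerprint.lower())


if __name__ == "__main__":
    spki = ed25519_spki_der(SAMPLE_TLS_PUBKEY)
    print(f"{TLSA_OWNER} IN TLSA {tlsa_record(spki)}")
    line = authorized_key_line(SAMPLE_SSH_PUBKEY)
    print(f"{SSHFP_OWNER} IN SSHFP {sshfp_record(line)}")
```

Note what this does and does not give you: the record data is only as trustworthy as the path it arrived over, which is the point of the thread. A client that fetches these records without a validating resolver (or without checking the AD bit from one it trusts) has simply moved the trust from a CA to whoever can answer its DNS queries.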