Re: [LINK] Calling time on DNSSEC?

Subject : Re: [LINK] Calling time on DNSSEC?
From : gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups : comp.misc
Date : 28. Nov 2024, 16:37:30
Organization : TNet Consulting
Message-ID : <via2nq$4o1$1@tncsrv09.home.tnetconsulting.net>
References : 1 2 3 4 5
User-Agent : Mozilla Thunderbird

On 11/28/24 02:52, Richard Kettlewell wrote:
> If you’re writing that then I don’t think you understood my point.

I understood your point.
I disagreed with your point.

> The problem people actually have is exchanging information with websites without anyone else being able to read or modify that data.

I feel the need to reiterate that the Internet is far more than just websites or web hosted content.

> DNSSEC on its own obviously can’t solve that.

TLS on its own can't do that either.

> DNS + TLS does solve it, sufficiently well. (Using TLS to include Internet PKI.)

For some nebulous value of sufficiently well.
The Internet PKI can be -> is an Achilles heel.

> DNSSEC + TLS would also solve it, but why would someone bother with DNSSEC when DNS+TLS is good enough for their needs?

DNS w/o DNSSEC is trusting that someone hasn't modified the data between the authoritative source and you the consumer.

DNSSEC cryptographically authenticates the data, thus making it possible to validate or detect modification.

Do you trust that your DNS server is giving you validated information? Or would you like some proof that what it's giving you is validated?

There are all sorts of ways to modify DNS data in flight between clients and authoritative servers.  As previously established, TLS (et al.) by itself isn't sufficient.  TLS needs a remote endpoint to communicate with.  Name resolution is required to be able to resolve the name you want to communicate with to an IP address to connect to.  DNS is the biggest and most common way that name resolution happens.  Local hosts files are also contenders, but they are way behind DNS.

I like to have my local DNS recursive resolver cryptographically validate information whenever possible.

I use DNSSEC protected DNS to host things like TLS certificate public keys with DANE and SSH fingerprints and other similar information that allows me to function without the PKI.

It comes down to whether people care if the information they get from DNS is cryptographically verifiable or not.  I personally care.  Many people don't know and most of them wouldn't care.
--
Grant. . . .
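
As an added illustration of the SSHFP use mentioned in the post above (not part of the original message and not the poster's code): checking an offered SSH host key against SSHFP record data, a comparison that only means something when the record itself was returned DNSSEC-validated. The keys and the published record are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public key line."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n].decode("ascii")
    if inner != fields[0]:
        raise ValueError("key type does not match key blob")
    return inner, blob


def sshfp_rdata(line, fp_type=2):
    """Build SSHFP RDATA (algorithm, fingerprint type, hex digest)."""
    key_type, blob = parse_pubkey(line)
    return SSHFP_ALG[key_type], fp_type, SSHFP_HASH[fp_type](blob).hexdigest()


def key_matches_sshfp(line, rdata_text):
    """True if the offered host key matches one SSHFP RDATA string."""
    alg, fp_type, digest = rdata_text.split(None, 2)
    alg, fp_type = int(alg), int(fp_type)
    if fp_type not in SSHFP_HASH:
        return False  # unknown fingerprint type: never treat as a match
    want_alg, _, want = sshfp_rdata(line, fp_type)
    got = digest.replace(" ", "").lower()
    return alg == want_alg and hmac.compare_digest(got.encode(), want.encode())


def _constructed_key(seed):
    # Constructed sample key material: 32 patterned bytes, not a real host key.
    raw = bytes((seed + i) % 256 for i in range(32))
    parts = (b"ssh-ed25519", raw)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


HOST_KEY = _constructed_key(0)    # key the server presents
OTHER_KEY = _constructed_key(1)   # a different key, e.g. from an impostor
PUBLISHED = "%d %d %s" % sshfp_rdata(HOST_KEY)  # RDATA the zone would publish
```
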


The messages displayed come from Usenet.
