On Sun, Feb 14, 2016 at 8:56 PM, Martin Thomson <[email protected]> wrote:
> On 14 February 2016 at 11:40, Phillip Hallam-Baker
> <[email protected]> wrote:
>> HPKP in DNS can be rolled out today.
>
> Maybe I'm just dim today, but doesn't that suffer from the same
> problem as TLSA? HPKP in HTTPS relies on HTTPS providing integrity.
> Don't you need DNSSEC to get the same result for DNS?
You only need authentication if you are going to store the information for longer than the DNS TTL or use it in place of an authenticated key pin. Otherwise, a false D-HPKP signal is just a Denial of Service vector, which is already trivial for someone who controls DNS.

Obviously there is an advantage to deployment of DNSSEC, as follows:

1) For browser providers, as a means of improving D-HPKP security policy once there is an established base for D-HPKP.

2) Once there is a deployment of DNSSEC in a browser, there is an incentive for sites with D-HPKP to deploy DNSSEC.

DANE requires both sides to anticipate support by the other. It is a deployment deadlock. There is no advantage to deployment by sites without support in the browser. The browser providers have stated they don't see the point of DNSSEC to secure A/AAAA records (and they are right).

TLSA deployment is negligible, less than 1000 domains, and 7-13% of those are wrong.

https://www.isi.edu/~johnh/PAPERS/Zhu15a.pdf

The other deployment pathology that DANE suffers from is that the companies that help most enterprises manage their DNS records are DNS registrars. These companies typically have a business model of selling the DNS record at or below cost and making the difference up with value added services, chiefly SSL certificates.

Now without laboring the point, just how did you expect to deploy a new protocol when you were openly boasting about how it was going to eliminate the principal source of revenue for the party you need support from?

This was an experiment. It has failed.

Now if you really want to solve the problem, how about people let me have a go at doing it the way I suggested in the first place.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
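The TTL argument in the reply above, modelled as a small client-side pin policy. This is an added illustration, not code from the thread or from any browser; the record format of "D-HPKP" is not specified here, so DNS pins are just a set of SPKI labels with a TTL, and the SPKI values are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class PinStore:
    """Hypothetical client pin policy modelling the argument above.
    HTTPS-delivered HPKP pins arrive over an authenticated TLS connection
    and persist for max-age. DNS-delivered pins (the 'D-HPKP' signal) are
    unauthenticated without DNSSEC, so they are kept no longer than the
    DNS TTL and never override an authenticated HTTPS pin."""
    https_pins: dict = field(default_factory=dict)  # host -> (pins, expiry)
    dns_pins: dict = field(default_factory=dict)    # host -> (pins, expiry)

    def learn_https_pin(self, host, pins, max_age, now):
        self.https_pins[host] = (frozenset(pins), now + max_age)

    def learn_dns_pin(self, host, pins, ttl, now):
        # Unauthenticated signal: cached strictly for the DNS TTL, no longer.
        self.dns_pins[host] = (frozenset(pins), now + ttl)

    def effective_pins(self, host, now):
        # The authenticated HTTPS pin wins; DNS is consulted only otherwise.
        for name, table in (("https", self.https_pins), ("dns", self.dns_pins)):
            entry = table.get(host)
            if entry is not None and now < entry[1]:
                return name, entry[0]
        return None, None

    def check(self, host, presented_spki, now):
        """Pin check, run after ordinary PKIX validation has already passed."""
        source, pins = self.effective_pins(host, now)
        if pins is None:
            return "accept"  # no pin known for this host
        return "accept" if presented_spki in pins else "reject"


def forged_dns_pin_outcomes():
    """Someone who controls DNS (but not the server key) publishes a pin for
    a key of their own with a 300 s TTL. SPKI labels are constructed."""
    store = PinStore()
    store.learn_dns_pin("example.com", {"attacker-spki"}, ttl=300, now=0)
    out = {}
    # 1. No authenticated pin yet: the legitimate key is rejected -> DoS only.
    out["dos_during_ttl"] = store.check("example.com", "legit-spki", now=10)
    # 2. Once the TTL lapses the forged pin is forgotten and service resumes.
    out["after_ttl"] = store.check("example.com", "legit-spki", now=301)
    # 3. With an HTTPS pin in force, the DNS signal cannot displace it.
    store.learn_https_pin("example.com", {"legit-spki"}, max_age=3600, now=0)
    out["https_pin_legit"] = store.check("example.com", "legit-spki", now=10)
    out["https_pin_attacker"] = store.check("example.com", "attacker-spki", now=10)
    return out
```

The forged DNS pin can only cause rejections bounded by its TTL; it never causes acceptance of a key that an authenticated pin excludes, which is the sense in which the reply calls it a Denial of Service vector rather than an impersonation one.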
