Even if that wasn't the case --- and it emphatically is --- you'd still be contending with a "personal CA" that in most cases would have its root of trust in a PKI operated by world governments, most of which have a demonstrated aptitude for manipulating the DNS.
WebPKI is already making this mistake (due to ACME). DANE at least is honest about it?
OK, even so, let's examine it? The premise of CT is already a bit dubious: it involves being able to figure out, after the fact, that there was a certificate issued which should not have been issued, and the attack has already been performed. The only reason this makes any sense at all is because it (supposedly) provides an incentive to people not to participate in the attack in the first place...
...but, the assumption of this is pretty much always that the party that is at fault in such a scenario is always the CA. Only, the premise of ACME undermines that: if the government decides to take over the DNS record, Let's Encrypt absolutely will issue the certificate, and it absolutely wouldn't be their fault. If we did punish them for it, then what we are really saying is that ACME is a bad idea within WebPKI.
(BTW: a big part of your argument against DNSSEC always relies on "people aren't able to do it correctly", and if we apply that to CT the situation also sucks: as the expiration time for certificates goes lower and lower, the number of certificates I'm being issued goes up and up, and unless I have a durable central log of my requests--and no normal installation does--I can't verify any of the information from CT anyway.)
(Yes: we could build that software, so that Apache won't re-issue my certificates without first making sure that the request has been logged durably into a database, and there is software that also goes around scavenging CT to check if my certificate is mis-issued, but I hesitate to be that charitable, given that you have spent years ignoring people who assert that clients, not resolvers, must verify DNSSEC.)
(And, to take this as a moment to push back here on another of your refrains: yes, people can get DNSSEC wrong and accidentally publish their keys... but, the likelihood they will do something that dumb--despite not doing so for TLS--is way lower than the almost-certainty that they aren't going to even know what CT is, much less track it--and, critically, report after-the-fact "oops too late" attacks--for mis-issuance.)
I think the fundamental design of DNSSEC is wrong. Its role in Internet security is mostly as a vector to keep 1990s cryptography in common use. Offline signing was wrong. Signing and not encrypting was wrong. The model we ended up with for authenticated denial is wrong. The trust model is wrong. Top-down deployment, rather than bottom-up with incremental value: wrong. It's really hard to look at DNSSEC as a design and find anything right with it.
I don't blame the DNSSEC authors for this; they were working with constraints and assumptions that got rewritten in the 2000s. I do blame the DNSSEC non-authors who refuse to accept the idea that the IETF could have gotten something wrong and are still trying to push this contraption on people.
Finally, as I keep saying: we're never going to get "DNS transparency". Governments run the roots of the DNS hierarchy. Governments don't run CAs, and even then, a single browser had to amass so much market power that they could dictate terms to the CAs (and, in the process, kill some of the largest CAs) in order to make CT happen. That simply cannot happen with the DNS.
The dumbest thing about all of this is that the only purpose DNSSEC still serves is as an extra layer of authentication for domain-based WebPKI challenges. Nobody needs to change their zones to get better security than that! We can just run a protocol between the CAs and the registrars (it exists!).
If we accept this thesis, it means that the only reason we are able to have a secure internet is because we also have a monopoly on browser technology; and like, we don't want there to be a monopoly on browser technology, right? That means the current situation is unstable at best until we finally manage to regulate that monopoly out of existence... or, and maybe you feel this is the worst case scenario, attempt to turn it into a public good.
> Governments run the roots of the DNS hierarchy.
That this is true has some devastating consequences that I feel as if I've never seen you discuss, as TLS has not, does not, (seemingly) will not, and potentially even cannot fix the problem that a government is in a position to subvert the DNS hierarchy: it is just a fundamental property of deciding to build the web on top of a federated namespace managed by governments. We need to fix this at the web-protocol level by ditching the current TLD authority for something that isn't governmental (and is more distributed, not federated).
I mean, let's look at surveillance that doesn't even require a certificate: 1) governments are in a position to redirect traffic to websites within their namespace by forging the DNS records anywhere under their TLD; 2) IP doesn't provide any protection against someone forwarding the encrypted packets; and 3) TLS only encrypts the content, but doesn't have any mechanism to encrypt the metadata of the communication channel (timing and length)...
...this is already devastating, as not only does it let you target small regions of people and determine if they are accessing a website, it also (and this is the thing that I find not enough people really internalize correctly) let's you know exactly what those users are accessing with high certainty, as you can see the approximate size of the responses to their requests. This technique has been successfully implemented in the past to figure out not merely which page of a site you are visiting, but what region of Google Maps you are looking at (based on patterns of map tile sizes), what video on YouTube you are looking at (based on patterns of video chunk sizes), and (maybe the most incredible) what your search query is (based on patterns of type-ahead suggestion lists: every keystroke causes a new request with a new JSON response of a different size; I think they did it for PornHub).
> Finally, as I keep saying: we're never going to get "DNS transparency".
I think you're throwing up your hands in defeat at something that we actually can fix in the browser stacks: simply add a new TLD that stores all of its second-level records on a blockchain. We already have some of these... they aren't designed well, as they don't have people who actually know much about the needs of internet protocols involved (the level of "defeat snatched from the jaws of victory" in this space is simply insane), but if people like us constantly point in the correct direction, we can pull this off.
Or like, hell: maybe you find distributed blockchain tech distatesful... what if the EFF partnered with Google to manage a new TLD? Hell: Google already manages a TLD in a similar conceptual space (the one where Chrome requires HTTPS on all connections)! And then, what if they decided that DNS transparency was important enough to implement a scheme similar to the CA transparency lists for it? It would take some effort to come up with the correct design for this, but it isn't as if CA transparency was easy to pull off or is in any way perfect even today: it is a shaky system that only sometimes helps, but you care anyway!
That isn't going to happen if you just write off DNS transparency as so impossible that it isn't even worth discussing. If you, instead, consistently said DNS transparency is really important, even though it is hard, maybe people at Google, EFF, Apple, Mozilla, or who all else might be relevant for this might suddenly get inspired to work on it... and, sure: to do it as a new TLD doesn't fix the problem immediately, but new websites are launched all the time, new TLDs already are successfully booted (even by Google), developers seemingly like to jump on fad TLDs, and if you start somewhere, maybe the pressure will slowly cause some of the existing TLDs to do something similar.
Sure, DNSSEC might be a non-starter... but like, replacing DNSSEC is equivalent to fixing it, if you are willing to take a long-enough term approach to your advocacy efforts.
You're accusing me of "throwing my hands up". But you're also writing a comment that suggests maybe it's not a big deal if TLS certificates can get spoofed by state adversaries; how could it be worse than how things are now?
I mean: in a sense, I get it, because I don't think any of this is the high order bit of Internet security, which has a lot more to do with xnu and Android kernel security decisions than with all this protocol ceremony.
As I keep saying, the fact that DNSSEC is essentially a key escrow system run by world governments is just one of my objections, and not the one I personally care most about. What I care most about is spending hundreds of millions of dollars in a forklift upgrade of a core Internet protocol, all to take several steps backwards in Internet security.
Without a way to measure, nothing happens. There was once a few, UX-hostile DNSSEC & DANE browser extensions but these never worked well and were discontinued.
Purveyors of functional DNSSEC: https://freebsd.org
The original registrar, Network Solutions, doesn't even fully support DNSSEC. You can only get it if you pay them an extra $5/mo and let them serve your DNS records for you. So for $5/mo you get DNSSEC, but you defer control of your records to them, which isn't really secure.
https://community.cloudflare.com/t/dnssec-on-network-solutio...
At work this week I was hand-holding a DB engineer who was installing some (corporate, not Web PKI) certs and it reminded me of those bad old days. He's got a "certificate" and because this isn't my first rodeo, I ask him to describe it in more details before he just sends me it to look at. Of course it's actually a PKCS#12 file, and so if he'd sent that the key which is inside it is compromised - but he doesn't know that, the whole system was introduced to him as a black box which renders him unable to make good decisions. Out of that conversation we got more secure systems (fixing some issues that pre-existed the fault I was there to help with) and an ally who understands what the technology is actually for and is now trying to help us deliver its benefits rather than just following rote instructions they don't understand.
Anyway, just as we went from "I dunno, I clicked a button and typed in the company credit card details, then I got emailed this PFX file to put on the server" to "Click yes when it asks if you want Let's Encrypt" with both an invisible improvement to delivered security and a simpler workflow, that's very much possible for DNSSEC if people who want to solve the problem put some work in, rather than contentedly announcing that it can't be fixed and we shouldn't worry about it.
But for several decades, DNSSEC proponents have been complaining about the vocal detractors, rather than actually addressing the problems that have been identified. That's a pretty significant track record on which to make a fair judgment about who is making the strongest case.
Someone above offered a link [1] that gives some pretty good reasons why nobody is stepping up to fix the problems.
[1] https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
The most important work to put in isn’t tweaking DNSSEC but changing it from the pre-PC Internet model where everyone completely trusted their network operators – pushing signature validation out to the client and changing the operating system APIs to make better user interfaces possible.
If one uses them.
One can alternatively use iterative queries where no "DNS resolver", i.e., recursive resolver, is used.
Many years ago I wrote a system for interative resolution for own use, as an experiment. I learnt that it can be faster than recursive resolution.
People have since written software for iterative resolution, e.g., https://lizizhikevich.github.io/assets/papers/ZDNS.pdf
Unfortunately authoritative servers generally do not encrypt their responses. IMO this would be more useful than "DNSSEC".
"And that data is often provided by authoritative servers."
What are examples of data not provided by authoritative servers.
If this is true, then one might assume DNSSEC is generally unnecessary if one is running their own unshared cache only accessible from the loopback or the LAN
Software like djb's dnscache, a personal favourite, has no support for DNSSEC
NLNet's unbound places a strong emphasis on supporting DNSSEC. The unbound documentation authors recommend using it
https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/...
Security is about being a sufficiently hardened target, so that the lazy attacker seeks easier prey.
Anyone could quickly build a public cryptographically secure blockchain-based DNS system where people could optionally sync and query their own nodes (without even going over the wire). People could buy and own their domain names on-chain using cryptocurrency instead of repeatedly renting them from some centralized entity.
You could easily build this today by creating a Chrome Extension with a custom URL/address bar which bypasses the main one and makes a call to blockchain nodes instead of a DNS resolver; it would convert a domain name into an IP address by looking up the blockchain. This system could scale without limit in terms of reads as you can just spin up more nodes.
I mean it'd be so easy it's basically a weekend project if you use an existing blockchain as the base. Actually Ethereum already did something like this with .ETH domains but I don't think anyone built a Chrome Extension yet; or at least I haven't heard, though it's possible to enable in Brave browser via settings (kind of hidden away). Also, there is Unstoppable Domains.
Adoption is critical for alternate roots, so the first question has to be how something gets enough users for anyone to feel it’s worth the trouble of using: the failure mode of DNS is that links break, email bounces, and tons of things which do server-side validation reject it, so this really limits usage.
The other big problem is abuse. Names are long term investments, so there are the usual blockchain problems of treating security as an afterthought but you also have the problem that third-parties have a valid need to override the blockchain (e.g. someone registers Disney.bit and points it at a porn site or serves malware from GoogleChrome.eth). Solving that means that you’re back to trusting the entity which created the system or maybe a group of operators, so the primary appeal is going to be if you can make it cheaper than owning a traditional domain.
It’s hard to care about something like that, even if it really does matter behind the scenes.
- DNSSEC auto-signing is tightly integrated into all authoritative DNS daemons instead of being a set of scripts, cron jobs and other bolt-on concepts. i.e. I never see a key, a script, etc... The daemon logs everything it is parsing and loading when set to verbose or debug.
- My primary and secondary servers and other peoples servers all present a DNSSEC-autosign(ed) capability during AXFR/IXFR negotiation and the server knows what to do with it and what additional sanity checks to perform.
- Zone transfers are universally encrypted by all DNS daemons. All of them. Every secondary service one could stumble upon must support XoT Encrypted Zone Transfer. Currently supported by NSD and Bind. RFC 9103. Otherwise this is just a LARP. Optionally also DNS over QUIC RFC 9250
- Primary and Secondary servers do sanity checks to determine if I am about to step on my own landmine and will rudely and hopefully quite offensively refuse to activate any changes if something seems off.
- Optionally and optimally I would like to see all of the ROOT servers support DoT with a long lived cert and all that implies. This could be a separate set of physical servers that intercept/DNAT port 853 to cache the load off the actual ROOT servers.
This is what SSH CA's are for.
Best for anonymous mobile.
tptacek•7mo ago
It's a fun site! I'm not entirely sure why the protagonist is a green taco, but I can see why a DNS provider would make a cartoon protocol explainer. It's just that this particular protocol is not as important as the name makes it sound.
immibis•7mo ago
Note that without DNS security, whoever controls your DNS server, or is reliably in the path to your DNS server, can issue certificates for your domain. The only countermeasure against this is certificate transparency, which lets you yell loudly that someone's impersonating you but doesn't stop them from actually doing it.
tptacek•7mo ago
iscoelho•7mo ago
tptacek•7mo ago
avidiax•7mo ago
Unfortunately, DNSSEC is a bit expensive in terms of support burden, additional bugs, reduced performance, etc. It will take someone like Apple turning DNSSEC validation on by default to shake out all the problems. Or it will take an exploitable vulnerability akin to SIM-swapping to maybe convince Let's Encrypt! and similar services reliant on proof-by-dns that they must require DNSSEC signing.
tptacek•7mo ago
immibis•7mo ago
(The biggest problem in this thread is that you can bypass the rate limit but nobody else can)
tptacek•7mo ago
saurik•7mo ago
immibis•7mo ago
immibis•7mo ago
tptacek•7mo ago
iscoelho•7mo ago
At this point, your statements border on intentional dishonesty. Please be more truthful and responsible in your statements.
tptacek•7mo ago
teddyh•7mo ago
Avamander•7mo ago
Hijacking by whom? Very few are really running a validating recursive resolver.
theamk•7mo ago
Just create a secure path from CA to registrar. RDAP-based or DoH-based, or something from scratch, does not really matter. It will only need to cover few thousand CAs and TLDs, so it will be vastly simpler that upgrading billions of internet devices.
iscoelho•7mo ago
"For instance, in April 2018, a Russian provider announced a number of IP prefixes (groups of IP addresses) that actually belong to Route53 Amazon DNS servers."
By BGP hijacking Route53, attackers were not only able to redirect a website to different IPs, globally, but also generate SSL certificates for that website. They used this to steal $152,000 in cryptocurrency. (I know I know, "crypto", but this can happen to any site: banking, medical, infrastructure)
Also, before you say, RPKI doesn't solve this either, although a step in the right direction. DNSSEC is a step in the right direction as well.
[1] https://www.cloudflare.com/learning/security/glossary/bgp-hi...
tptacek•7mo ago
iscoelho•7mo ago
DNSSEC does greatly assist with this issue: It would have prevented the cited incident.
tptacek•7mo ago
iscoelho•7mo ago
1. Hijack the HTTP/HTTPS server. For some IP ranges, this is completely infeasible. For example, hijacking a CloudFlare HTTP/HTTPS range would be almost impossible theoretically based on technical details that I won't go through listing.
2. Hijack the DNS server. Because there's a complete apathy towards DNS server security (as you are showing) this attack is very frequently overlooked. Which is exactly why in the cited incident attackers were capable of hijacking Amazon Route53 with ease. *DNSSEC solves this.*
If either 1 or 2 work, you have yourself a successful hijack of the site. Both need to be secure for you to prevent this.
tptacek•7mo ago
At this point, you might as well just have the CABForum come up with a new blessed verification method based on RDAP. That might actually happen, unlike DNSSEC, which will not. DNSSEC has lost signed zones in North America over some recent intervals.
I do like that the threat model you propose is coherent only for sites behind Cloudflare, though.
iscoelho•7mo ago
The threat model I proposed is coherent for Cloudflare because they have done a lot of engineering to make it almost impossible to globally BGP hijack their IPs. This makes the multi-perspective validation actually help. Yes, other ISPs are much more vulnerable than Cloudflare, is there a point?
You are not saying DNSSEC doesn't serve a real purpose. You are saying it is annoying to implement and not widely deployed as such. That alone makes me believe your argument is a bit dishonest and I will abstain from additional discussion.
tptacek•7mo ago
If we really wanted to address this particular attack vector in a decisive way, we'd move away, at the CA level, from relying on the DNS protocol browsers use to look up hostnames altogether, and replace it with direct attestation from registrars, which could be made _arbitrarily_ secure without the weird gesticulations DNSSEC makes to simultaneously serve mass lookups from browsers and this CA use case.
But this isn't about real threat models. It's about a tiny minority of technologists having a parasocial relationship with an obsolete protocol.
xorcist•7mo ago
tptacek•7mo ago
If people were serious about this, they'd start by demanding that every DNS provider accept U2F and/or Passkeys, rather than the halfhearted TOTP many of them do right now. But it's not serious; it's just motivated reasoning in defense of DNSSEC, which some people have a weird stake in keeping alive.
iscoelho•7mo ago
tptacek•7mo ago
The companies you're deriding as unserious about security in general spend drastically more on security than the companies that have adopted it. No part of your argument holds up.
iscoelho•7mo ago
Citation? A BGP hijack can be done for less than $100.
"You can't just name call your way to getting this protocol adopted"
I do not care if you adopt this protocol. I care that you accurately inform others of the documented risks of not adopting DNSSEC. There are organizations that can tolerate the risk. There are also organizations that are unaware because they are not accurately informed (due to individuals like yourself), and it is not covered by their security audits. That is unfortunate.
tptacek•7mo ago
cyberax•7mo ago
Wait, wait, wait. How can you hijack a DNSSEC server? Its keys are enrolled in the TLD, and you can't spoof the TLD server, because its keys in turn are enrolled in the root zone. And the root zone trust anchor is statically configured on all machines.
belorn•7mo ago
High-end registrars that focus on portfolios and brand management generally do have any kind of authentication that the customers want, and the price will reflect that. Costumers are not just buying the service of a middle man that acts as a go-between the TLD and the domain owner.
baobun•7mo ago
phillipseamore•7mo ago
tptacek•7mo ago
iscoelho•7mo ago
tptacek•7mo ago
For starters you could try `dig +short ds google.com`. It'll give you a flavor of what to expect.
daneel_w•7mo ago
growse•7mo ago
It's the latter.
tptacek•7mo ago
You're not going to take my word for it, but you could take Geoff Huston's, who recently recorded a whole podcast about this.
marcusb•7mo ago
marcusb•7mo ago
zahllos•7mo ago
An argument for DNSSEC is any service configured by SRV records. It might be totally legitimate for the srv record of some thing or other to point to an A record in a totally different zone. From a TLS perspective you can't tell, because the delegation happened by SRV records and you only know if that is authentic if you either have a signed record, or a direct encrypted connection to the authoritative server (the TLS connection to evil.service.example would be valid).
So it depends what you expect out of DNS.
iscoelho•7mo ago
acdha•7mo ago
iscoelho•7mo ago
zahllos•7mo ago
DCV is CA/B speak for domain-control validation; CAA = these are my approved CAs.
This seems to be optional in the sense that: if a DNS zone has DNSSEC, then validation must succeed. But if DNSSEC is not configured it is not required.
muppetman•7mo ago
You have to be so insanely careful and plan everything to the nth degree otherwise you break everything: https://internetnz.nz/news-and-articles/dnssec-chain-validat...
The idea is important. What it aims to protect is important. The current implementation is horrible, far too complex and fraught with so many landminds that no one wants to touch it.
If Geoff Huston is suggesting it might be time to stick a fork in DNSSec because it's done, then IMHO it's well cooked. https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
iscoelho•7mo ago
I am saying it is dishonest to discount the real security threat of not having DNSSEC.
muppetman•7mo ago
tptacek•7mo ago
But the person you're replying to believes we should hasten deployment of DNSSEC, the protocol we have now.
iscoelho•7mo ago
Sadly, we live in this reality for now, so we do what we can with what we have. We have DNSSEC.
tptacek•7mo ago
muppetman•7mo ago
I saying say I agree with the statement "I am saying it is dishonest to discount the real security threat of not having DNSSEC."
I believe we do need some way to secure/harden DNS against attacks, we can't pretend that DNS as it stands is OK. DNSSEC is trying to solve a real problem - I do think we need to go back to the drawing board on how we solve it though.
tptacek•7mo ago
It's fine that we all agree on some things and disagree on others! I don't think DNS security is a priority issue, but I'm fine with it conceptually. My opposition is to the DNSSEC protocol itself, which is a dangerous relic of premodern cryptography designed at a government-funded lab in the 1990s. The other commenter on this thread disagrees with that assessment.
slightly later
(My point here is just clarity about what we do and don't agree about. "Resolving" this conflict is pointless --- we're not making the calls, the market is. But from an intellectual perspective, understanding our distinctive positions on Internet security, even if that means recognizing intractable disputes, is more useful than just pretending we agree.)
belorn•7mo ago
I remember back in the days when people discouraged people from using encrypted disks because of the situation that could happen if the user lost their passwords. No disk encryption algorithm can solve the issue if the user does not have the correct password, and so the recommendation was to not use it. Nowadays people usually have TPMs or key management software to manage keys, so people can forget the password and still access their encrypted disks.
DNSSEC software is still not really that developed that they automatically include basic tests and verification tools to make sure people don't simply mix up keys. They assume that people write those themselves. Too many times this happens after incidents rather than before (heard this in so many war stories). It also doesn't help that dns is full of caching and caching invalidation. A lot of the insane step-by-step plans comes from working around TTL's, lack of verification, basic tooling, and that much of the work is done manually.
dwattttt•7mo ago
This problem is accurate, but it's the framing that makes it wrong.
No disk encryption algorithm can simultaneously protect and not protect something encrypted, what you're missing is the protocol/practices around that, and those are far less limited.
There is heaps of encryption around these days, there are people losing access to their regular keys, and yet procedures that recover access to their data while not entirely removing the utility of having encrypted data/disks.
josephcsible•7mo ago
daneel_w•7mo ago
If you're on the root/TLD end of things I agree. Certainly not if you're a domain owner or name server administrator on the customer end of things.
1over137•7mo ago
So has failing to renew TLS certificates. So what?
pvg•7mo ago
cyberax•7mo ago
tptacek•7mo ago
bombcar•7mo ago
viraptor•7mo ago
bombcar•7mo ago
viraptor•7mo ago
cyberax•7mo ago
There are also operational risks, as Let's Encrypt has to have their secret key material in close proximity to web-facing services. Of course, they use HSMs, but it might not be enough of a barrier for nation-state level attackers.
The offline signing feature of DNSSEC allows the root zone and, possibly, the TLDs to be signed fully offline.
That's why in my ideal world I want to keep DNSSEC as-is for the root zone and the TLD delegation records, but use something like DoH/DoT for the second-level domains. The privacy impact of TLD resolution is pretty much none, and everything else can be protected fully.
tptacek•7mo ago
cyberax•7mo ago
tptacek•7mo ago
burnt-resistor•7mo ago
- ECC vs. non-ECC memory and bitsquatting when people said "oh, it doesn't matter and it's too expensive for no benefit."
- http:// was, for years, normalized pre-PRISM.
- Unsecured DNS over 53/tcp+udp (vs. DoH today) is a huge spoofing and metadata collection threat surface.
rsync•7mo ago
Genuinely curious:
What actor, in 2025, would exist in your threat model for DoH ... but wouldn't simultaneously be sniffing SNI ?
I can't think of any.
I cannot think of any good reason to be serious about DoH and DNS leakage in the presence of unencrypted SNI.
What am I missing ?
iscoelho•7mo ago
It is also public knowledge that certain ISPs (including Xfinity) sniff and log all DNS queries, even to other DNS servers. TLS SNI is less common, although it may be more widespread now, I haven't kept up with the times.
growse•7mo ago
iscoelho•7mo ago
1vuio0pswjnm7•7mo ago
immibis•7mo ago
ikiris•7mo ago
1oooqooq•7mo ago
they not only intercepted your traffic for profiling but also injected redirects to their branded search. honestly curious if you're just too young or was one of the maybe 10 people who never experienced this.
sending traffic to a third party like quad9 is much safer than to a company who have your name/address/credit card.
nine_k•7mo ago
There is a huge demand for securing DNS-related things, but DNSSEC seems to be a poor answer. DoH is a somehow better answer, with any shortcomings it may have, and it's widely deployed.
I suspect that a contraption that would wrap the existing DNS protocol into TLS in a way that would be trivial to put in front of an existing DNS server and an existing DNS client (like TLS was trivial to put in front of an HTTP server), might be a runaway success. A solution that wins is a solution which is damn easy to deploy, and not easy to screw up. DNSSEC is not it, alas.
iscoelho•7mo ago
pvg•7mo ago
nine_k•7mo ago
ClumsyPilot•7mo ago
nine_k•7mo ago
The problem is more in the fact that TLS assumes creation of a long-living connection with an ephemeral key pair, while DNS is usually a one-shot interaction.
Encrypting DNS would require caching of such key pairs for some time, and refreshing them regularly but not too often. Same for querying and verifying certificates.
TZubiri•7mo ago
mike_d•7mo ago
DNSSEC was built for exactly one use case: we have to put root/TLD authoritative servers in non-Western countries. It is simply a method for attesting that a mirror of a DNS server is serving what the zone author intended.
What people actually want and need is transport security. DNSCrypt solved this problem, but people were bamboozled by DNSSEC. Later people realized what they wanted was transport security and DoH and friends came into fashion.
iscoelho•7mo ago
There is also no reason we can't have both.
tptacek•7mo ago
iscoelho•7mo ago
tptacek•7mo ago
(Actually getting it to work reliably without downgrade attacks would be more work, but notably, that's work DNSSEC would have had to do too --- precisely the work that caused DANE-stapling to founder in tls-wg.)
cyberax•7mo ago
There's still a chicken-and-egg problem with getting a valid TLS certificate for the DNS server, and limiting DNSSEC just for that role might be a valid approach. Just forget that it exists for all other entry types.
tptacek•7mo ago
But if you have DoH chaining all the way from the recurser to the authority, it's tricky to say what stapled DANE signatures are even buying you. The first consumers of that system would be the CAs themselves.
cyberax•7mo ago
This way, it can be used to guarantee the integrity of the resolution path without first getting a certificate from a CA.
tptacek•7mo ago
cyberax•7mo ago
tptacek•7mo ago
acdha•7mo ago
https://doublepulsar.com/hijack-of-amazons-internet-domain-s...
https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/
iscoelho•7mo ago
https://blog.citp.princeton.edu/2022/03/09/attackers-exploit...
Noteworthy: "Additionally, some BGP attacks can still fool all of a CA’s vantage points. To reduce the impact of BGP attacks, we need security improvements in the routing infrastructure as well. In the short term, deployed routing technologies like the Resource Public Key Infrastructure (RPKI) could significantly limit the spread of BGP attacks and make them much less likely to be successful. ... In the long run, we need a much more secure underlying routing layer for the Internet."
tptacek•7mo ago
jcranmer•7mo ago
You start with a BGP hijack, which lets you impersonate anybody, but assume that the hijacker is only so powerful as being able to impersonate a specific DNS server and not the server that the DNS server tells you about. You then use that specific control to get a CA to forge a certificate for you (and if the CA is capable of using any information to detect that this might be a forgery, the attack breaks).
And of course, the proposed solution doesn't do anything to protect against other kinds of DNS hijacking--impersonating somebody to the nameserver and getting the account switched over to them.
iscoelho•7mo ago
You claim it is fine-tuned, but it has happened in the real world. It is actually even better for attackers that it is "obscure", because that means it is harder to detect.
> but assume that the hijacker is only so powerful as being able to impersonate a specific DNS server and not the server that the DNS server tells you about.
Yes, all layers of the stack need to be secure. I am not making assumptions about the other layers - this thread is about DNS.
> if the CA is capable of using any information to detect that this might be a forgery
They are not. The only mitigation is "multi-perspective validation", which only addresses a subset of this attack.
> And of course, the proposed solution doesn't do anything to protect against other kinds of DNS hijacking
Yes, because other kinds of DNS hijacking are solved by HTTPS TLS. If TLS and CAs are broken, nothing is secure.
dwattttt•7mo ago
Sure, but it seems like his comment is still responsive; if DNSSEC is deployed, they perform a BGP hijack & can impersonate everyone, and they just impersonate the server after the DNS step?
If that's the threat model you want to mitigate, it seems like DNSSEC won't address it.
iscoelho•7mo ago
Yes, there are different mitigations to prevent BGP hijacking the webserver itself. Preventing a rogue TLS certificate from being issued is the most important factor. CAA DNS records can help a bit with this. DNS itself however is easiest solved by DNSSEC.
There are a lot of mitigations to prevent BGP hijacks that I won't get too much into. None are 100%, but they are good enough to ensure multi-perspective validation refuses to issue a TLS certificate. The problem is that if those same mitigations are not deployed on your DNS servers (or you outsource DNS and they have not deployed these mitigations) it is a weak link.
tptacek•7mo ago
So far your response to this has been "attackers can't do this to Cloudflare". I mean, stipulated? Good note? Now, can you draw the rest of the owl?
iscoelho•7mo ago
tptacek•7mo ago
The thread is right here for everyone to read.
iscoelho•7mo ago
tptacek•7mo ago
saurik•7mo ago
cyberax•7mo ago
An attacker impersonating a DNS server still won't be able to forge the DNSSEC signatures.
tptacek•7mo ago
cyberax•7mo ago
akerl_•7mo ago
The sequence there is:
1. I hijack traffic destined for an IP address
2. Anything whose DNS resolves to that IP, regardless of whether or not they use DNSSEC, starts coming to me
In this model, I don't bother trying to hijack the IP of a DNS server: that's a pain because with multi-perspective validation, I plausibly have to hijack a bunch of different IPs in a bunch of different spots. So instead I just hijack the IP of the service I want to get a malicious cert for, and serve up responses to let me pass the ALPN ACME challenge.
cyberax•7mo ago
So DNSSEC still offers protection here.
akerl_•7mo ago
That feels like a pretty narrow gain to justify strapping all this to all my zones and eating the operational cost and risk that if I mess it up, my site stops existing for a while
cyberax•7mo ago
No. I'm saying that you can _not_ hijack a DNSSEC-enabled DNS name, even if you have a full control over the network.
The DNSSEC public keys for the domain are stored in the top-level domain zone. Which in turn is protected by a signature with the key from the root zone.
akerl_•7mo ago
In the case of attacking the ALPN ACME validation, they hijack the IP address of the site they want a TLS certificate for: example.org resolves to 1.2.3.4, I hijack traffic to 1.2.3.4, the DNS flow is unchanged, the verification traffic comes to me, and I get a certificate for example.org
The DNS server hijack works the same way: I don’t try to change what ns1.example.org resolves to. I hijack traffic to the real IP that it resolves to and serve up responses for the site I want to hijack saying “yea, these are the records you want and don’t worry, the DS bit is set to true”.
Though it’s worth remembering that both DNS and BGP attacks are basically a rounding error compared to the instances of ATO-based attacks
cyberax•7mo ago
> In the case of attacking the ALPN ACME validation, they hijack the IP address of the site they want a TLS certificate for: example.org resolves to 1.2.3.4, I hijack traffic to 1.2.3.4, the DNS flow is unchanged, the verification traffic comes to me, and I get a certificate for example.org
As I said, a CAA record in DNS will prohibit this, instructing the ACME CA to use the DNS challenge.
> I hijack traffic to the real IP that it resolves to and serve up responses for the site I want to hijack saying “yea, these are the records you want and don’t worry, the DS bit is set to true”.
And then your faked DNS replies will have a wrong signature because you don't have the private key for the DNS zone.
And DNSSEC-validating clients will detect this because the top-level domain will have a DNSKEY entry for the hijacked domain. You can't fake the replies from the top-level domain DNS because it in turn will have a DNSKEY entry in the root zone.
kbolino•7mo ago
Now, this kind of attack would likely be more visible and thus detected sooner than one targeted at a specific site, and just because there is a threat like this doesn't mean other threats should be ignored or downplayed. But it seems to me that BGP security needs to be tackled in its own right, and DNSSEC would just be a leaky band-aid for that much bigger issue.
tptacek•7mo ago
This is a problem with TLS too, of course, because of domain validation. But the WebPKI responded to that problem with Certificate Transparency, so you can detect and revoke misissued certificates. Not only does nothing like that exist for the DNS, nothing like it will exist for the DNS. How I know that is, Google and Mozilla had to stretch the bounds of antitrust law to force CAs to publish on CT logs. No such market force exists to force DNS TLD operators to do anything.
My (ahem) "advocacy" against DNSSEC is understandably annoying, but it really is the case that every corner of this system you look around, there's some new goblin. It's just bad.
iscoelho•7mo ago
throwaway313313•7mo ago
Yes ASPA is new. Reference implementations in open source routing daemons and RPKI tools are being developed and rolled out. If you want to be a pioneer you can run a bird routing daemon and secure the routes with ASPA. Only experimenters have created ASPA records at this point, however once upon a time we were in the same position with RPKI.
throw0101d•7mo ago
See also IPv6. ;)
Edit: currently at "0 points". People, it was a joke. Chill.
tptacek•7mo ago
throw0101d•7mo ago
I'm not. Neither is my home wireline PON ISP, even though they have it on their mobile network (but my previous ISP did).
Also, every time there's an IPv6 article on HN there are entire sub-threads of people saying it's never going to come along. ¯\_(ツ)_/¯
* https://news.ycombinator.com/item?id=44306792
JdeBP•7mo ago
But the clear evidence is that past promises of it arriving at those major ISPs are very hollow indeed.
It's not the same with DNSSEC in the U.K., though. Many WWW hosting services (claim to) support that right now. And if anything, rather than there being years-old ineffective petition sites clamouring for IPv6 to be turned on, it is, even in 2025, the received wisdom to look to turning DNSSEC off in order to fix problems.
* https://codepoets.co.uk/2025/its-always-dns-unbound-domain-s...
* https://www.havevirginmediaenabledipv6yet.co.uk
One has to roll one's eyes at how many times the-corporation-disables-the-thread-where-customers-repeatedly-ask-for-simple-moderen-stuff-for-10-years is the answer. It was the answer for Google Chrome not getting SRV lookup support. Although that was a mere 5 years.
JdeBP•7mo ago
api•7mo ago
A lot of protocols get unstable behind layers of NAT too, even if they're not trying to do end to end / P2P. It adds all kinds of unpredictable timeouts and other nonsense.
acdha•7mo ago
throw0101d•7mo ago
And yet every article on IPv6 has entire brigades of folks of folks going on about IPv6 is DOA, and "I've been here about it for thirty years, where is it?", and "they should have done IPv4 just with larger addresses, adoption would have been much faster and more compatible".
I'm simply pointing out the parallel argument that was made between DNSSEC and IPv6.
acdha•7mo ago
1. https://radar.cloudflare.com/dns
toast0•7mo ago
IPv6 probably could have been done better and rolled out faster, and whoever works on IPvNEXT should study what went wrong, but eventually it became better than alternative ways of dealing with a lack of IPv4 addresses, and it started getting real deployment.
everfrustrated•7mo ago
TZubiri•7mo ago
https://serverfault.com/questions/1018543/dns-not-resolving-...
Unfortunately the basic thought process is that "it is a security feature, therefore it must be enabled" it is very hard to argue against that, but it is pretty similar to "we must have the latest version of everything as that is secure" and "we should add more passwords with more requirements and expire it often". One of those security theatres that optimizes for reducing accountability, but may end up with almost no security gains and huge tradeoffs that may end up even compromising security through secondary effects (how secure is a system that is down?)