
Laurie: Improving SSL certificate security


Posted Apr 2, 2011 14:47 UTC (Sat) by Lennie (subscriber, #49641)
In reply to: Laurie: Improving SSL certificate security by kleptog
Parent article: Laurie: Improving SSL certificate security

Also, for DNSSEC to be a success we need to get a number of things right before it will happen:

- validation at the provider level is not enough if you want to use it for SSL/TLS, so you need validation on the client where the browser runs, maybe inside the browser.

- the clock of that client needs to be in sync. SSL-certs are valid for months or some years. But DNS-records are only valid for days or hours, maybe months. Sometimes seconds.

- In Germany they did a test with DSL-/cable-/SOHO-routers and most of them block DNSSEC or don't allow the fallback to work, so they all need to be fixed or replaced or at least worked around (actually it was large DNS responses, not DNSSEC specifically; with IPv6 large DNS responses are also more likely). Many don't allow TCP as a fallback, for example.

- Almost no one has DNSSEC deployed right now, about 20% of the top-level-domains have now been signed with DNSSEC. The day before yesterday .com got signed. But not all of them allow customers to get DNSSEC-signed domains and most domain registrars don't have their processes/software in place to register/deploy DNSSEC-signed domains yet.

- The hosting providers need to support it, but they are really hard to find right now.

- The experts need to make up their mind and define a protocol and implement it. I've already seen 5 proposals and an old RFC, and still they created this DANE proposal. At least they have the IETF involved this time, so maybe they are serious.

- Operating system providers need to implement it (resolver library should do/allow queries with the right bits set).

- The browsers need to implement support for it.

I'm all for it to be deployed, but I think it will take a few years.



Laurie: Improving SSL certificate security

Posted Apr 2, 2011 23:16 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

>the clock of that client needs to be in sync. SSL-certs are valid for months or some years. But DNS-records are only valid for days or hours, maybe months. Sometimes seconds.

This is not true. DNSSEC does not rely on TTL of cache entries.

>- Almost no one has DNSSEC deployed right now, about 20% of the top-level-domains have now been signed with DNSSEC. The day before yesterday .com got signed. But not all of them allow customers to get DNSSEC-signed domains and most domain registrars don't have their processes/software in place to register/deploy DNSSEC-signed domains yet.
This is kinda true. A lot of registrars have ability to add DS records along with regular DNS glue if you want to host domains on your own server, but (almost?) nobody has a good web UI.

Laurie: Improving SSL certificate security

Posted Apr 3, 2011 1:44 UTC (Sun) by Lennie (subscriber, #49641) [Link] (2 responses)

> DNSSEC does not rely on TTL of cache entries

DNSSEC is actually pretty complicated

I thought it was:
if the data expired, you should send a new request to an authoritative server
if the DNSSEC signature expired, you should send a new request to an authoritative server.

As the request requests them both at the same time and if available you get both as a response... I would expect:

whichever expires first determines the TTL of both

Laurie: Improving SSL certificate security

Posted Apr 3, 2011 12:10 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 response)

DNSSEC signatures can't 'expire', they just authenticate answers without any additional functionality.

Signatures can become invalid if public keys disappear from relevant DNS servers. But this has nothing to do with TTL and caches.

Laurie: Improving SSL certificate security

Posted Apr 21, 2011 12:19 UTC (Thu) by robbe (guest, #16131) [Link]

> DNSSEC signatures can't 'expire',

They do. Search RFC4034 for "signature expiration".

But Lennie's expire-within-seconds is hyperbole. Normal expiry is in hours or days. If your clock is off a few hours, you have my sympathy. Just fix it already.
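The expiry-versus-TTL question in this sub-thread, as an added example that is not from any commenter: parse an RRSIG in RFC 4034 presentation format, apply the validity-window check, and cap the cache lifetime the way RFC 4035 section 5.3.3 requires. The record is constructed for illustration and its signature field is a placeholder that is never verified.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample RRSIG in RFC 4034 presentation format. The last field
# (the base64 signature) is a placeholder; this code never verifies it.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 8 2 3600 "
                "20110421120000 20110407120000 12345 example.com. c2lnLXBsYWNlaG9sZGVy")

def parse_sig_time(field: str) -> datetime:
    """RRSIG inception/expiration: YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

@dataclass
class Rrsig:
    owner: str
    ttl: int            # cache TTL of the RRSIG RR itself
    type_covered: str
    original_ttl: int   # TTL of the covered RRset when it was signed
    expiration: datetime
    inception: datetime

def parse_rrsig(line: str) -> Rrsig:
    f = line.split()
    if f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an IN RRSIG record")
    return Rrsig(owner=f[0], ttl=int(f[1]), type_covered=f[4],
                 original_ttl=int(f[7]),
                 expiration=parse_sig_time(f[8]), inception=parse_sig_time(f[9]))

def signature_status(sig: Rrsig, now: datetime) -> str:
    """Validity window check (RFC 4035 section 5.3.1): inception <= now <= expiration."""
    if now < sig.inception:
        return "not yet valid"   # typical symptom of a client clock running slow
    if now > sig.expiration:
        return "expired"         # or of a client clock running fast
    return "valid"

def effective_ttl(sig: Rrsig, now: datetime) -> int:
    """Cache lifetime a validating resolver may use: the smaller of the record
    TTLs and the remaining signature validity (RFC 4035 section 5.3.3).
    Outside the window the answer is bogus and is not cached as valid."""
    if signature_status(sig, now) != "valid":
        return 0
    remaining = int((sig.expiration - now).total_seconds())
    return min(sig.ttl, sig.original_ttl, remaining)
```

With a clock a few hours slow relative to the inception time the answer validates as "not yet valid" and gets no cache lifetime at all, which is the failure mode robbe describes.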

Laurie: Improving SSL certificate security

Posted Apr 21, 2011 12:30 UTC (Thu) by robbe (guest, #16131) [Link]

> - Almost no one has DNSSEC deployed right now, [...]

If you want a secured domain now, you can get it -- e.g. a .com from godaddy (there are certainly other possibilities). If DANE generates more demand, I am sure the laggards will catch up. This is not IPv6 where everybody waits on everybody else.

> - The hosting providers need to support it, [...]

You can move just DNS hosting to another provider.

> - Operating system providers need to implement it (resolver library should do/allow queries with the right bits set).

I think the browsers will get there first.

> - The browsers need to implement support for it.

I've seen Chrome and Firefox people on the DANE lists. A kludgy patch for NSS (firefox) exists.

> I'm all for it to be deployed, but I think it will take a few years.

My bet is that in less than two years we will have some browser doing SSL with additional cert-checking done via DNSSEC.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds