
Sysadmin reminder: 11 October is the root key rollover. Brace yourself and check *today* that the DNS resolver you manage knows both keys, 19036 (the old) and 20326 (the new) icann.org/en/system/files/file
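One way to do that check, as an added example that is not part of the thread or of any resolver's own tooling: a small script that reads a trust-anchor file (zone-file style DNSKEY records, BIND `initial-key`/`static-key` lines, or the output of `dig . DNSKEY +multiline` against the resolver) and computes each KSK's key tag with the RFC 4034 Appendix B algorithm, then reports whether 19036 and 20326 are both present. The DNSKEY records embedded below are constructed with fake two-byte key material chosen only so that their tags come out as 19036 and 20326; they are not the real root keys, and the constants `OLD_ROOT_KSK`/`NEW_ROOT_KSK` simply carry the two tags named in the post.

```python
"""Report which root KSK key tags a trust-anchor file or `dig . DNSKEY` output contains.

Key tags are computed per RFC 4034 Appendix B.  The sample records at the bottom
are constructed (fake 2-byte key material) and are NOT the real root KSKs.
"""
import base64
import sys
from typing import Iterable, Iterator, Set, Tuple

# Root KSK key tags involved in the rollover discussed in the post.
OLD_ROOT_KSK = 19036
NEW_ROOT_KSK = 20326

# Tokens that introduce "<flags> <protocol> <algorithm> <base64>" in the formats
# accepted here: zone-file DNSKEY RRs and BIND's bind.keys / named.conf syntax.
_MARKERS = {"DNSKEY", "initial-key", "static-key"}


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    if algorithm == 1:
        # Historical exception for RSA/MD5: the tag is the most significant
        # 16 bits of the least significant 24 bits of the public key.
        return int.from_bytes(rdata[-3:-1], "big")
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def _records(text: str) -> Iterator[str]:
    """Yield logical records, joining multi-line '( ... )' continuations; ';' comments dropped."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_dnskeys(text: str) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (flags, protocol, algorithm, public_key) for every DNSKEY-like record."""
    for record in _records(text):
        tokens = record.replace('"', " ").replace("(", " ").replace(")", " ").split()
        marker = next((i for i, t in enumerate(tokens) if t in _MARKERS), None)
        if marker is None or len(tokens) < marker + 5:
            continue
        try:
            flags, proto, alg = (int(t) for t in tokens[marker + 1:marker + 4])
        except ValueError:
            continue  # not a DNSKEY-shaped line (e.g. a DS record or stray text)
        yield flags, proto, alg, base64.b64decode("".join(tokens[marker + 4:]))


def ksk_tags(text: str) -> Set[int]:
    """Key tags of all KSKs (SEP bit set, flags 257) found in the text."""
    tags = set()
    for flags, proto, alg, key in parse_dnskeys(text):
        if proto != 3 or not flags & 0x0001:  # SEP bit distinguishes KSK from ZSK
            continue
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
        tags.add(key_tag(rdata, alg))
    return tags


def missing_root_ksks(text: str, expected: Iterable[int] = (OLD_ROOT_KSK, NEW_ROOT_KSK)) -> Set[int]:
    """Expected root KSK tags that the text does not contain (empty set = ready)."""
    return set(expected) - ksk_tags(text)


# Constructed samples: fake 2-byte keys picked so the tags equal 19036 and 20326.
SAMPLE_BOTH_KEYS = """\
; constructed trust anchors, not the real root KSKs
. 172800 IN DNSKEY 257 3 8 RlM=        ; tag 19036
. 172800 IN DNSKEY 257 3 8 ( S10= )    ; tag 20326
. 172800 IN DNSKEY 256 3 8 AQAB        ; a ZSK, ignored by ksk_tags
"""
SAMPLE_OLD_KEY_ONLY = '. initial-key 257 3 8 "RlM=";\n'  # BIND bind.keys style


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    missing = missing_root_ksks(text)
    print("OK: both root KSKs present" if not missing else f"MISSING key tag(s): {sorted(missing)}")
    sys.exit(1 if missing else 0)
```

Run it as `python3 check_ksk.py /path/to/trust-anchors` or `dig @your-resolver . DNSKEY +multiline | python3 check_ksk.py`. Two caveats a practitioner should keep in mind: a key tag is a 16-bit checksum, not a unique identifier, so confirm the key material against the anchors IANA publishes rather than the tag alone; and a key sitting in a file is not the same as the resolver trusting it, so when RFC 5011 automated tracking is in use also check the resolver's own key-state report (for BIND, `rndc managed-keys status`).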

@Shaft This is . Everything is possible (less than two months before the event, the Board is still talking).

@bortzmeyer Okay. See you next year for the rollover then 🤔 (Yes, I choose the half-empty glass)

@bortzmeyer yeah no.

F*ck DNSSEC. It is company policy where I work never to use it/validate it.

@szbalint Bad policy. Fire the sysadmin and the IT manager.

People always talk about security but when it comes to practical solutions, nobody wants to make an effort :-(

@bortzmeyer I am the security officer and after careful evaluation, reading the standards and knowing the history, we decided it actually increases risk, not decreases it.

We're going to roll out DNS over HTTPS when it's a bit more mature.

@szbalint How does it increase the risk? (I know some people claim it is useless but "increases the risk" is new to me).

@bortzmeyer It trades confidentiality for integrity, it is a massive increase in complexity with no obvious benefit (that someone actually backed up with a threat model), were people to turn on validation it would cause disruption and downtime because it's fragile. It's also 90s crypto. See also: sockpuppet.org/blog/2015/01/15

@szbalint Availability and integrity are two different security services. So, you claim that it decreases availability, am I correct?

(I won't comment on sockpuppet.org/blog/2015/01/15 which is full of bullshit and displays a serious ignorance of , especially on the crypto side).

@bortzmeyer I was talking about confidentiality.

That post was written by Thomas Ptacek, who's been reviewing cryptography systems and standards since like 1995. There are very few people in the world more qualified than him to comment on crypto design.

@szbalint @bortzmeyer In technical matters, the argument from authority is the weakest. No one is free from making errors, not even geniuses: Einstein introduced the cosmological constant just because it felt right to him, and then retracted it when observations proved him wrong (that is still a debate now...). Also everyone has their own agenda to push. While you can trust some more than others based on various past signals, you should never trust anyone 100% and always mix viewpoints.

@pmevzek @szbalint Also, everyone has a domain (pun intended) of knowledge/competence and his/her authority in this domain does not always extend outside. Being good in crypto does not automatically mean you're good in DNS.


@szbalint @bortzmeyer What is 90s crypto? You can use elliptic keys if you so wish... The problems are implementations, as always.

@pmevzek @szbalint "90s crypto" is a purely rhetorical effect. First, it assumes that new is always better (in that case, we should use PQ, not ECC crypto), second, in this specific case, it shows Ptacek's deep ignorance of DNSSEC (which is not tied to a specific crypto algorithm).


@szbalint @bortzmeyer Like any non-trivial technology, DNSSEC has its benefits and drawbacks. The assessment of the risks it mitigates and the new risks it creates will certainly be different for different cases, certainly not the same for a personal blog with 1 visit/day and a bank giving access to personal accounts. 1/x

@szbalint @bortzmeyer However the problem with DNS over HTTPS is that we declare in that way that middleboxes have won and that the future is ossification, which is both bad and sad. We are stacking two complex protocols that are not a natural fit, and I am sure a ton of vulnerabilities will happen because of that. DNS over TLS makes at least a little more sense than over HTTPS on the technical level, even if you remove UDP from the equation, whose effects are certainly not all known yet 2/x


@szbalint @bortzmeyer More than the technical problems we are also about to create DNS segregationism: it will be (it already is) led by website hosters (and hence by web browsers, the latest move in that regard by Mozilla is a very bad signal) because with HTTP/2 you will be able to mix HTTP and DNS traffic in a single HTTP session, which opens the door to all kinds of "niceties" like pushing DNS records to you even before asking. 3/x


@szbalint @bortzmeyer We will see more and more islands of DNS services only targeting the users of the associated hosting services, which will create nightmares of debugging. Also DNS over HTTPS (or even TLS) for now resolves only the problem of access to the resolver, it has no impact on how to reach the authoritative nameservers. 4/x

@szbalint @bortzmeyer Some people seem to dislike DNSSEC also because it mandates you to have a trust anchor, that finally depends on ICANN. Some people have been burnt by the PKIX state in the web world and hence reject centralized trust, and some (the same or others) also dislike ICANN as an organization. However DNS over TLS/HTTPS still needs certificates (in general) and hence trust in something. You have DANE of course to bypass and secure that, but how do you secure DANE without DNSSEC? 5/5

Mastodon - Gougère Network