[dnssec-deployment] DNSSEC and certificates.
Mike.StJohns at nominum.com
Mon Jan 24 14:55:00 EST 2005
At 05:04 PM 1/20/2005, Jakob Schlyter wrote:
>I say that putting (CA or self-signed) certificates into the DNS and
>looking them up (using DNSSEC) for X.509 path validation when setting up
>the TLS connection would give us a lot. I say it gives us better security
>than what we usually do today. I say the CA people will hate the idea and
>I understand them
Probably not. The reason not is that the chain of trust on the DNS side is
back to the IANA, and that that chain can be interrupted or subverted by
anyone between the leaf and the trust anchor. E.g. say that Bank of
America were stupid enough to get their special BOACONSTRICTOR.COM domain
from Fly-by-Night Registrar's incorporated and say that someone at FBN
twiddles with the NS and DS records for BOACONSTRICTOR.COM. Placing X509
certs in the tree would allow someone at FBN to not only steal the name,
but the system identity (e.g. the TLS cert).
To make this work the way I think you want it to work, the end system would
have to have a copy of the trust anchors for BOACONSTRICTOR.COM. Obviously
this becomes unwieldy in practice.
The TLS X509 structure has its own problems. But it's doubtful we can solve
them using DNSSEC.
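The argument above (a root-anchored chain lets anyone who controls a parent's DS/NS records substitute the child zone and everything published under it, while a per-site trust anchor avoids that but does not scale) can be made concrete with a small simulation. The code below is an added example written for this archive page, not code from the thread or from any DNSSEC implementation: zone keys are raw bytes, "RRSIGs" are HMAC-SHA256 over the record, the DS record is a SHA-256 digest of the child key, and the zone names, keys and certificate fingerprints (`boaconstrictor.com.`, `b"registrar-key"`, `sha256:registrar-cert`, a `CERT` record carrying a fingerprint) are all constructed for the demonstration.

```python
"""Toy DNSSEC chain-of-trust model (added example; constructed data throughout).

Simplifications: symmetric HMAC instead of RSA/ECDSA RRSIGs, no validity
windows, no NSEC, one key per zone. The validator walks from a trust anchor
down to the owner name, checking at each step that the zone's DNSKEY matches
the DS the parent (or the anchor) vouched for and that records verify.
"""
import hashlib
import hmac


def ds_of(key: bytes) -> str:
    """DS rdata: digest of the child's zone key, published and signed by the parent."""
    return hashlib.sha256(key).hexdigest()


def rrsig(key: bytes, owner: str, rtype: str, rdata: str) -> str:
    """Toy RRSIG: HMAC over (owner, type, rdata) under the zone key."""
    msg = f"{owner}|{rtype}|{rdata}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Zone:
    """A signed zone: its key plus (owner, rtype) -> (rdata, rrsig)."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.records = name, key, {}
        self.publish(name, "DNSKEY", key.hex())  # every zone publishes its own key

    def publish(self, owner: str, rtype: str, rdata: str) -> None:
        self.records[(owner, rtype)] = (rdata, rrsig(self.key, owner, rtype, rdata))

    def delegate(self, child: "Zone") -> None:
        self.publish(child.name, "DS", ds_of(child.key))


def verified_lookup(zones, owner, rtype, anchor_name, anchor_key):
    """Return validated rdata for owner/rtype, or None if any link fails."""
    parts = owner.rstrip(".").split(".")
    chain = ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]
    if anchor_name not in chain:
        return None
    chain = chain[chain.index(anchor_name):]
    expected_ds = ds_of(anchor_key)  # the anchor is trusted by digest, like a DS
    key = b""
    for i, name in enumerate(chain):
        zone = zones.get(name)
        rec = zone.records.get((name, "DNSKEY")) if zone else None
        if rec is None:
            return None
        key = bytes.fromhex(rec[0])
        # the key served by the zone must be the one the parent/anchor vouched for
        if ds_of(key) != expected_ds or rrsig(key, name, "DNSKEY", rec[0]) != rec[1]:
            return None
        if i + 1 < len(chain):  # fetch and verify the DS pointing at the next zone
            child = chain[i + 1]
            ds = zone.records.get((child, "DS"))
            if ds is None or rrsig(key, child, "DS", ds[0]) != ds[1]:
                return None
            expected_ds = ds[0]
    rec = zones[chain[-1]].records.get((owner, rtype))
    if rec is None or rrsig(key, owner, rtype, rec[0]) != rec[1]:
        return None
    return rec[0]


def build(registrar_compromised: bool):
    """Constructed tree: root -> com. -> boaconstrictor.com. with a CERT record."""
    root = Zone(".", b"root-key")
    com = Zone("com.", b"com-key")
    bank = Zone("boaconstrictor.com.", b"bank-key")
    bank.publish(bank.name, "CERT", "sha256:honest-bank-cert")
    if registrar_compromised:
        # Whoever writes the DS/NS for this name in com. (the registrar in the
        # thread) can point the delegation at a zone signed with their own key.
        bank = Zone("boaconstrictor.com.", b"registrar-key")
        bank.publish(bank.name, "CERT", "sha256:registrar-cert")
    com.delegate(bank)
    root.delegate(com)
    return {z.name: z for z in (root, com, bank)}


ROOT_ANCHOR = b"root-key"   # what every validator carries today
BANK_ANCHOR = b"bank-key"   # what a client would have to carry per site


def demo():
    """Validate the bank's CERT under both anchors, with and without the swap."""
    results = {}
    for compromised in (False, True):
        zones = build(compromised)
        results[("root-anchor", compromised)] = verified_lookup(
            zones, "boaconstrictor.com.", "CERT", ".", ROOT_ANCHOR)
        results[("pinned-anchor", compromised)] = verified_lookup(
            zones, "boaconstrictor.com.", "CERT", "boaconstrictor.com.", BANK_ANCHOR)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run as a script, the root-anchored validation succeeds in both scenarios, returning the registrar's certificate fingerprint in the second: the chain is cryptographically valid all the way from the root, so DNSSEC cannot tell the substituted identity from the real one. Only the validation pinned to the site's own key rejects the swapped zone, which is the trade-off the message points to.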