
You are currently reading a thread in /g/ - Technology

Thread replies: 40
Thread images: 4
Who DNSSEC here?
https://tools.ietf.org/html/rfc4033
http://www.dnssec.net/

Why do you use it? What do you use it for? Have you considered TLSA (DANE), SSHFP, OPENPGPKEY RRs yet? Discuss.
>>
>>53681401
DANE?
>>
>>53682078
Yes, mate.
https://tools.ietf.org/html/rfc6698
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

DANE is a means to authenticate that an entity (such as a web server) is really who the entity says he is, and not just who he says he is on paper (PKIX). The entity's presented X.509 certificate must match the TLSA RR found in the authoritative domain, which should be looked up securely using DNSSEC. Further PKIX path validation is optional, depending on your TLSA RR parameters.
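As an added illustration of the matching this post describes (example code, not the poster's nor any DANE library's own; the certificate bytes are a constructed stand-in and the helper names are hypothetical), here is the RFC 6698 selector / matching-type logic in Python, with the usage field deciding whether PKIX path validation still applies:

```python
import hashlib

# Added example, not from the thread: build and check RFC 6698 TLSA association
# data for a DER certificate (constructed stand-in cert below, not a real one).

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq_body):
    """Split the body of a DER SEQUENCE into its raw element encodings."""
    out, pos = [], 0
    while pos < len(seq_body):
        start = pos
        _, _, pos = _tlv(seq_body, pos)
        out.append(seq_body[start:pos])
    return out

def subject_public_key_info(cert_der):
    """Return the raw SubjectPublicKeyInfo element of a DER Certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, tbs_body, _ = _tlv(cert_body, 0)                 # tbsCertificate SEQUENCE
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, matching_type):
    """Selector: 0 = full cert, 1 = SPKI. Matching: 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    subject = {0: cert_der, 1: subject_public_key_info(cert_der)}[selector]
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[matching_type](subject)

def tlsa_matches(cert_der, selector, matching_type, assoc_data):
    """Does the presented certificate match the (DNSSEC-validated) TLSA record?"""
    return tlsa_data(cert_der, selector, matching_type) == assoc_data

def needs_pkix_validation(usage):
    """Usages 0 (PKIX-TA) and 1 (PKIX-EE) keep PKIX path validation; 2 and 3 do not."""
    return usage in (0, 1)

def _der(tag, body):                                    # short-form lengths only
    return bytes([tag, len(body)]) + body

# Constructed stand-in certificate: correct X.509 nesting, dummy field contents.
SPKI = _der(0x30, _der(0x30, b"\x06\x01\x00") + b"\x03\x02\x00\xAB")
TBS = _der(0x30, b"\xA0\x03\x02\x01\x02" + b"\x02\x01\x01" + _der(0x30, b"\x06\x01\x00")
           + _der(0x30, b"") * 3 + SPKI)
CERT_DER = _der(0x30, TBS + _der(0x30, b"\x06\x01\x00") + b"\x03\x01\x00")
```

The DNSSEC validation of the TLSA lookup itself is assumed to have been done by the resolver before the record reaches this check; a record fetched without validation proves nothing.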
>>
>>53682078
summer sure is coming...
>>
Shameless bump.
>>
No one. No one? Really?
>>
File: file.png (4 KB, 1303x28)
This makes me pretty happy.
>>
>>53685028
>No DANE.
Surely not *that* happy.
>>
All these fucking acronyms, ffffffffuck that
>>
>>53685057
You win some, you lose some. It's better than 99% of domains.

Also I don't know what DANE actually does.
>>
>>53685108
>You win some, you lose some. It's better than 99% of domains.
Well, DNSSEC is not that scarcely implemented, I'm sure you agree. It's just that it still eludes me that after a decade it's still not the default for every registrar to implement it.
>Also I don't know what DANE actually does.
That's all right, DANE is a more recent standard. See >>53682193 for more information about DANE.
>>
>>53681401
I would rather support DNSCurve over DNSSEC

Anyway, I have DNSSEC enabled in my local resolver but I don't have it enabled for my own domain. (Don't know if my registrar supports DNSSEC and I don't care to find out)
>>
>>53685299
I would also like to see more DNSCurve usage. Sadly it isn't an IETF standard, which I wonder why? Don't they like djb?
>>
>>53685340
>Don't they like djb?
No way, djb makes crypto that's too secure and too hard to implement wrong.
>>
>>53685299
>Don't know if my registrar supports DNSSEC and I don't care to find out
I checked it out, my TLD doesn't even have a DNSKEY entry. So much for that.
>>
>>53685095
Here's a glossary:
DANE, DNS-Based Authentication of Named Entities, https://tools.ietf.org/html/rfc6698
DNSSEC, Domain Name System Security Extensions, https://tools.ietf.org/html/rfc4033
OPENPGPKEY, OPENPGP public key resource record, https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-08
PKIX, Public Key Infrastructure X.509, https://tools.ietf.org/html/rfc5280
RR, resource record, https://tools.ietf.org/html/rfc1033
SSHFP, Secure Shell Key Fingerprints, https://tools.ietf.org/html/rfc4255
TLSA, see DANE
X.509, see PKIX
>>
>>53685488
That's cryptography done right. I don't think the IETF has anything against that. That's the NSA, FBI, GCHQ and all other government alphabet soup acronyms.
>>
>It's also an archaic 1990s cryptosystem built around 1024-bit PKCS1v15 RSA, which by default makes every DNS record in the system public, trivially dramatically amplifies DNS traffic, and does all this without actually securing DNS lookups from browsers, which still run the old insecure DNS protocol to talk to DNSSEC-enabled caches.
Remind me why I care about DNSSEC?
>>
>>53685683
>implying the IETF doesn't get pressure from the NSA, NIST, FIPS etc.
>>
>>53685687
DNSSEC supports more algorithms than 1024-bit RSA, mate. https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

Your source is dated.
>>
>>53685714
That's silly without anything to back this up. The IETF doesn't care about all the implementations that are based on the proposed standards; they just care about the standard itself.
>>
>>53685748
>The IETF doesn't care about all the implementations that are based on the proposed standards
Neither do the NIST or FIPS.

They just care about weakening the standard so that implementors are basically guaranteed to include bugs.

https://youtu.be/Cj3PN5-n108
>>
>>53685833
I've seen that one, and as much as I like djb bashing Verizon, this doesn't really have anything to do with the IETF per se, right? The IETF is basically a collection of working groups that's open to everyone. He could have his say if he cared to join and start a draft, which I'm assuming he would be interested in, but I'm sensing there's some friction between them which I can't really get my head around.
>>
>>53685987
I just linked the video to demonstrate why TLAs can and do care about standards organizations.

All I'm saying is that “independent” standards organizations are likely to be neither independent nor unbiased. If somebody powerful enough wants the IETF to care about their wishes, it will.
>>
>>53681401
Has anyone here tried this addon for Firefox?
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/

It doesn't support the ESR of Firefox so I'm wondering if it's worth it to update to use it.
>>
>>53686342
>>>53685987 (You)
>I just linked the video to demonstrate why TLAs can and do care about standards organizations.
I get that, because it seems plausible, but I don't think they'll succeed.
>If somebody powerful enough wants the IETF to care about their wishes, it will.
I highly doubt that. The IETF isn't an organization that can be 'bought' to push an agenda.
https://www.ietf.org/tao.html
>We reject kings, presidents and voting. We believe in rough consensus and running code
>>
>>53686437
I'm using it on Iceweasel, which is based on Firefox ESR. It's a nice add-on, yes. You sure you're not able to install it from their website either? https://www.dnssec-validator.cz/pages/download.html
>>
>>53686498
I'll try it from there, I tried for the Firefox addon page and it didn't work. I'm running Iceweasel also.
>>
>>53686459
Which is why ISPs and governments pressured the IETF into making HTTP/2 encryption optional
>>
>>53686586
Of course, there's nothing stopping anybody from trying. It doesn't mean they'll succeed, though. Even the Linux kernel project was approached by some TLA asking them to build in a backdoor. Sometimes they succeed though, but not for long. https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-security-experts-leave-rsa-conference-they-can-trust
>>
>>53686668
>It doesn't mean they'll succeed, though
They already succeeded, see HTTP/2 and the IETF's political agenda.
>>
>>53686668
>RSA encryption tools are an industry standard used by large tech companies and individuals alike, to protect hundreds of millions of people by encrypting our daily online interactions. We trust RSA’s encryption every time we rely on the security of our communications, including our email, financial and e-commerce transactions, medical and legal records, web searches, airplane traffic communications, text messages, and phone calls.
This is the worst fucking name for a company ever. Are they talking about the company or the algorithm, in the second sentence?
>>
File: 20160316013950_scrot_0.png (78 KB, 1583x788)
>>53681401
I do. Running Unbound.
What are OPENPGPKEY RRs and where have they been implemented?
>>
>>53681401
I would use it if my retarded domain provider supported it. When I asked them about it:
>I have no fuckin' clue what this DNSSEC is, despite working at company that handles domains exclusively.
>>
>>53687154
Whoops, I didn't see the glossary post.
>>
File: what the fuck am I looking at.jpg (29 KB, 500x333)
>>53687154
What the fuck am I looking at?
>>
>>53687253
https://www.grc.com/dns/dns.htm
>>
>>53687121
Well, then, that makes me pretty sad I guess. Do you have a reference?

>>53687143
Company. https://en.wikipedia.org/wiki/Dual_EC_DRBG

>>53687176
Please note it's still a draft though.

OP here, thanks for the discussion everybody. Much better than all the consumer threads and such, but I really need to get some sleep now.
>>
Newfag reporting in

Can someone walk me through this? I enabled Yandex's DNS servers in my hosts file (apparently it prevents phishing sites). I now want to dive deep into DNSCrypt and DNSSEC.
>>
>>53687286
>Well, then, that makes me pretty sad I guess. Do you have a reference?
It was mentioned, albeit in the form of satire, in the video I linked.

http://queue.acm.org/detail.cfm?id=2716278

tl;dr the “members” of the IETF group deciding on this were heavily influenced by ISPs and hardware manufacturers notable for including backdoors in their products