[nsd-users] DANE and static key pinning

Michael A. Peters mpeters at domblogger.net
Sun Oct 29 00:17:38 UTC 2017

Off topic for NSD but having a discussion on Twitter related to Google's 
announcement that HPKP and static key pinning is being removed from Chrome.

I'm a big fan of DNSSEC and DANE and it is my *opinion* that a 
self-signed cert with a TLSA record is more secure than a CA cert 
without a TLSA record. I say opinion because I am not aware of any peer 
reviewed research.

I use both - CA cert and TLSA - but that's because no browser is 
comfortable without a CA cert.

The point was brought up that DANE doesn't support static key pinning, 
and thus is always vulnerable to a DNSSEC key being compromised in the 
chain above your zone.

An idea to fix that, it would require someone who is in the academic 
circles to write something up and that's not me.

Static DS records that browsers could include.

If a zone has a static DS record with the browser, then the security of 
signing keys up the chain doesn't matter. Either you zone's DNSSEC 
responses validate with that static DS record or it doesn't validate.

There even could be an option for EV level of validation with the 
browsers so that companies who choose to validate could have their 
static DS records in the browsers flagged as super duper secure or whatever.

I personally would not use static DS records for any of my zones, but I 
could understand it being valuable to many companies (e.g. banks, 
hospitals, etc.) that are likely targets of MITM attacks.

Whether there is merit to the concept of static DS records in browsers 
or not - hopefully a DNSSEC / security on this list will determine it. 
I'm no guru, just a user, so I don't feel qualified to argue points for 
it, but I did think the idea was worth disclosing.

Thank you for your time.

More information about the nsd-users mailing list