[nsd-users] DANE and static key pinning
Michael A. Peters
mpeters at domblogger.net
Sun Oct 29 00:17:38 UTC 2017
Off topic for NSD but having a discussion on Twitter related to Google's
announcement that HPKP and static key pinning is being removed from Chrome.
I'm a big fan of DNSSEC and DANE and it is my *opinion* that a
self-signed cert with a TLSA record is more secure than a CA cert
without a TLSA record. I say opinion because I am not aware of any peer
I use both - CA cert and TLSA - but that's because no browser is
comfortable without a CA cert.
The point was brought up that DANE doesn't support static key pinning,
and thus is always vulnerable to a DNSSEC key being compromised in the
chain above your zone.
An idea to fix that, it would require someone who is in the academic
circles to write something up and that's not me.
Static DS records that browsers could include.
If a zone has a static DS record with the browser, then the security of
signing keys up the chain doesn't matter. Either you zone's DNSSEC
responses validate with that static DS record or it doesn't validate.
There even could be an option for EV level of validation with the
browsers so that companies who choose to validate could have their
static DS records in the browsers flagged as super duper secure or whatever.
I personally would not use static DS records for any of my zones, but I
could understand it being valuable to many companies (e.g. banks,
hospitals, etc.) that are likely targets of MITM attacks.
Whether there is merit to the concept of static DS records in browsers
or not - hopefully a DNSSEC / security on this list will determine it.
I'm no guru, just a user, so I don't feel qualified to argue points for
it, but I did think the idea was worth disclosing.
Thank you for your time.
More information about the nsd-users