[nsd-users] DANE and static key pinning

Paul Wouters paul at nohats.ca
Tue Oct 31 20:33:29 UTC 2017

On Sat, 28 Oct 2017, Michael A. Peters wrote:

> The point was brought up that DANE doesn't support static key pinning, and 
> thus is always vulnerable to a DNSSEC key being compromised in the chain 
> above your zone.

It does support that. If you run a local DNS resolver, and put a DS
record as trusted key in your local configuration, then any changes
upstream from that will be ignored.

So if you publish a TLSA record, which is signed by ZSK which is signed
by KSK that you defined in your local DNS server, then if the parent
key takes over the domain, and changes the key because they don't have
the private key of this zone, then your local DS record trust anchor
will mismatch the received DNSKEY and it won't be trusted and the data
becomes BOGUS and not given to the application.

And you know what the bonus is here? Everyone can have their own set
of static pins and don't have to trust google or mozilla or apple for
the set of static pins.

And, this even works with DNSSEC stapling as defined in

Even a compromised webserver won't override your pin, although it
does assume the browser can load your trust anchors from your disk,
or gives the dnssec chain to the local DNS server and then requeries
for the TLSA record instead of doing validation inline, but it kind
of has to do that anyway to support enterprise (split-DNS view) DNSSEC
chains in TLS.
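The mechanism described above, a locally configured DS trust anchor that must match the received DNSKEY, as an added Python example (not code from this post or from NSD). The DNSKEY material is constructed, not a real key; only DS digest type 2 (SHA-256) and the RFC 4034 key tag are implemented.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsKey:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key field of the DNSKEY RDATA

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags | protocol (always 3) | algorithm | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire form, as hashed into a DS record."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_from_dnskey(owner: str, key: DnsKey) -> tuple[int, int, int, str]:
    """DS record fields (key tag, algorithm, digest type 2 = SHA-256, hex digest) for a DNSKEY."""
    digest = hashlib.sha256(canonical_wire_name(owner) + key.rdata()).hexdigest()
    return (key_tag(key.rdata()), key.algorithm, 2, digest)

def dnskey_matches_pin(owner: str, received: DnsKey, pinned_ds: tuple) -> bool:
    """True only if the DNSKEY received from the network hashes to the local DS trust anchor."""
    tag, alg, dtype, digest = ds_from_dnskey(owner, received)
    return (tag, alg, dtype) == pinned_ds[:3] and hmac.compare_digest(digest, pinned_ds[3])

# Constructed sample: 64 deterministic bytes the size of a P-256 public key, not a real key.
OWNER = "example.com."
OUR_KSK = DnsKey(flags=257, algorithm=13, public_key=bytes(range(64)))
PINNED_DS = ds_from_dnskey(OWNER, OUR_KSK)  # this is what goes into the local resolver config
# A DNSKEY substituted upstream (constructed): same owner name, different key material.
SUBSTITUTED_KSK = DnsKey(flags=257, algorithm=13, public_key=bytes(64))

if __name__ == "__main__":
    print("own key accepted:", dnskey_matches_pin(OWNER, OUR_KSK, PINNED_DS))
    print("substituted key accepted:", dnskey_matches_pin(OWNER, SUBSTITUTED_KSK, PINNED_DS))
```

A resolver holding PINNED_DS treats the substituted key as BOGUS exactly as the post describes, whatever the parent zone now publishes.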
