[Trans] DNSSEC also needs CT

Nico Williams <nico@cryptonector.com> Fri, 09 May 2014 21:31 UTC

Date: Fri, 09 May 2014 16:31:23 -0500
Message-ID: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com>
To: trans@ietf.org
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/MzKKnPN96N48DVDeNaWMB-oWWvA

DNSSEC is a PKI [of sorts; please, no need to pick nits about that].

It stands to reason that DNSSEC should have trust problems similar to
those of PKIX.  I believe it does indeed.

It follows that things like CT that we're applying to PKIX should be
applied to DNSSEC as well, where possible.

I don't see any reason why CT couldn't be extended to DNSSEC.  IMO, it
should be done.

Note that DNSSEC needs CT independently of protocols like DANE, but
any protocol that allows a DNSSEC MITM to bypass PKIX CT (as DANE
effectively does) should increase the need for CT for DNSSEC.

Note too that I'm not in any way saying that DANE and similar should
block on CT for DNSSEC.
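
As an added example that is not part of Nico Williams' post and does not describe any defined protocol, the Python sketch below models what "CT for DNSSEC" could look like: an append-only Merkle log of DNSKEY records using the RFC 6962 leaf/node hashing and audit-path rules (the same construction Certificate Transparency uses), plus a resolver policy that only trusts a key the log can prove was included under a tree head the resolver already holds. The class `DnskeyLog`, the function `resolver_accepts` and the DNSKEY records are constructed for this example; the signature a real log would put on its tree head is omitted. The point it demonstrates is the one the post makes about MITMs: a key that was never logged cannot be proven included, so it is rejected and can be reported.

```python
import hashlib
from typing import List, Optional, Tuple

# RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior
# nodes, so a leaf can never be mistaken for a node (and vice versa).
def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash of a leaf list (RFC 6962 section 2.1)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def inclusion_path(m: int, leaves: List[bytes]) -> List[bytes]:
    """Audit path for leaf m: sibling hashes from the leaf up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [tree_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [tree_hash(leaves[:k])]

def verify_inclusion(record: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(record)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:  # skip levels where we are the only node
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

class DnskeyLog:
    """Append-only log of DNSKEY records: a hypothetical model for this example."""
    def __init__(self) -> None:
        self.leaves: List[bytes] = []

    def append(self, record: bytes) -> int:
        self.leaves.append(record)
        return len(self.leaves) - 1

    def tree_head(self) -> Tuple[int, bytes]:
        # A real log would sign this (a Signed Tree Head); signature omitted.
        return len(self.leaves), tree_hash(self.leaves)

    def prove(self, record: bytes, tree_size: int) -> Optional[Tuple[int, List[bytes]]]:
        if record not in self.leaves[:tree_size]:
            return None  # never logged: no proof can exist
        idx = self.leaves.index(record)
        return idx, inclusion_path(idx, self.leaves[:tree_size])

def resolver_accepts(record: bytes, log: DnskeyLog, tree_head: Tuple[int, bytes]) -> bool:
    """Policy: trust a DNSKEY only if the log proves it under a known tree head."""
    size, root = tree_head
    proof = log.prove(record, size)
    if proof is None:
        return False
    idx, path = proof
    return verify_inclusion(record, idx, size, path, root)

# Constructed sample DNSKEY records in presentation format; key material is fake.
LOGGED_KEYS = [
    b"example.com. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-KSK-1",
    b"example.net. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-KSK-2",
    b"example.org. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-KSK-3",
    b"example.com. 3600 IN DNSKEY 256 3 13 CONSTRUCTED-ZSK-1",
    b"example.net. 3600 IN DNSKEY 256 3 13 CONSTRUCTED-ZSK-2",
]
ROGUE_KEY = b"example.com. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-MITM-KEY"

def demo() -> dict:
    log = DnskeyLog()
    for rec in LOGGED_KEYS:
        log.append(rec)
    head = log.tree_head()
    legit = resolver_accepts(LOGGED_KEYS[0], log, head)   # logged key: accepted
    rogue = resolver_accepts(ROGUE_KEY, log, head)        # unlogged key: rejected
    # Replaying a legitimate key's proof for the rogue key also fails.
    idx, path = log.prove(LOGGED_KEYS[0], head[0])
    replay = verify_inclusion(ROGUE_KEY, idx, head[0], path, head[1])
    return {"legit": legit, "rogue": rogue, "replay": replay}
```

The tree head is the piece a resolver would obtain out of band (pinned, gossiped, or fetched from the log over an authenticated channel); the DNSSEC response itself is where a MITM sits, so the proof must chain to something the attacker does not control. Monitoring is the other half of the CT model and is not shown: a zone operator watching the log for DNSKEY records naming its zone would spot a key it never published.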