Re: [Trans] DNSSEC also needs CT

Paul Wouters <> Thu, 22 May 2014 17:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 873BA1A026C for <>; Thu, 22 May 2014 10:55:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.651
X-Spam-Status: No, score=-2.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AZxwxc0EK4-6 for <>; Thu, 22 May 2014 10:54:59 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 200FC1A0289 for <>; Thu, 22 May 2014 10:54:56 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5B1FB802BF; Thu, 22 May 2014 13:54:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1400781294; bh=dm4Cl97q0zS0HhsslwZawqAybGUJnxM8suRXtlHuZDY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=LpOWQn/r0xZLYxupyNIqMGcESIIwG+Bnjgdk4kJpGwVbvm06rgHPd5qohZLPYAABT rihMjh+ZjmyER6dVCKBvMjYUusieLczb4kuvHgQNTypJgxSMaam3tImLRQyNEPcrkQ Sn4m/Pfi6X1mRVsnQVewO7ZMRx+J3Ezj7uQwzYjA=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id s4MHsrT1006830; Thu, 22 May 2014 13:54:54 -0400
X-Authentication-Warning: paul owned process doing -bs
Date: Thu, 22 May 2014 13:54:53 -0400
From: Paul Wouters <>
To: "Osterweil, Eric" <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "" <>
Subject: Re: [Trans] DNSSEC also needs CT
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 May 2014 17:55:10 -0000

On Thu, 22 May 2014, Osterweil, Eric wrote:

> Without implying an presumption of expertise on DNS, I would argue that DNSSEC avoids the problems CT seems to be trying to solve by coupling its key learning (and verification) methods to the hierarchical namespace.  As Steve said (I believe) PKIX != Web PKI, and the problems addressed by CT seem to be focused more on the latter.  I don't think there is a key learning/verification dilemma in DNSSEC that CT is appropriate for.

There are some very visible and vocal people that have rejected DNSSEC
flat out because it can be circumvented or co-erced by the higher up
parental zones. They have an inherent distrust of the US Government,
Verisign, ICANN, etc. In fact, they are often trying to replace the
DNS with some peer-to-peer type solution for this very reason. I see
CT-DNSSEC as a way to address that concern, and get those people onboard
for DNS with DNSSEC security without the need for an alternative to DNS.