[AusNOG] Lets Encrypt

Mark Andrews marka at isc.org
Wed Nov 19 11:52:56 EST 2014


In message <20141119001623.GT5614 at hezmatt.org>, Matt Palmer writes:
> On Wed, Nov 19, 2014 at 11:01:30AM +1100, Mark Andrews wrote:
> > 
> > In message <20141118234925.GS5614 at hezmatt.org>, Matt Palmer writes:
> > > On Wed, Nov 19, 2014 at 09:34:04AM +1000, Ernie wrote:
> > > > https://letsencrypt.org/
> > > > 
> > > > My question is, will this screw up companies like Verisign/Thawte sales?
> > > 
> > > Not much, if any.  People who want cheap/free certs already, for the most
> > > part, know where to get them from.  The more "premium" brands make their
> > > money via the brand, offering insurance (as much of a crock as it is),
> > > higher-validation (OV/EV) certificates, and other signalling effects that
> > > are unrelated to the *technical* product being offered.
> > > 
> > > That being said, Let's Encrypt is a *great* initiative, and I'm 100% behind
> > > it.  Making certificate issuance easier (to the point of being entirely
> > > automated) via the ACME protocol will massively reduce the barrier to TLS
> > > deployment, which can only serve to benefit the confidentiality of traffic
> > > on the Internet.
> > 
> > Or we could just deploy DANE and not require a CA to issue CERTs.
> 
> That'll always be the dream... given how much of a shitfight it is to get
> IPv6 deployed, when there's a real Oh Shit moment coming for IPv4, I have my
> doubts that DNSSEC is ever going to really get the widespread deployment
> needed to make DANE practical.  Without it being something that servers can
> roll out, clients won't support it (for example, the Chrome people aren't
> fans, for various understandable reasons), and so it goes nowhere.

DNSSEC is widely deployed at the root/tld level.  There are 749
zones with 557 secure delegations from the root zone.  569 TLD zones
have DNSKEY records.

Chrome is one web browser.  There are plugins for DANE support for
many browsers today.  Your MTA probably has DANE support available
today.  TLSA records are supported by the major nameserver vendors.
DNSSEC is supported by the major nameserver vendors.  DNSSEC is
supported by Google on the public recursive servers.  There are
measurements showing that over 60% of all DNS results have been
validated.

That means you can most probably publish a signed TLSA record today
if you want to, and that the answer is likely to be validated at least
once on the way to the application.

The only thing really stopping DANE deployment is naysayers.

> Don't get me wrong -- I think DANE's great, and all my domains are
> DNSSEC-enabled, so I'm drinking the koolaid, but at the same time the
> realist in me says that letsencrypt.org is going to do a lot more for
> Internet security than DANE will, in the next... oooh, probably decade or
> so.
> 
> > According to http://www.auda.org.au/industry-information/au-domains/dnssec/
> > the DS records for AU should have been added to the root zone back on 28th
> > of October.
> 
> "Should" being the operative word there:
> 
>     http://dnssec-debugger.verisignlabs.com/com.au
> 
> - Matt
> 
> -- 
> You know you have a distributed system when the crash of a computer you've
> never heard of stops you from getting any work done.
> 		-- Leslie Lamport "Security Engineering: A Guide to Building
> 		   Dependable Distributed Systems"
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
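The thread talks about publishing a signed TLSA record and having clients check it. As an added illustration (not from the thread, and not ISC's or Let's Encrypt's code), the following standard-library Python builds a TLSA record from a certificate's SubjectPublicKeyInfo (the common "3 1 1" form: usage DANE-EE, selector SPKI, matching SHA-256) and then checks a presented certificate against it. It covers the RFC 6698 selector/matching-type combinations generally, not only the 3 1 1 case. The certificate it operates on is a constructed DER shell with a dummy key and dummy signature, labelled as such; the minimal DER walker is an assumption of this example, and no DNSSEC lookup is performed (a real client would fetch the record with a validating resolver and use only answers with the AD bit set).

```python
"""Generate and verify DANE TLSA records (RFC 6698) for a DER certificate.

Added example for the AusNOG thread, not code from the thread or from any
project named in it. Standard library only: a minimal DER walker pulls the
SubjectPublicKeyInfo out of a certificate. The sample certificate below is
a CONSTRUCTED stand-in with the right outer structure, not a real issued
certificate, and nothing here queries DNS.
"""
import hashlib

# --- minimal DER helpers (assumption of this example) ----------------------

def der_tlv(data, offset=0):
    """Parse one DER TLV at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length

def der_children(value):
    """Yield (tag, raw_tlv_bytes) for each element of a SEQUENCE body."""
    off = 0
    while off < len(value):
        tag, _, nxt = der_tlv(value, off)
        yield tag, value[off:nxt]
        off = nxt

def der_encode(tag, body):
    """Encode a TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(cert_body)            # first child: tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                       # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]                            # serial, alg, issuer, validity, subject, SPKI

# --- TLSA record (RFC 6698 section 2.1) ------------------------------------

def tlsa_certificate_association(cert_der, selector, matching_type):
    """Certificate Association Data: selector 0=full cert, 1=SPKI;
    matching type 0=exact bytes, 1=SHA-256, 2=SHA-512."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)

def tlsa_rr(name, port, proto, cert_der, usage=3, selector=1, matching_type=1):
    """Render a zone-file line such as '_443._tcp.www.example.com. IN TLSA 3 1 1 <hex>'."""
    assoc = tlsa_certificate_association(cert_der, selector, matching_type)
    owner = "_%d._%s.%s." % (port, proto, name.rstrip("."))
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching_type, assoc.hex())

def tlsa_matches(cert_der, usage, selector, matching_type, assoc_hex):
    """Check a presented end-entity certificate against a published TLSA record.

    Only usage 3 (DANE-EE) is handled: the record pins the server's own
    certificate or SPKI and no CA chain is consulted. Usages 0-2 also need
    PKIX or trust-anchor processing, which this example does not implement.
    """
    if usage != 3:
        raise NotImplementedError("only usage 3 (DANE-EE) is handled here")
    expected = bytes.fromhex(assoc_hex)
    return tlsa_certificate_association(cert_der, selector, matching_type) == expected

# --- constructed sample certificate (NOT a real cert; key and signature are dummies) ---

def _name(cn):
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue) with a single CN."""
    oid_cn = der_encode(0x06, bytes.fromhex("550403"))              # id-at-commonName
    atv = der_encode(0x30, oid_cn + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))

def build_sample_cert(fake_key_bytes):
    """Assemble a structurally valid X.509v3 DER shell around a fake RSA SPKI."""
    rsa_oid = der_encode(0x06, bytes.fromhex("2A864886F70D010101"))    # rsaEncryption
    sha256_rsa = der_encode(0x06, bytes.fromhex("2A864886F70D01010B")) # sha256WithRSAEncryption
    key_alg = der_encode(0x30, rsa_oid + der_encode(0x05, b""))
    sig_alg = der_encode(0x30, sha256_rsa + der_encode(0x05, b""))
    spki = der_encode(0x30, key_alg + der_encode(0x03, b"\x00" + fake_key_bytes))
    validity = der_encode(0x30, der_encode(0x17, b"141119000000Z") * 2)
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))       # [0] version v3
        + der_encode(0x02, b"\x01")                        # serialNumber
        + sig_alg + _name("Example CA") + validity + _name("www.example.com") + spki)
    cert = der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + b"\x00" * 16))
    return cert, spki

SAMPLE_CERT, SAMPLE_SPKI = build_sample_cert(b"\x01" * 64)   # constructed input

if __name__ == "__main__":
    rr = tlsa_rr("www.example.com", 443, "tcp", SAMPLE_CERT)
    print(rr)
    print("presented cert matches:", tlsa_matches(SAMPLE_CERT, 3, 1, 1, rr.split()[-1]))
```

The "3 1 1" form is the one usually recommended for a server you control: pinning the SPKI rather than the whole certificate means a renewed certificate with the same key keeps matching, so the record only has to change on key rollover. Whatever form is used, the record has no value unless the zone is signed and the resolving side actually validates, which is the deployment question the thread is arguing about.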

