With DNSSEC you can be certain that the response you got was issued by the nameserver that is claimed (well, by someone who owns the private key). The domain owner and registrar can both be at fault; the CA is the last entity to blame because they are performing an automated check of domain ownership. For maximum security you'd want to buy your own TLD, as my YT video talks about, to circumvent any other registries, registry wholesalers, and registrars' security models, but an adequate protection for most is to use registry/registrar lock and implement DNSSEC correctly. IP hijack will then not work when all of the above is done correctly. Another option is manual certificate issuance with a CA whose security model is better than yours, but not implementing DNSSEC leaves you open to other attacks.
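The comment above recommends two controls, registry/registrar lock and a correctly signed delegation. The following is an added example (not from the thread or any commenter) that checks both from an RDAP domain object: the `status` array carries the EPP lock states, and `secureDNS.delegationSigned` plus `secureDNS.dsData` say whether the parent publishes DS records for the zone. The field names follow RFC 9083; the two domain records are constructed for the example, not real lookups, and the weak-algorithm lists are taken from RFC 8624.

```python
"""
Added example: assess registrar lock, registry lock and DNSSEC delegation
state from an RDAP domain object (RFC 9083 field names). Both sample
records below are constructed; nothing here performs a network lookup.
"""
import re

# EPP statuses a registrar sets on its own (registrar lock) ...
REGISTRAR_LOCK = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}
# ... and the ones only the registry itself can set or clear (registry lock).
REGISTRY_LOCK = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}
# DNSKEY algorithm numbers RFC 8624 marks MUST NOT / NOT RECOMMENDED for signing
# (RSAMD5, DSA, RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1) and the DS digest
# types it forbids in delegations (SHA-1, GOST R 34.11-94).
WEAK_DNSKEY_ALGORITHMS = {1, 3, 5, 6, 7}
WEAK_DS_DIGEST_TYPES = {1, 3}

# Constructed record: both locks present, delegation signed with ECDSA P-256.
LOCKED_SIGNED = {
    "objectClassName": "domain",
    "ldhName": "locked-example.test",
    "status": [
        "client transfer prohibited", "client update prohibited",
        "client delete prohibited", "server transfer prohibited",
        "server update prohibited", "server delete prohibited",
    ],
    "secureDNS": {
        "delegationSigned": True,
        "dsData": [{"keyTag": 2371, "algorithm": 13, "digestType": 2,
                    "digest": "ab" * 32}],  # placeholder digest, constructed
    },
}

# Constructed record: whois-style status tokens, registrar lock only, unsigned.
REGISTRAR_ONLY_UNSIGNED = {
    "objectClassName": "domain",
    "ldhName": "unlocked-example.test",
    "status": [
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
        "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    ],
    "secureDNS": {"delegationSigned": False, "dsData": []},
}


def normalize_status(value):
    """Map an EPP/whois token such as 'clientTransferProhibited' (whois appends
    the icann.org URL) onto the RDAP spelling 'client transfer prohibited'.
    Values already in RDAP form pass through lower-cased."""
    first = value.strip().split()[0]
    if any(c.isupper() for c in first):
        return re.sub(r"(?<!^)(?=[A-Z])", " ", first).lower()
    return value.strip().lower()


def assess(rdap):
    """Return lock and DNSSEC state plus a list of findings for one domain."""
    statuses = {normalize_status(s) for s in rdap.get("status", [])}
    secure = rdap.get("secureDNS") or {}
    ds_records = secure.get("dsData") or []
    findings = []

    missing_registrar = sorted(REGISTRAR_LOCK - statuses)
    missing_registry = sorted(REGISTRY_LOCK - statuses)
    if missing_registrar:
        findings.append("registrar lock incomplete, missing: " + ", ".join(missing_registrar))
    if missing_registry:
        findings.append("registry lock incomplete, missing: " + ", ".join(missing_registry))

    # A signed delegation needs DS records in the parent, not just a flag.
    if secure.get("delegationSigned") and not ds_records:
        findings.append("delegationSigned is set but no DS records are published")
    delegation_signed = bool(secure.get("delegationSigned")) and bool(ds_records)
    if not delegation_signed:
        findings.append("delegation is not signed; DNSSEC gives this zone no protection")

    for ds in ds_records:
        tag = ds.get("keyTag")
        if ds.get("algorithm") in WEAK_DNSKEY_ALGORITHMS:
            findings.append(f"DS keyTag {tag}: DNSKEY algorithm {ds['algorithm']} "
                            "is deprecated for signing by RFC 8624")
        if ds.get("digestType") in WEAK_DS_DIGEST_TYPES:
            findings.append(f"DS keyTag {tag}: digest type {ds['digestType']} "
                            "is forbidden for delegations by RFC 8624")

    return {
        "registrar_lock": not missing_registrar,
        "registry_lock": not missing_registry,
        "dnssec": delegation_signed,
        "findings": findings,
    }


if __name__ == "__main__":
    for record in (LOCKED_SIGNED, REGISTRAR_ONLY_UNSIGNED):
        print(record["ldhName"], assess(record))
```

Only the `server *` statuses count as registry lock; the `client *` ones can be cleared by anyone who compromises the registrar account, which is exactly the failure mode the comment puts ahead of the CA. Feeding this a real RDAP response means fetching it from the registry's RDAP base URL first, which the example deliberately does not do.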
tptacek|1 year ago
Generally speaking, setting up DNSSEC is probably a bad move for most sites.
ta1243|1 year ago