nanog mailing list archives

Re: DANE and DNSSEC, was Microsoft deems all DigiNotar


From: "John Levine" <johnl () iecc com>
Date: 12 Sep 2011 14:46:03 -0000

In article <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA () mail gmail com> you write:
> Except that this just shifts the burden of trust on to DNSSEC, which also
> necessitates a central authority of 'trust'.  Unless there's an explicitly
> more secure way of storing DNSSEC private keys, this just moves the bullseye
> from CAs to DNSSEC signers.

It does, but it also limits the damage.  If you lose your DNSSEC key,
bad guys can forge names below you in the DNS tree.  If you lose your
CA key, bad guys can forge any name they want.

Or to look at it another way, if I put effort into securing my own
DNS, and I am careful about the providers above me in the tree, I can
limit the chance of DNSSEC compromise.  With SSL, it doesn't matter
what I do, I'm always at the mercy of the next Diginotar.

R's,
John
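As an added illustration of the blast-radius point above (example code written for this archive page, not from the thread; the names are constructed and, for simplicity, every label is treated as a zone cut), this models which names a stolen key can vouch for under each trust model:

```python
"""Blast radius of a compromised signing key: DNSSEC zone key vs. CA key.

A DNSSEC validator only accepts a signature for names at or below the
zone whose key signed it; a CA key in the browser trust store is accepted
for any name.  The functions below make that difference concrete.
"""

# Constructed sample names (not real hosts).
NAMES = ["www.example.com", "mail.example.com", "notexample.com",
         "example.org", "example.com"]


def labels(name: str) -> list[str]:
    """Owner name -> lower-case labels, root first: 'www.example.com.' -> ['com', 'example', 'www']."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def in_zone(name: str, zone: str) -> bool:
    """True if name is zone or a descendant of it.

    Comparison is label-wise, so 'notexample.com' is NOT under 'example.com'.
    The root zone '.' has no labels and therefore contains everything.
    """
    n, z = labels(name), labels(zone)
    return n[:len(z)] == z


def trust_path(name: str) -> list[str]:
    """Zones whose keys must all be intact for name to validate (root down).

    Simplification: every label is assumed to be a zone cut, so this is the
    'providers above me in the tree' the message refers to.
    """
    ls = labels(name)
    return ["."] + [".".join(reversed(ls[:i])) + "." for i in range(1, len(ls) + 1)]


def forgeable_with_dnssec_key(compromised_zone: str, names) -> set[str]:
    """Names an attacker holding one zone's DNSSEC key can forge: only that subtree."""
    return {n for n in names if in_zone(n, compromised_zone)}


def forgeable_with_ca_key(names) -> set[str]:
    """Names an attacker holding a trusted CA key can forge: all of them."""
    return set(names)


if __name__ == "__main__":
    print("DNSSEC key of example.com:", sorted(forgeable_with_dnssec_key("example.com", NAMES)))
    print("DNSSEC key of com:        ", sorted(forgeable_with_dnssec_key("com", NAMES)))
    print("Any trusted CA key:       ", sorted(forgeable_with_ca_key(NAMES)))
```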
