On Tue 12/Mar/2024 17:24:08 +0100 David Conrad wrote:
On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <ves...@tana.it> wrote:
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead
won the hype.
I figure enabling DNSSEC validation everywhere and signing what makes sense
after doing a cost/benefit trade off would be the rational way to go. As
signing technologies get more mature, the cost goes down and even the marginal
benefit of signing everything would be justified.
Right, and I'd guess the number of operators involved in switching to DNSSEC is
less than that for HTTPS.
Being sure to connect to the IP designated by the
domain is essential, while encrypting every page of sites like, say,
wikipedia is just wasting cycles.
As Randy points out, TLS also gives you authentication (as long as you trust
the myriad CAs) and with more granularity than the IP address.
Right, and let's note that the chain of trust is hierarchical for DNSSEC, which
makes for a clear cut PKI. HTTPS certificate are based on browser/ system/
distro/ user policy choices, a rather hazy infrastructure.
On wasting cycles, if you only encrypt the sensitive stuff, you give away the
fact that you’re communicating sensitive stuff when you encrypt.
However, I suspect this isn’t particularly in the charter of this mailing list…
Well, the OP topic is DNSSEC and _Resource_ Public Key Infrastructure (RPKI),
which is similar in principle to the domain based hierarchy of DNSSEC.
Best
Ale
--
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
