How Come Most Websites Do Not Support DNSSEC?

I appreciate how Let's Encrypt made the Internet much safer!

I just have one question. In RFC 8555, Let's Encrypt recommends (though does not require) protecting a site under DNSSEC and allowing a Certificate Authority to validate RRSIG records prior to issuing a certificate.

If RFC 9364 declares it best practice, how come most websites do not protect themselves under it? Even letsencrypt.org does not protect its own site under DNSSEC. How come Let's Encrypt does not work on an ACME-like protocol for the automated deployment and maintenance of DNSSEC? What hurdles do organizations face in deploying it that discourage them from deploying it?

I thank anyone for any responses sent back to me!

1 Like

Let’s Encrypt doesn’t need to be involved in DNSSEC; it already can be automated.

Against DNSSEC — Quarrelsome is a little bit old but covers many of the most common arguments about why we don’t need DNSSEC.

3 Likes

Hello, mcpherrinm! I will take a look at the article and let you know my thoughts on it.

Hey mcpherrinm. Thanks for the article. I took a look.

I found a great article explaining the benefits of DNSSEC by Technitium. It does attempt to refute the claims in the "Against DNSSEC" article. What would be your thoughts on that:

1 Like

That seems like a reasonable counterpoint, especially the point about SMTP being a bad protocol and DANE might help fix it :)

I don't think DANE has a reasonable path to replacing the WebPKI in the next decade. It might help SMTP.

DNSSEC does help other things, like providing better authenticity for domain validation for CAs like Let's Encrypt, which is why we require valid DNSSEC for all our DNS lookups. It isn't an easy technology to deploy, though, and that's evidenced by its low adoption.

3 Likes

Hello mcpherrinm!

Thanks for responding! It's great that Let's Encrypt requires valid DNSSEC for all our DNS lookups. I have been worried that most sites do not protect their sites under DNSSEC even though DNSSEC debuted quite some time ago.

Since Let's Encrypt has experience with DNSSEC what would you say are the most common difficulties Let's Encrypt has seen people face in deploying it?

1 Like

Most people don't protect their sites with DNSSEC because they get very little value from it.

3 Likes

To be clear, Let's Encrypt will refuse to accept invalid DNSSEC signatures on domains, but it doesn't require users to use DNSSEC. They can also just not use it at all.

I think it's the lack of integration with the various ways that people edit and update their DNS zones. They often do this with a web panel, or occasionally with a text editor, but the DNS signatures are often not generated automatically. We've seen people here who were frustrated when they made changes at some point that then invalidated their DNS zones and caused them to be rejected.

The best case for DNSSEC usability would be if signatures were automatically generated whenever people made any DNS updates of any kind, using whatever tools they use to make those updates.

This is a little harder to do when domain owners are managing their own DNSSEC keys (instead of having a hosting company or DNS registrar do this for them). Making this more convenient and reliable probably would also entail outsourcing it to the DNS host or DNS registrar.

Another way of saying this is that there isn't very much incentive because, for example, browsers don't show connections that involved a DNSSEC validation as more secure than connections that don't. That contrasts with HTTPS versus HTTP, where browsers do show HTTPS as more secure.

You can argue that the connection is actually more secure, regardless of whether people's browsers tell them it is. That can be true, but we don't see many people who are motivated to make an effort to combat active attacks against connections to their sites. For example, someone who cared about these attacks would probably want to monitor Certificate Transparency logs (to detect maliciously issued certificates that were created using DNS spoofing). Some site operators do monitor these, but most don't, at least when they don't have a specific reason to suspect an attack.

3 Likes

Hello schoen and mcpherrinm!

Thanks for the detailed responses from both of you! Really appreciate it.

It is strange that browser developers have decided not to support it, although the IETF considers it best practice.

schoen, you also made a good point that domain registrars expect domain owners to manage their own keys and signatures manually. It seems automating DNSSEC is the key to helping it become more adopted. I read a book on DNSSEC named DNSSEC Mastery by Michael W. Lucas. This book admitted the standardization of CDS and CDNSKEY records was important because they allowed nameservers to communicate with the Domain Registrar without having to rely on the Registrar's API. Lucas admits it is ideal that key rollovers are automated using such records, yet for some reason domain registries have not picked up on the practice; Lucas admits only a handful of registries support the CDS and CDNSKEY records. I can only wonder why most domain registries did not allow the usage of the CDS and CDNSKEY records.

1 Like
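The two failure modes discussed in this thread (schoen's point about zone edits that silently invalidate the chain of trust, and the CDS/CDNSKEY records that are supposed to let a parent pick up a new key automatically) both come down to one check: does the DS-format data published by the parent, or offered in a CDS record, actually match the DNSKEY in the child zone? The following is an added example, not code from this thread or from Let's Encrypt; it builds a DS/CDS record from a DNSKEY the way RFC 4034 defines it (key tag over the RDATA, digest over owner name plus RDATA) and then verifies a CDS record against the key it claims to describe. The DNSKEY is constructed test data, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY for example.com: flags 257 (KSK/SEP), algorithm 13
# (ECDSA P-256). The 64 "public key" bytes are a counting pattern, not a real key.
SAMPLE_DNSKEY = {
    "owner": "example.com.",
    "flags": 257,
    "protocol": 3,
    "algorithm": 13,
    "public_key": bytes(range(1, 65)),
}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(key: dict, digest_type: int = 2) -> dict:
    """Derive the DS (or CDS) RDATA that the parent zone must publish for this DNSKEY."""
    hashes = {2: hashlib.sha256, 4: hashlib.sha384}   # RFC 4509 / RFC 6605 digest types
    if digest_type not in hashes:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["public_key"])
    digest = hashes[digest_type](name_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}

def cds_matches_dnskey(cds: dict, key: dict) -> bool:
    """Parent-side consistency check: accept a CDS only if it matches the live DNSKEY."""
    try:
        expected = ds_from_dnskey(key, cds["digest_type"])
    except ValueError:
        return False   # unknown digest type: refuse rather than guess
    return (expected["key_tag"] == cds["key_tag"]
            and expected["algorithm"] == cds["algorithm"]
            and expected["digest"] == cds["digest"].upper())
```

Swapping the DNSKEY (a key rollover done by hand) without republishing a matching CDS/DS is exactly the case where the check fails and resolvers start rejecting the zone.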

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.