Why no DNSSEC? (still)


#1

I’ve read the previous discussions…
But they did not seem to come to any final conclusion or reasoning.
So, is there a reason why LetsEncrypt.org is not using DNSSEC?

No DNS CAA either…


#2

OMG, they’re using a self-signed certificate too! :wink:


#3

I thought this question was odd the first time I read it.
What has LetsEncrypt got to do with DNSSEC?

DNSSEC is a function of the DNS service.
First you create your DNSSEC keys, then you add them to the subdomain's zone file as TXT records.
Then of course you add the public DNSSEC keys to the registry via your registrar.

This has nothing to do with LetsEncrypt unless you know something about DNSSEC that I don’t.


#4

@ITI, I think @rg305 wishes that Let’s Encrypt would sign its own domain letsencrypt.org with DNSSEC, not that Let’s Encrypt would somehow offer DNSSEC services to other people.


#5

The key word being “using” - not providing.


#6

Well that makes a lot more sense.
Thanks guys.

So why aren’t they!


#7

If you do a quick whois, you’ll see the domain is registered through enom.

If you look up dnssec+enom, enom doesn’t support DNSSEC administering by automated means. It must be manually handled via support tickets.

For a lot of companies and people, that is a dealbreaker. If you need to adjust DNS infrastructure to deal with an outage, migration or other concern, you become blocked by a bottleneck in not being able to fully administer the DNS records yourself and have guaranteed downtime.

The ISRG staff may have other reasons, but that is the most common one I know of. Migrating registrars and DNS systems is also often a pain in a corporate setting for many reasons.


#8

Even if they did sign letsencrypt.org, most of the services reference unsigned external domains. It would have limited impact.

letsencrypt.org.                            (unsigned)  3600   MX     1 aspmx.l.google.com.
letsencrypt.org.                            (unsigned)  3600   MX     5 alt1.aspmx.l.google.com.
letsencrypt.org.                            (unsigned)  3600   MX     5 alt2.aspmx.l.google.com.
letsencrypt.org.                            (unsigned)  3600   MX     10 aspmx2.googlemail.com.
letsencrypt.org.                            (unsigned)  3600   MX     10 aspmx3.googlemail.com.

acme-v02.api.letsencrypt.org.               (unsigned)  7200   CNAME  api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net.         (unsigned)  18211  CNAME  e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net.                 (unsigned)  20     A      104.92.3.37
e14990.dscx.akamaiedge.net.                 (unsigned)  20     AAAA   2600:1402:a:184::3a8e
e14990.dscx.akamaiedge.net.                 (unsigned)  20     AAAA   2600:1402:a:186::3a8e

community.letsencrypt.org.                  (unsigned)  7200   CNAME  hosted-vh2.discourse.org.
hosted-vh2.discourse.org.                   (unsigned)  120    A      64.71.168.201
hosted-vh2.discourse.org.                   (unsigned)  120    AAAA   2001:470:1:3a8::201

ocsp.int-x3.letsencrypt.org.                (unsigned)  332    CNAME  ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net.  (unsigned)  3332   CNAME  a771.dscq.akamai.net.
a771.dscq.akamai.net.                       (unsigned)  20     A      23.219.162.168
a771.dscq.akamai.net.                       (unsigned)  20     A      23.219.162.170
a771.dscq.akamai.net.                       (unsigned)  20     AAAA   2600:1402:a::b81a:8e33
a771.dscq.akamai.net.                       (unsigned)  20     AAAA   2600:1402:a::b81a:8e58


#9

That amounts to “Well, since no one else is doing it… Why should I? What difference would it make?”
We should all be the first one that does; and set the example for the rest to follow.


#10

That’s not quite what @mnordhoff was saying.

If http://letsencrypt.org redirected to https://letsencrypt.org but then to http://www.letsencrypt.org that wouldn’t be very useful, would it?

Providing a CNAME from a signed zone to an unsigned zone is the DNSSEC equivalent of redirecting HTTPS to HTTP. It doesn’t buy you a whole lot of security.
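To make the "signed zone pointing into an unsigned zone" point concrete, here is an added example (not code from the thread or from Let's Encrypt) that walks a CNAME chain given in the same listing format as the output posted above and reports the first hop where validation stops. The acme-v02 chain is copied from that listing as sample input; the "hypothetical" variant, in which only the letsencrypt.org name is marked signed, and the fully signed www.example chain are constructed for contrast. The signed/unsigned marker is taken at face value as the validation status of each owner name, as the listing presents it.

```python
"""Walk CNAME chains from a DNSSEC-status listing and report where protection stops.

Input format mirrors the listing in the post above: one RRset member per line,
'<owner> (<signed|unsigned>) <ttl> <type> <rdata>'. The marker is taken as the
validation status of that owner name, as the listing reports it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    signed: bool
    ttl: int
    rtype: str
    rdata: str


def parse_records(text):
    """Parse the listing format; rdata may contain spaces (e.g. MX priority + host)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, status, ttl, rtype, rdata = line.split(None, 4)
        records.append(Record(name, status == "(signed)", int(ttl), rtype, rdata))
    return records


def walk_chain(records, name, max_hops=10):
    """Follow CNAMEs from `name`. Returns a list of hops (owner, rtype, signed);
    the terminal hop carries the non-CNAME types found there, or None if no data."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    hops, seen, current = [], set(), name
    while current not in seen and len(hops) < max_hops:
        seen.add(current)
        rrs = by_name.get(current)
        if not rrs:
            hops.append((current, None, False))   # nothing known: cannot be validated
            break
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if cnames:
            hops.append((current, "CNAME", cnames[0].signed))
            current = cnames[0].rdata
            continue
        types = ",".join(sorted({r.rtype for r in rrs}))
        hops.append((current, types, all(r.signed for r in rrs)))
        break
    return hops


def chain_verdict(hops):
    """('secure', None) only if every hop validated; otherwise ('insecure', first unsigned owner).
    One unsigned hop anywhere lets a forged answer redirect the rest of the chain."""
    for owner, _rtype, signed in hops:
        if not signed:
            return ("insecure", owner)
    return ("secure", None)


def report(records, name):
    """Print the chain and return the verdict tuple."""
    hops = walk_chain(records, name)
    verdict, where = chain_verdict(hops)
    for owner, rtype, signed in hops:
        print(f"  {owner:45} {rtype or '(no data)':8} {'signed' if signed else 'UNSIGNED'}")
    print(f"  -> {verdict}" + (f" (protection ends at {where})" if where else ""))
    return verdict, where


# Sample input: the acme-v02 chain as listed in the post above.
POSTED = """
acme-v02.api.letsencrypt.org.               (unsigned)  7200   CNAME  api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net.         (unsigned)  18211  CNAME  e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net.                 (unsigned)  20     A      104.92.3.37
e14990.dscx.akamaiedge.net.                 (unsigned)  20     AAAA   2600:1402:a:184::3a8e
e14990.dscx.akamaiedge.net.                 (unsigned)  20     AAAA   2600:1402:a:186::3a8e
"""

# Hypothetical (constructed): the same chain if letsencrypt.org were signed but
# the CDN zones it points into were not. Only the first line's marker changes.
HYPOTHETICAL = POSTED.replace("(unsigned)", "(signed)", 1)

# Hypothetical fully signed chain for contrast (constructed names and addresses).
ALL_SIGNED = """
www.example.                 (signed)  300  CNAME  cdn.example-edge.test.
cdn.example-edge.test.       (signed)  60   A      192.0.2.10
"""

if __name__ == "__main__":
    print("As posted:")
    report(parse_records(POSTED), "acme-v02.api.letsencrypt.org.")
    print("If only letsencrypt.org were signed:")
    report(parse_records(HYPOTHETICAL), "acme-v02.api.letsencrypt.org.")
    print("Fully signed chain:")
    report(parse_records(ALL_SIGNED), "www.example.")
```

Running it shows the analogy directly: in the hypothetical case the first hop validates, but the verdict is still "insecure" because protection ends at api.letsencrypt.org-ng.edgekey.net., so a spoofed answer for that name or for the akamaiedge.net target would still steer clients, exactly as an HTTPS-to-HTTP redirect hands the session back to an attacker.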


#11

That is very true.

But now that is sounding a lot like what I was inferring…
Why should I sign my zone if no one else is?
And the answer to that is…

In short, don’t worry about (nor follow) what anyone else or everyone else is doing.
Just do what you know to be right.

