Insert Public Keys in DNS

Story: HTTPS Certificate Revocation is broken, and it's time for some new toolsTotal Replies: 0
Author Content

Jul 04, 2017
9:56 AM EDT

DKIM works this way.... and DKIM along with DNSSEC provides DNS root level security of email servers. The same could easily be implemented with TLS...

It's almost there.

As indicated in the article CAA is a DNS record specifying the CA. There's actually zero difference from a security perspective to simply insert the public key for the server in DNS.

If instead of listing a CA in DNS, the domain owner created a public/private key and inserted the public key in DNS... then CAs go away entirely. Therefore there would be no problem with rogue CAs, because the domain owner would have full control and responsibility over the TLS public/private key. This would also allow key agnostic systems. PGP keys could be used as well as x509 systems.

We'll see if the 'security community' realizes the better solution... but some of my tech managers in prior work experiences were fond of saying that:

"Managing engineers is like herding cats."

So, it may be a long time before the 'experts' realize the better solution to TLS key assurance.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!