Writing on the Imperial Violet blog, Google Chrome engineer Adam Langley recently looked at transport layer security (TLS) and DNSSEC. He noted:
Ever since the DNS root was signed on July 15th, quite a few people have been wondering about the interaction of TLS and DNSSEC. On the one hand, trust in the CA system is lukewarm but, on the other, the deployment issues with getting DNSSEC to the client seem immense.
Those who saw Dan Kaminsky’s talk at Black Hat, which included a patched version of Chromium performing DNSSEC validation, have probably already guessed that Dan, myself and others have been working on this problem. In this blog post I’m going to try to explain the design space as I see it…. In the long term, we want a stronger foundation of trust for the Internet. This means both paring back the power of the 1500 root certificates and making TLS easier to deploy and thus more commonly used. So one of the goals is to serve sites which currently don’t have a CA signed certificate. We can do that by allowing them to publish fingerprints in DNS and having browsers accept those (DNSSEC secured) fingerprints.
The post considers several questions related to encoding the data, including:
- What type of record and where to put it
- Handling clients without DNSSEC resolution capability
- Fingerprints in records
- What to hash
- Whether to include a flag to perform CA validation
- TLS extensions
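To make those design questions concrete, here is an added illustration of the mechanism being discussed: a client that hashes the presented certificate and compares the result with a fingerprint fetched from DNS. It is not code from Langley's post or from Chromium, and every concrete detail is an assumption made for the example: the record text format `<hash> <selector> <ca-flag> <hex>`, the choice between hashing the whole certificate and hashing only the SubjectPublicKeyInfo (the "what to hash" question), the `DnsAnswer` object standing in for a resolver response and its AD bit (the "clients without DNSSEC" question), the optional flag demanding CA validation as well, and the two structurally valid but content-free certificates built in the block.

```python
"""Checking a TLS certificate against a fingerprint published in DNS.

Added example for the design questions above; not code from the Imperial
Violet post or from Chromium. The record format, the DER helpers, the
constructed certificates and DnsAnswer are all assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short form and two long-form lengths are enough here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_children(blob: bytes) -> list:
    """Split a run of concatenated DER TLVs into (tag, body) pairs."""
    out, i = [], 0
    while i < len(blob):
        tag, first = blob[i], blob[i + 1]
        i += 2
        if first < 0x80:
            n = first
        else:
            k = first & 0x7F
            n = int.from_bytes(blob[i:i + k], "big")
            i += k
        out.append((tag, blob[i:i + n]))
        i += n
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Pull the SubjectPublicKeyInfo out of an X.509 DER certificate."""
    (_, cert_body), = der_children(cert_der)
    _, tbs_body = der_children(cert_body)[0]          # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                          # explicit [0] version (v3)
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return der(0x30, fields[5][1])


def build_fake_cert(spki_body: bytes, serial: int) -> bytes:
    """Structurally valid, content-free v3 certificate, constructed for this example."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                # version v3
        der(0x02, bytes([serial])),                   # serial (one byte here)
        der(0x30, b""), der(0x30, b""), der(0x30, b""), der(0x30, b""),
        der(0x30, spki_body),
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


# Constructed SPKI bodies (AlgorithmIdentifier + BIT STRING); key bytes are dummies.
SPKI_A = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + der(0x03, b"\x00" + b"\xaa" * 32)
SPKI_B = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + der(0x03, b"\x00" + b"\xbb" * 32)


def fingerprint(cert_der: bytes, selector: str, algo: str) -> str:
    """'cert' hashes the whole certificate; 'spki' only the key, so it survives re-issuance."""
    data = cert_der if selector == "cert" else spki_from_cert(cert_der)
    return hashlib.new(algo, data).hexdigest()


def publish_record(cert_der: bytes, selector="spki", algo="sha256", require_ca=False) -> str:
    """What a site operator would put in the hypothetical DNS record."""
    return f"{algo} {selector} {int(require_ca)} {fingerprint(cert_der, selector, algo)}"


@dataclass
class DnsAnswer:
    records: list            # text of the hypothetical fingerprint records, if any
    dnssec_validated: bool   # stands in for the AD bit from a validating resolver


def check_cert(cert_der: bytes, answer: DnsAnswer, ca_validated: bool) -> str:
    """Return 'dns' (accepted via DNS fingerprint), 'ca' (CA fallback) or 'reject'."""
    # An unsigned answer is no better than the DNS it came from: whoever can spoof
    # the A record can spoof the fingerprint. No record at all also means CA fallback.
    if not answer.dnssec_validated or not answer.records:
        return "ca" if ca_validated else "reject"
    for rec in answer.records:
        parts = rec.split()
        if len(parts) != 4:
            continue
        algo, selector, ca_flag, digest = parts
        digest = digest.lower()
        if algo not in ("sha256", "sha512") or selector not in ("cert", "spki"):
            continue  # unknown algorithm or selector: skip it rather than crash
        if len(digest) != 2 * hashlib.new(algo).digest_size or any(c not in "0123456789abcdef" for c in digest):
            continue
        if hmac.compare_digest(fingerprint(cert_der, selector, algo), digest):
            if ca_flag == "1" and not ca_validated:   # record also demands CA validation
                return "reject"
            return "dns"
    return "reject"   # policy for the example: signed records that all mismatch are a pin failure


if __name__ == "__main__":
    cert = build_fake_cert(SPKI_A, 1)
    rec = publish_record(cert)
    print(rec, check_cert(cert, DnsAnswer([rec], True), False))
```

The "spki" selector is what makes the approach workable for a site that rotates certificates but keeps its key: the fingerprint stays valid across re-issuance, whereas a whole-certificate hash must be republished with every new certificate. The fallback-to-CA branch on an unvalidated answer is the crux of the client-without-DNSSEC question, since a fingerprint that arrived over plain DNS adds nothing an on-path attacker could not also forge.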