
Assuming that it's tough to get many government-owned TLDs to cooperate to spoof DANE or DNSSEC, would it be wise to publish the same certificate (different SAN names) to various TLDs?

For example:

  1. Company.com
  2. Company.cn
  3. CompanyAlias.ca
  4. AnotherAlias.co.uk

If the DANE or DNSSEC spec were expanded to look for some kind of multinational validation policy, then the client could self-query those 4 domains and create a simple distributed version of Convergence.

Would this provide a security benefit?

What am I overlooking?

StackzOfZtuff
makerofthings7

1 Answer

If your website (for example) is on a TLD you do not trust, then many things can happen (like the registry could change the nameserver of your domain, making your website unreachable) even if the underlying TLS certificate listed many SANs (I'm not sure how a CA would validate such a certificate, since it would have to gain proof of ownership for each separate SAN at almost the same time; but maybe you are thinking about the DANE case where you directly publish the certificate without later needing CA validation).

Also, in all cases, you still depend on the DNS root key and its management/governance, so if you do not trust DNSSEC, this is a point that is impossible to remove.

Patrick Mevzek