Author: phantomcircuit 2011-07-26 16:32:17
Published on: 2011-07-26T16:32:17+00:00
The discussion is about the security implications of using DNSSEC for Bitcoin address communication. Matt Corallo thinks that DNS resolution is far simpler to implement than properly checking the HTTPS certificate chain. Rick Wesson stated that most OSes don't have a mechanism to require the zone queried is DNSSEC signed meaning you have to implement a full DNS resolver in Bitcoin in order for it to be secure. He also mentioned that the same attack can apply to HTTPS with a self-signed cert where it is the A record that is replaced by the attacker and the HTTPS request is sent to evil.com's server which responds to the request with an answer in the form you expect. Matt Corallo responded that if you are using a self-signed cert to do any kind of important data transfer you are just being stupid. Windows has supported DNSSEC since 2008 as have most of the Unix variants, Mac OSX since 10.3 Android also seems to include DNSSEC capable resolvers. However, Matt Corallo believes that DNS-based resolving is not a good idea here and thinks that HTTPS does have several advantages over a DNSSEC-based solution without any significant drawbacks. The thread is specifically about the security implications of using DNSSEC for Bitcoin address communication. Rick Wesson suggested moving the thread to a more appropriate forum for discussing how applications leverage DNS security extensions. He stated that its taken some years to get the specs done and the root signed, he expects it to take many more to enable the applications to leverage the deployed infrastructure. Matt Corallo agreed that remembering and communicating a Bitcoin address are current limiting factors in the acceptance and deployment of this software. His goal is for a simpler user experience.
Updated on: 2023-05-26T19:37:20.943257+00:00