Letsencrypt: A business case for DNSSEC

Letsencrypt has become a popular choice for small & medium domain owners on the Internet. The certificates are free; all you need is to design & implement the infrastructure to support acquiring, renewing & revoking your SSL certificates. During the developers' conference, I was explaining the ACME protocol to a number of developers in Mauritius. Something hit my mind during the presentation.

ACME was designed to be a cost-effective way for people to validate their requests for a domain. If I tried to register an SSL certificate for google.mu, I should own the google.mu domain. Since this is not the case, such a request is rejected. ACME servers use DNS as one possible validation step. To reduce the chance of the DNS validation step being vulnerable, the IETF ACME draft recommends several mitigations, including performing multiple DNS requests from different locations and other DNS hardening tricks. One of its recommended mitigations is DNSSEC.

With 1 million SSL certificates covering approximately 2.9 million domains, letsencrypt is one of the critical internet services that can benefit from DNSSEC validation. DNSSEC provides a cryptographically signed response, which gives higher assurance that you indeed own a domain during the ACME challenge/response validation. Domain owners might consider enabling DNSSEC on their domains to increase the security of letsencrypt's ACME validation in their infrastructure, as there is a return on investment in terms of security.
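As an added illustration (not code from the original post or from Let's Encrypt), here is how the DNS-01 challenge value is derived per RFC 8555 and RFC 7638, and why a validator should accept the resolver's answer only when its AD flag says the answer was DNSSEC-validated. The account key coordinates are the public EC example key from RFC 7517 and the header flag words are constructed samples; no network access is used.

```python
import base64
import hashlib
import json

AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags word (RFC 4035)


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT content for _acme-challenge.<domain>: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validate_dns01(expected: str, header_flags: int, txt_records: list, require_dnssec: bool = True):
    """Decide whether a resolver answer proves control of the domain.

    header_flags is the 16-bit flags word of the DNS response. A validating resolver
    sets AD only when the whole chain (root -> TLD -> zone) verified, so a forged or
    injected answer from an unsigned path never carries it.
    """
    if require_dnssec and not header_flags & AD_FLAG:
        return False, "answer was not DNSSEC-validated (AD flag clear)"
    if expected not in txt_records:
        return False, "no TXT record matches the expected key authorization digest"
    return True, "ok"


# Sample account key (RFC 7517 example EC public key), not a real Let's Encrypt account.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
RESPONSE_NO_AD = 0x8180          # constructed: QR, RD, RA set; plain recursive answer
RESPONSE_AD = RESPONSE_NO_AD | AD_FLAG  # constructed: same answer, DNSSEC-validated

if __name__ == "__main__":
    txt = dns01_txt_value("constructed-token-value", SAMPLE_JWK)
    print("publish TXT:", txt)
    print(validate_dns01(txt, RESPONSE_NO_AD, [txt]))  # rejected: no AD flag
    print(validate_dns01(txt, RESPONSE_AD, [txt]))     # accepted
```

Note that `use` is ignored by the thumbprint, so adding or removing optional JWK members does not change the challenge value; only the key material and the token do.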

DANE has long been thought of as the “killer app” of DNSSEC. Personally, I see letsencrypt’s strong adoption as another pathway that could lead more individuals and organizations to adopt DNSSEC to strengthen their SSL-enabled services with letsencrypt. What is quite interesting here is that the typical letsencrypt adopter is small, and DNSSEC adoption among smaller players in the internet ecosystem would be an interesting case study.

(Views are my own)