Tag Archives: DNSSEC

Revocation Lists and the Future of X.509

Geoff Huston from APNIC talked at the RIPE 84 about certificate revocation as a “sanction”. He concludes that the certificate infrastructure is not working, and instead suggests DNS is the answer. You can put keys in the DNS and use TTL to control the caching lag of the information.


How do you see it? What conclusions should we draw from this at CAcert? Write your comment below!

CAcert fingerprints via DNSSEC

Recently we got several questions about automated installers for our certificates. While the new ca-cacert package in Debian Testing is a nice way for a verified installation it isn’t perfect. One issue is the initial download of the certificates when the source package is built by the maintainer; the second issue is that not everybody is using Debian.

As for a long time there was no way to automate the check of the trust anchor with tools you already have we used cryptography to make it work: DNSSEC. While you can’t directly download the certificates directly from DNS – the information would be to huge and hardly manageable – you still get enough information to bootstrap the verification from DNS. All you need is a way to query and validate TXT RRs from DNS, a way to download files via HTTP and a way to calculate some hashes.

The information about the fingerprints is stored in the DNS zone _fp.cacert.org – the underscore indicates non-host information. For each generation of root certificates a new sub-directory will be created. The current one is “g1”. To list all available certificates of a specific generation you can query the label _certs for that sub-directory given a DNS query for _certs.g1._fp.cacert.org yielding the two names “root class3” as the certificates. Each of those references in turn provides both an URL (“_url”) and a set of fingerprints (_md5, _sha1, _sha256) needed for the verified download of that certificate. To download the current (g1) root certificate you’d thus look for the download URL at _url.root.g1._fp.cacert.org and verify the SHA2-256 fingerprint given at _sha256.root.g1._fp.cacert.org. Fingerprints are always uppercase and without any delimiters.

For further technical details have a look into the Wiki [1]

[1] https://wiki.cacert.org/HowToDocuments/FingerprintsViaDNSSEC