How securely does NextDNS treat its root CA secrets internally?
In general, I trust NextDNS immensely! But installing and trusting a new root CA is a whole new level of trust. With it, someone could completely MITM all my traffic/passwords/secrets.
I don’t have any specific doubts, but I would love it if NextDNS had a page somewhere explaining NextDNS’s internal security policies and procedures around its handling of its root CA. Among other things. You’ll see similar pages or white papers on big sites meant to assuage the worries of nervous CSOs.
Some basic questions:
- How is root CA secret security handled and what are the internal policies around use?
- Does NextDNS have any security certifications that include its handling of the root CA secret? (I’m skeptical of security certifications overall, but they can’t hurt)
- Is there a single root-of-root CA somewhere with a secret that would enable anyone to spoof certificates for any NextDNS customers that trust the root CA? Or is a new one generated for every client? Are they stored in a particularly security-sensitive way, separated from other not-quite-as-sensitive customer data? And I’m assuming all internal access to these secrets has an unavoidable audit trail?
- Any cool internal policies around how the root CA secrets are accessed? Like are they stored in some cool encrypted way that requires the keys of n employees to come together to access it?
- Where is the root CA secret (or secrets) physically stored? I LOVE that NextDNS lets me choose the physical location where my DNS logs are stored. Curious if there’s any similar arrangement for the root CA secrets. (For example, storing my logs in Switzerland might prevent a US court from compelling NextDNS to hand over my logs, but if the secret for the root CA I’m trusting is stored in the US, that reduces some protection. Not that I have any particular worry about this. I’ve never even heard of a court order compelling that.)
Thanks for reading!
Edit: I realize now that when you download the NextDNS CA, everyone gets the same one. So that already answers my question about whether a single root CA secret exists for all customers. It does.