Slashdot Mirror


DNSSEC: Good Enough?

Phil Windley writes "DNS Security Extension, or DNSSEC, is a set of extensions to DNS which provide end-to-end authenticity and integrity. Paul Mockapetris, the inventor of DNS, believes DNSSEC is the answer to many of the identity problems on the Internet. He wants the IETF to get off the dime and approve the DNSSEC spec. A recent article in ZDNet TechUpdate interviews Mockapetris on DNSSEC (summary)."

11 of 188 comments

  1. slashdot by Anonymous Coward · Score: 5, Insightful

    is it possible for the Slashdot collective to come up with another one?

    Not a chance. The slashdot collective, taken as a whole, is a very stupid group of people. Even the few intelligent people wouldn't be able to get anything useful done because they'd be shouted down by the teeming masses of idiots.

    We hate Sony's recording arm, but we'll sell our souls to them for the next cool gadget. We hate MS, but 90% of us use Windows on our main home machine. Not to mention all the idiots who use words like boxen.

  2. Re:Check out Internet Mail 2000 by letxa2000 · Score: 5, Insightful

    Maybe ISPs should charge users for each outbound SMTP connection they make? I'd happily pay 10 cents per email I sent if it would reduce the amount of SPAM I received. It would only cost me a couple of bucks a month too at the rate that I send email ...

    I wish people would stop inviting rate increases or new charges as an answer to spam. It's not the answer. It might be inexpensive for you, but many of us DO send a lot of email and it'd get expensive really quick. You'd get rid of a lot of good and valid email communication along with the spam.

    I'm even opposed to the "pay a dime, but I'll give it back if I wanted to hear from you" approach. Those of us running a mailing list would run the risk of having some idiot sign up a bunch of accounts only to have that person say "No, I didn't want that" and collect the money.

    I believe we need a trusted protocol. This might be as simple as having all emails PGP signed and everything else being sent to the bit-bucket (if you want to be aggressive) or only passed through to the user if the unsigned message had an extremely low spam score.

    But if everyone were to use Bayesian I swear we wouldn't even have to propose a new protocol, talk about new legislation, etc.

    *SIGH*

  3. Cynicism over recommendation by Anonymous Coward · Score: 4, Insightful

    It's hard to take a recommendation from the inventor too seriously.

    The trust pyramid is the kicker; it seems these things fall into the hands of the untrustworthy. Almost analogous to the handling of domain names.

    Whoever is at the top should be non-profit and transparent.

  4. Why would we want to be identified? by Anonymous Coward · Score: 3, Insightful

    Haven't we posted long enough about how none of us want any more info on positively identifying ourselves online, and now this comes along? What is it we want, total invasion on knowledge of our whereabouts, or the ability to be anonymous?

  5. Blame Game by PktLoss · Score: 1, Insightful

    Personally, I have always seen identity confirmation problems as a software issue, rather than a protocol one.

    Rather than relying on the protocol to identify the source of communications, either work off some non-protocol-related trust basis (i.e., don't just MD4 your IP or something) for pre-established communications, or, for first-contact type situations, agree on some type of communication security.

    I do not see these types of problems as the sort of problems lower level protocols should be addressing.

  6. Re:dan bernstein's position on this by Anonymous Coward · Score: 4, Insightful

    Yes, DNSSEC is unfinished. The IETF has become worse than ISO.

    DNSSEC would provide an increase in security if DNS spoofing attacks become more prevalent. Given tools now available (dnspoof, for one), such attacks are likely to increase in the future.

    Bernstein takes a simplistic and operationally insane approach in his proposal. Also, it won't work as he describes it.

    Of course, bernstein-ites will now froth at the mouth. So it goes.

  7. Re:dan bernstein's position on this by gregmac · Score: 4, Insightful

    djb's points about dnssec seem reasonable, but his proposed solution `nym' seems quite nutty.

    in my experience, djb's stuff has always been interesting. He has good ideas about things, and they work nicely, but his implementations are just wacky. Don't get me wrong, I use a lot of it (qmail and daemontools, namely), but the way it fits together, and the way he does things.. it's out there. qmail in particular.. there's like 30 programs messages run through on their way.

    Although I use daemontools, in order to change pathnames (since I wanted to put it in its own path), I had to manually change a whole bunch of things hardcoded in the source. His build system is also very kooky.. it works, it's just totally different from the way you compile anything else and thus takes a lot of learning to figure it out.

    I've never tried his DNS implementation, but I've heard it works nicely.

    --
    Speak before you think

  8. Re:dan bernstein's position on this by Angst+Badger · Score: 2, Insightful

    Is he living on the same earth we do? It's going to be a long time before manually enterable -- and verifiable -- hostnames become redundant (if they ever do).

    Ever watch end users? I mean, really watch end users? They almost never type in domain names. If it isn't a link or a bookmark, it seldom gets visited. Some of the brighter ones will go to Google and type a domain name into the search box (which exasperates me to no end -- "Location bar? What's that?"), but that's it.

    The only time most end users type a domain name is as part of an email address. And I think we can all agree that the existing email infrastructure is in desperate need of a complete overhaul. (We can all probably agree that's as likely as "non-partisan" hearings in Congress, too.)

    Not that Bernstein's proposed solution is all that great, but it's not as far-fetched as it seems at first blush.

    --
    Proud member of the Weirdo-American community.

  9. Is it 1984? by thinkerdreamer · Score: 2, Insightful

    Your point is rather interesting, if it is true. A rapid deployment of a system that defeats spam would mask its invasion of privacy leaving the public ignorant and there would be commercial and government spying on posts in forums like these.
    That is if, and a big if, it tags everyone. I don't understand it all myself.

    Hopefully if it actually tags everyone, there will be a public outcry similar to the RFID complaints when Walmart tried to implement them. Maybe calling up such a privacy group like the one that complained about Walmart would be an excellent thing to do.

    This stuff is straight out of the book 1984. That prophetic book of the perils of technology has been in the minds of many lately. Unless people all across the world view invasion of privacy like taking away their civil rights, then nothing will happen. Microsoft and others like this company will strip away every right we have under the umbrella of "beneficial" technology. Businesses and governments will take advantage of such technology and know everything about a person. If a political or commercial figure doesn't like a citizen of his country that person would lose his job, his fame, his wealth, his friends or even his life.

    When this happens, we will all be saying "I told you so!" but it may be too late. Privacy then will be like a civil rights movement. There are many things I can say that might take place then, but I cannot say all of them. All I can say is that governments need to act now or risk losing public confidence. When public confidence erodes, so will the government. It is not wise for a government to have its people live in fear. Those types of governments have a history of being overthrown.

    Now I've dragged on awhile about privacy, but if there is no invasion of privacy from this technology then I say "Go for it!"

  10. Re:dan bernstein's position on this by macshit · Score: 2, Insightful

    Um, I hate to break it to you, but we -- you and me -- are end-users. I'm certainly not going to accept a `standard' that works only for the mouth-breathing (and windows-using) set.

    --
    We live, as we dream -- alone....

  11. Re:dan bernstein's position on this by colinleroy · Score: 2, Insightful

    He basically proposes only allowing a form of hostname which is (1) too long to type manually, and (2) includes long random-looking strings. His justification for this is `users seem to do alright with bookmarks, and as soon as everything is links, no problem!'
    As if DNS was only used to browse the web. What about ssh, ftp, mail, all these things that use hand-typed hostnames?

    --
    blah