Slashdot Mirror


New IAB Chair Defends DNSSEC

bednarz writes "Olaf Kolkman, the new chair of the Internet Architecture Board, says that DNSSEC — an approach to authenticating DNS traffic that has been slow to take off — is not a failure. 'It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem'."

1 of 49 comments

  1. If DNSSEC Is Success, What Does Failure Look Like? by tqbf · Score: 3, Interesting

    Nothing about DNSSEC has improved since I wrote about it last year:

    • The current "standard" (RFC2535) remains "dead and buried" according to DNS pater familias Paul Vixie
    • Nobody even knows what problem DNSSEC is meant to solve, and why it's worth deploying in a world with pervasive TLS
    • It's a nightmare to deploy, both for administrators and for software developers who have to handle things like precomputing tens of thousands of expensive signatures
    • The only reference implementation of the protocol is BIND, the second-least-trusted piece of open source code on the Internet.

    DNSSEC is a huge waste of time. For a fraction of the effort, we could have pervasive opportunistic VPN-style connections. Or we could clean up the mess of insecure code that currently provides our core infrastructure. Or a unified standard secure email transport based on GPG/PGP. Or a concerted effort to solve the cross-site scripting problem. You could come up with a way to secure and authenticate the AOL OSCAR IM protocol and still do more good than DNSSEC ever will.

    Of course, the IETF people will never admit this. The IETF types used to define themselves by making fun of the OSI X-standards people; "rough consensus and working code!". The Internet won, CLNP lost. Where do you think all those standards bureaucrats you made fun of in the OSI groups went? That's right; to IETF working groups.