Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Tell Feds To Sign the DNS Root ASAP

Posted by kdawson on from the digital-john-hancock dept.

alphadogg sends along news that the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.

4 of 147 comments (clear)

  1. Re:Why bother? For a CHEAP PKI... by ObsessiveMathsFreak · · Score: 5, Insightful

    Congratulation! You've just explained why the DNSSEC will never be implemented on the root server.

    --
    May the Maths Be with you!
  2. Why would the establishment prefer DNSSEC by Burz · · Score: 4, Insightful

    ...over ubiquitous use of SSL?

    Almost all of the extra overhead for crypto and/or signing is in processing the initial public key. So DNSSEC seems to make our systems work about as hard, without the benefit of encrypted data.

    OTOH, having an Internet trend set in with most servers switching to SSL (i.e. HTTPS, etc) keeps the government (and corps providing its "security" snooping services) from profiling people based on their everyday choices of art, books, and ways of socializing. It takes ISPs out of the loop as far as acting as surrogate cops snooping on peoples' data.

    If I wanted to further a police surveillance state, I would try to set a trend with DNSSEC instead of a different public key scheme that provides encryption along with verification for the same price... especially if the tools to implement the latter were already on everyone's system waiting to be fully used.

  3. Probably means you pay more actually. by TheLink · · Score: 5, Insightful

    Uh it's just a way for CAs to make money _twice_ (or more times).

    You'll still need CAs.

    How does DNSSEC stop the browser from giving Joe User a warning box that the https cert is not signed by a recognized CA?

    That's the only real reason why you pay CAs to sign your certs - to stop Joe User from being bothered it.

    That CA signing bullshit is little to do with security. Because the last I checked:

    1) nobody really goes through all the CAs bundled with their browser and says: "Yes I trust this CA, no I don't so I'll delete this". There are tons, do you know who they are and how trustworthy they really are? Do you really care? No all you care is that you don't get that warning.
    2) Verisign has proven that they voluntarily do dubious stuff and they've even misissued Microsoft certs (go look under Untrusted Publishers in IE's list of certs ;) ), and yet people _will_ leave the Verisign root certs in - because all you care is you don't that get warning.
    3) Do browser makers actually remove CAs who don't comply to some standard? Do they even have some meaningful standard in terms of security?
    4) AFAIK browsers don't warn you if the a valid cert changes to a different valid cert (even if it is signed by a different CA).

    As you can see, they're not really safer than self-signed certs. To me browsers should do that SSH thing and warn you if the cert has changed (whether it's self-signed or CA signed).

    In that light, forgive me if I'm not convinced that DNSSEC is really going to make things more secure :).

    It'll just be more of the same. One more way for Verisign and gang to make money for making people feel safe.

    --
  4. Re:Trolls equal... by ceoyoyo · · Score: 4, Insightful

    Omit your second reason and I'll give you your definition. Taking an unusual viewpoint to spark debate is highly useful.

    I used to have a roommate who was doing a degree in social work. She came home one day gushing about the great debate they'd had. Everyone agreed! That's not a debate. That's a love-in badly in need of a skeptic (otherwise known as a shit-disturber).