Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Tell Feds To Sign the DNS Root ASAP

Posted by kdawson on from the digital-john-hancock dept.

alphadogg sends along news that the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.

2 of 147 comments (clear)

  1. Re:Why bother? For a CHEAP PKI... by ObsessiveMathsFreak · · Score: 5, Insightful

    Congratulation! You've just explained why the DNSSEC will never be implemented on the root server.

    --
    May the Maths Be with you!
  2. Probably means you pay more actually. by TheLink · · Score: 5, Insightful

    Uh it's just a way for CAs to make money _twice_ (or more times).

    You'll still need CAs.

    How does DNSSEC stop the browser from giving Joe User a warning box that the https cert is not signed by a recognized CA?

    That's the only real reason why you pay CAs to sign your certs - to stop Joe User from being bothered it.

    That CA signing bullshit is little to do with security. Because the last I checked:

    1) nobody really goes through all the CAs bundled with their browser and says: "Yes I trust this CA, no I don't so I'll delete this". There are tons, do you know who they are and how trustworthy they really are? Do you really care? No all you care is that you don't get that warning.
    2) Verisign has proven that they voluntarily do dubious stuff and they've even misissued Microsoft certs (go look under Untrusted Publishers in IE's list of certs ;) ), and yet people _will_ leave the Verisign root certs in - because all you care is you don't that get warning.
    3) Do browser makers actually remove CAs who don't comply to some standard? Do they even have some meaningful standard in terms of security?
    4) AFAIK browsers don't warn you if the a valid cert changes to a different valid cert (even if it is signed by a different CA).

    As you can see, they're not really safer than self-signed certs. To me browsers should do that SSH thing and warn you if the cert has changed (whether it's self-signed or CA signed).

    In that light, forgive me if I'm not convinced that DNSSEC is really going to make things more secure :).

    It'll just be more of the same. One more way for Verisign and gang to make money for making people feel safe.

    --