Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Tell Feds To Sign the DNS Root ASAP

Posted by kdawson on from the digital-john-hancock dept.

alphadogg sends along news that the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.

5 of 147 comments (clear)

  1. Why bother? For a CHEAP PKI... by nweaver · · Score: 5, Interesting

    With a conventional PKI for your SSL certificates, Verisign or the other CA gets a cut for EVERY server.

    With DNSSEC, the "CA" only gets a cut per domain. Thus DNSSEC can be used to offer key distribution with far less cost, once the root and the TLDs start signing records.

    (Not an original argument, but I agree with it.)

    --
    Test your net with Netalyzr
  2. not so fast by ejtttje · · Score: 5, Interesting

    I wouldn't be so quick brush aside dissension on this issue. This comment in particular:
    http://www.ntia.doc.gov/DNS/comments/comment034.pdf
    seemed well thought out, and at the end suggests several other workarounds with fewer issues. Namely, switch to using TCP instead of UDP so there's a handshake involved instead of blindly accepting incoming datagrams. It's not that the bug shouldn't be addressed, but maybe DNSSEC is the wrong answer.

  3. An explanation please? by PhysicsPhil · · Score: 4, Interesting

    For those of us who trust that this is something that matters, but aren't nerdy enough to understand. What is the problem that the experts were being consulted about?

  4. Why only one CA? (And it's the feds?!) by Sloppy · · Score: 5, Interesting

    I love beating this dead horse: OpenPGP is the one scheme that authentication right, and DNS is Yet Another great example where OpenPGP should be used instead of the obsolete X.509.

    Why would I trust the feds as an introducer? We already know that they do attempt MitMs sometimes, and there's already a history of DNS abuses ordered by presumably well-intentioned courts. But even if this organization had a good reputation, it's just plain dumb to put all your eggs in one basket. There should be provisions multiple certifiers of an identity, so that users decide who is trustworthy and who isn't.

    If the feds are going to sign, I hope they use an OpenPGP signature (which apparently the spec allows!), but I somehow doubt they would want to lend any legitimacy to a scheme that actually lets people authenticate identities, instead of the one intended to create monopolies and single points of failure.

    I have no problem with the feds helping out on this, but we shouldn't completely trust them, and we have the technology so that we don't have to. PRZ gave it to us a couple decades ago.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  5. why only one CA by bugs2squash · · Score: 4, Interesting

    I don't see why any nameserver (especially the root nameservers) could not carry signatures from multiple CAs. Maybe that's not DNSSEC (I can't be bothered to read the RFCs !) but it's certainly a technical possibility.

    Also, I think any device looking up any DNS record can chose to ignore the signatures if it wants to anyway (most will).

    So I fail to see what all the conspiracy issues are surrounding the signature of the root name servers. It seems a far cry from implementing a system to roll dnssec out to every nameserver and if a better solution comes along later, or DNSSEC gets better, the new ideas can probably get bolted on.

    --
    Nullius in verba