Slashdot Mirror
Experts Tell Feds To Sign the DNS Root ASAP
alphadogg sends along news that the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.
(Satan unpacking his sno-cone machine)
"'Bout damn time I got to use this thing..."
With a conventional PKI for your SSL certificates, Verisign or the other CA gets a cut for EVERY server.
With DNSSEC, the "CA" only gets a cut per domain. Thus DNSSEC can be used to offer key distribution with far less cost, once the root and the TLDs start signing records.
(Not an original argument, but I agree with it.)
Test your net with Netalyzr
In my experience, the trolls are usually right.
"You know, that 13-year-old kid DOES have a point. We should all stretch our anuses and put various large fruits inside our rectal cavities. And what those two ladies are doing with that cup is sheer genius. And I'm certain we can't agree more with his opinion of 'FUCK FUCK FUCK U CUNTS SHIT FUCK DAMN PISS COCK FUCK'. Gentlemen, as usual, we find that the trolls are, indeed, right! To the anus-stretching machines!"
Are you troubled by DNS cache poisoning...well don't worry!
I wrote a song about it!
Your domain will be safe,
You'll be well on your way
With DNS-SEC security!
Signing is a breeze,
Bring hackers to their knees
With DNS-SEC security!
I know you're grown attached to old
Ways of doing things
But when you update BIND
Your heart will race to sing!
DNS-SEC implementation
Put the spammers on permanent vacation
DNS-SEC implementation
I hear it's got great documentation!
Bind me, baby!
(GUITAR SOLO)
(-1, Raw and Uncut is the only way to read)
I wouldn't be so quick brush aside dissension on this issue. This comment in particular:
http://www.ntia.doc.gov/DNS/comments/comment034.pdf
seemed well thought out, and at the end suggests several other workarounds with fewer issues. Namely, switch to using TCP instead of UDP so there's a handshake involved instead of blindly accepting incoming datagrams. It's not that the bug shouldn't be addressed, but maybe DNSSEC is the wrong answer.
Well, by his definition he's really been moderated "right".
For those of us who trust that this is something that matters, but aren't nerdy enough to understand. What is the problem that the experts were being consulted about?
Well, the U.S. owns the internet, right? We should just pass a law for IPv6.
Congratulation! You've just explained why the DNSSEC will never be implemented on the root server.
May the Maths Be with you!
...over ubiquitous use of SSL?
Almost all of the extra overhead for crypto and/or signing is in processing the initial public key. So DNSSEC seems to make our systems work about as hard, without the benefit of encrypted data.
OTOH, having an Internet trend set in with most servers switching to SSL (i.e. HTTPS, etc) keeps the government (and corps providing its "security" snooping services) from profiling people based on their everyday choices of art, books, and ways of socializing. It takes ISPs out of the loop as far as acting as surrogate cops snooping on peoples' data.
If I wanted to further a police surveillance state, I would try to set a trend with DNSSEC instead of a different public key scheme that provides encryption along with verification for the same price... especially if the tools to implement the latter were already on everyone's system waiting to be fully used.
Uh it's just a way for CAs to make money _twice_ (or more times).
;) ), and yet people _will_ leave the Verisign root certs in - because all you care is you don't that get warning.
:).
You'll still need CAs.
How does DNSSEC stop the browser from giving Joe User a warning box that the https cert is not signed by a recognized CA?
That's the only real reason why you pay CAs to sign your certs - to stop Joe User from being bothered it.
That CA signing bullshit is little to do with security. Because the last I checked:
1) nobody really goes through all the CAs bundled with their browser and says: "Yes I trust this CA, no I don't so I'll delete this". There are tons, do you know who they are and how trustworthy they really are? Do you really care? No all you care is that you don't get that warning.
2) Verisign has proven that they voluntarily do dubious stuff and they've even misissued Microsoft certs (go look under Untrusted Publishers in IE's list of certs
3) Do browser makers actually remove CAs who don't comply to some standard? Do they even have some meaningful standard in terms of security?
4) AFAIK browsers don't warn you if the a valid cert changes to a different valid cert (even if it is signed by a different CA).
As you can see, they're not really safer than self-signed certs. To me browsers should do that SSH thing and warn you if the cert has changed (whether it's self-signed or CA signed).
In that light, forgive me if I'm not convinced that DNSSEC is really going to make things more secure
It'll just be more of the same. One more way for Verisign and gang to make money for making people feel safe.
Bind me, baby!
The S in S&M does not stand for Security.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I love beating this dead horse: OpenPGP is the one scheme that authentication right, and DNS is Yet Another great example where OpenPGP should be used instead of the obsolete X.509.
Why would I trust the feds as an introducer? We already know that they do attempt MitMs sometimes, and there's already a history of DNS abuses ordered by presumably well-intentioned courts. But even if this organization had a good reputation, it's just plain dumb to put all your eggs in one basket. There should be provisions multiple certifiers of an identity, so that users decide who is trustworthy and who isn't.
If the feds are going to sign, I hope they use an OpenPGP signature (which apparently the spec allows!), but I somehow doubt they would want to lend any legitimacy to a scheme that actually lets people authenticate identities, instead of the one intended to create monopolies and single points of failure.
I have no problem with the feds helping out on this, but we shouldn't completely trust them, and we have the technology so that we don't have to. PRZ gave it to us a couple decades ago.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Gotten is standard in American English.
I don't see why any nameserver (especially the root nameservers) could not carry signatures from multiple CAs. Maybe that's not DNSSEC (I can't be bothered to read the RFCs !) but it's certainly a technical possibility.
Also, I think any device looking up any DNS record can chose to ignore the signatures if it wants to anyway (most will).
So I fail to see what all the conspiracy issues are surrounding the signature of the root name servers. It seems a far cry from implementing a system to roll dnssec out to every nameserver and if a better solution comes along later, or DNSSEC gets better, the new ideas can probably get bolted on.
Nullius in verba
Omit your second reason and I'll give you your definition. Taking an unusual viewpoint to spark debate is highly useful.
I used to have a roommate who was doing a degree in social work. She came home one day gushing about the great debate they'd had. Everyone agreed! That's not a debate. That's a love-in badly in need of a skeptic (otherwise known as a shit-disturber).