Working Around Slow US Gov. On DNS Security

alphadogg writes "Last fall, the US government sought comments from industry about how better to secure the Internet by deploying DNSSEC on the root zone. But it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce yet, the position that oversees Internet addressing issues. Meanwhile, the Internet engineering community is forging ahead with a stopgap to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by ICANN last week and has been in testing since October."

DNSSEC overrated

[TheLink]

DNSSEC is overrated.

It's not about security, it's just another way to collect toll on the information superhighway.

I'm sure the CAs are rubbing their hands in glee.

They're not only going to collect money for SSL certs for www.yourdomain.com. Now they get to collect money to sign the "yourdomain.com" DNS entry as well.

And Verisign gets to triple dip if not more.

Re:DNSSEC overrated

[KiloByte]

To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra.

I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of entries could work. This means, DNSSEC would provide a more secure way to give the public key to a viewer.

Instead of proving that the server's owner paid a sum to the CA, it would prove that the server's owner has control over the DNS entry.

If the above is correct, that's a good explanation why we don't have DNSSEC yet -- it would have a potential to kill the CA's income.
But if there is a way to selectively skip signing certain DNS entries, all your fears would be true.

Re:DNSSEC overrated

[cakefragment]

Signed zone data is not reliant on x509 certificates; algorithms defined in RFC 4034 are RSA/MD5, Diffie-Hellman, DSA/SHA-1, Elliptic Curve, RSA/SHA-1, and room for ~245 future algorithms. There is no identity information stored in the keys used for DNSSEC, so you should be able to generate the keys yourself.

And a good thing too.

Apart from the certificate trust scam ("trust us, for you give us money"), too many non-us governments (and non-us non-governmental people, natural or otherwise), won't accept a us govt held root. And why should they?

Yes, arguably a fragmented root it not as good as it should be, but a root held by a single entity, especially one as "trustworthy" as the one with the power to push this through, might, in the long or not so long term, easily cause a plethora of split DNS universes. Which is lots worse.

It really is too bad that the most vocal people with the technical knowledge to understand the impact choose to ignore the politics involved. Yes, smart move people, that will make the issues go away real good.

Use DNSCurve

[dermoth666]

DNSSEC rely on having a central "trusted" authority to sign all the dns keys. Not even speaking about the inherent security issues with this model, that means that everyone will depend on a single authority for name resolutions (sure Network Solutions loves this)

DNSCurve is a much better solution in that it offers a trust system without the need of a central authority. The key is embedded in the DNS name server (NS) hostnames which are always returned by the upper level name server.

See http://dnscurve.org/index.html

Re:Use DNSCurve

[dermoth666]

Trust is the same for DNSSEc, it's just that instead of using the root servers as a trust chain, you use a 3rd party that every domain owners had to pay for.

I hardly doubt many institutions will actually pay for signing their zones. o me it's more DNSSEC which is a hype and I'm under the impression many people pushing for it just don't know the implications (they just want to secure DNS).

DNSCurve is much easier to implement than DNSSEC and and also advantages in term of cryptography speed and increase of traffic.

More on this, at 11

[dmneoblade]

In other news, the Internet is seeing the government as damage and routing around it.

Re:Working around government?

[characterZer0]

I think Washington would still be protecting the horse breeders and the stable hand union.

DNSSEC is a good subsitute for paid-for CERTs

[wayne]

To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra. I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of entries could work. This means, DNSSEC would provide a more secure way to give the public key to a viewer.

You may be a layman, but you appear to have far more clue about this stuff than most. Yes, once DNSSEC is deployed, anyone with a domain name can publish CERT records and have about the same security as a paid-for CERT. Granted the cert authorities right now require you to give your name and address and such, which publishing CERT records in the DNS won't require so they aren't exactly the same, but close enough considering how little checking the cert authorities do on such information

DNS for LOLCATS

[rs79]

"Acronyms confuse me."

Then you can has cheeseburgers.

SSL with no, or a bogus cert = "I has encryption. But I might be not be is cat. Might be is dog!"

DNSSEC = "I is cat. You know I is cat"