ICANN Sets Plan To Reinforce Internet DNS Security (networkworld.com)
coondoggie shares a report: In a few months, the internet will be a more secure place. That's because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the internet's address book -- the Domain Name System (DNS). The ICANN Board, at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010. During its meeting ICANN spelled out the driving forces behind the need for improved DNS security that the rollover will bring. For example, with the continued evolution of Internet technologies and facilities, and deployment of IoT devices and increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated.
"Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak," ICANN stated. The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses. Resolvers include: internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers, system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.
You can choose to not validate. It's a fundamental issue that there has to be an authority of some sort if you want to validate against an authority.
My opposition to it is that when someone buys a gTLD they become their own registration authority for all domains in that domain and they set what kind of contact information is required for registrants in that range. This makes it the ultimate spammer's (or spamvertised domain owner's) harbor as it can completely remove liability and responsibility. The owner of the gTLD also has authority to hand out arbitrary numbers of domains at their own whim, again making it trivially easy for spammers to bounce around and avoid detection.
And we cannot filter our way out of this, either. We've seen filters get demonstrably worse in recent years as the spammers get better and better at breaking them.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
https://www.icann.org/dns-resolvers-checking-current-trust-anchors