http://www.pcworld.com/businesscente...by_dnssec.html
As I'm sure most of us are aware, there is no cryptographic protection on domains. Domain names are not signed and there is no chain of trust between the end user and the registrar.
Today 13 .org registrars, including GoDaddy, flipped the switch on DNSSEC, a technology in development for nearly two decades which seems to finally see mainstream use. DNSSEC provides a cryptographic chain of trust back to the registrar, so that the authenticity of a particular domain name can be cryptographically validated. Last week ICANN generated the first cryptographic key for the root zone, and that key is now used to sign the certificates controlled by various registrars.
Is DNSSEC a good solution? It depends on what problem you're trying to solve. Dan J. Bernstein points out that DNSSEC does not provide any kind of privacy ("by design" they claim) and that third parties can still sniff your DNS traffic and figure out what domains you're resolving.
DJB also points out that DNSSEC is largely useless. On an Internet where the majority of traffic is conducted over the web, and the majority of sites don't have DNSSEC to begin with, the only case where DNSSEC "helps" is when you're accessing an HTTP (not HTTPS) server on a DNSSEC-secured domain. In that case, if you're sent a forged DNS response, your computer will detect it, as opposed to loading a fake site.
What do you think? Is DNSSEC a good idea?
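The "chain of trust" the post describes is built link by link: a parent zone publishes a DS record that is a hash of the child's key-signing DNSKEY, so a validator can check that the key it received from the child is the one the parent vouches for. The following is an added example, not part of the original post or of any DNSSEC implementation, showing that parent-to-child link in plain Python: it builds DNSKEY RDATA, computes the RFC 4034 key tag and DS digest, and checks a DS record against a DNSKEY. The zone name, key bytes and DS values are constructed placeholders (the 64-byte "public key" is not a real P-256 point); the signature step that would follow (verifying RRSIGs with the DNSKEY) is not shown.

```python
import hashlib
import hmac
import struct

# Constructed example data: a child zone's key-signing key (KSK). These are
# placeholders chosen for illustration, not real keys or real DS values.
ZONE = "example.org."
KSK_FLAGS = 257                     # bit 7 (0x0100) = zone key, bit 15 = SEP/KSK
KSK_PROTOCOL = 3                    # always 3 for DNSSEC (RFC 4034 section 2.1.2)
KSK_ALGORITHM = 13                  # ECDSAP256SHA256
KSK_PUBLIC_KEY = bytes(range(64))   # constructed placeholder, not a real curve point
DS_DIGEST_SHA256 = 2


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5).
    Sum the RDATA as 16-bit big-endian words, fold the carry in once, mask."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type=DS_DIGEST_SHA256):
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashers[digest_type](canonical_name(owner) + rdata).digest()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=DS_DIGEST_SHA256):
    """What the parent zone publishes for this child key:
    (key_tag, algorithm, digest_type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """Validator-side check: does the parent's DS identify this child DNSKEY?
    Rejects keys that are not zone keys, wrong protocol, algorithm mismatch,
    key-tag mismatch, or digest mismatch (compared in constant time)."""
    tag, alg, digest_type, digest = ds
    if not (flags & 0x0100) or protocol != 3 or alg != algorithm:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if key_tag(rdata) != tag:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), digest)


if __name__ == "__main__":
    ds = make_ds(ZONE, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBLIC_KEY)
    print("DS for", ZONE, "-> key tag", ds[0], "digest", ds[3].hex())
    # A key the parent never vouched for (one byte altered) must not match.
    forged = KSK_PUBLIC_KEY[:-1] + b"\xff"
    print("genuine key matches:", ds_matches_dnskey(ds, ZONE, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, KSK_PUBLIC_KEY))
    print("altered key matches:", ds_matches_dnskey(ds, ZONE, KSK_FLAGS, KSK_PROTOCOL, KSK_ALGORITHM, forged))
```

The same check repeats at every delegation: the root key signs the DS for .org, the .org zone's key signs the DS for example.org, and so on, which is the chain the post refers to. Note that the DS only binds a key to a name; whether the data under that name is authentic still depends on the RRSIG verification that a validating resolver performs with that key.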