DNSSEC goes mainstream


  • Voltage Spike
    replied
    Re: DNSSEC goes mainstream

    Originally posted by bascule:
    Is DNSSEC a good solution? It depends what problem you're trying to solve. Dan J. Bernstein points out that DNSSEC does not provide any kind of privacy ("by design" they claim) and that third parties can still sniff your DNS traffic and figure out what domains you're resolving.
    Which makes sense. If the lookup were encrypted, they wouldn't see the request ... but could infer it when you attempted to connect to the address returned in the record. If you want privacy, you need a comprehensive solution.

    Originally posted by bascule:
    DJB also points out that DNSSEC is largely useless. On an Internet where the majority of traffic is conducted over the web, and the majority of sites don't have DNSSEC to begin with, the only case where DNSSEC "helps" is when you're accessing an HTTP (not HTTPS) server on a DNSSEC secured domain. In that case, if you're sent a forged DNS response, your computer will detect it, as opposed to loading a fake site.
    It is false to say that you do not gain additional protection for SSL connections. SSL is a terrible all-or-nothing system that should never have been created. If I add a certificate authority for my employer/organization/software product, then I can no longer trust any site that I visit. If one of the "trusted" CAs is relaxed in its security or implementation (and both have happened), then the entire Internet is compromised. Further, the general expense and difficulty of obtaining a trusted-CA certificate combined with terrible web browser behavior means that we have trained users to click through certificate warnings.

    DNSSEC is an improvement on this whole mess by simple virtue of it being recursive. And, hey, maybe we can start stuffing internal, non-global certificates into DNS records now that we can trust their integrity.

    Originally posted by bascule:
    What do you think? Is DNSSEC a good idea?
    "When I first came here, this was all swamp. Everyone said I was daft to build a castle on a swamp, but I built it all the same, just to show them. It sank into the swamp. So I built a second one. That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up. And that's what you're going to get, Lad, the strongest castle." (~Monty Python and the Holy Grail)

    When pretty much the entire security model of the Internet is being built on DNS, it can only help to firm up the ground. It's no HANDLE System, but sometimes it is easier to keep climbing the ladder rather than take the newly-built elevator.

    And now I think I've exhausted my metaphor limit for the day.



  • SHA-hi
    replied
    Re: DNSSEC goes mainstream

    In related news, ICANN just added the ".xxx" TLD. This means that when you're surfing for porn, you can trust everyone really is who they say they are.

    But honestly, I'd say it's about time for this. My concern is if this could actually put a kink into Z-bot and other root-kit crimeware. How does this change how hosts.conf works?



  • bascule
    started a topic DNSSEC goes mainstream

    DNSSEC goes mainstream

    http://www.pcworld.com/businesscente...by_dnssec.html

    As I'm sure most of us are aware, there is no cryptographic protection on domains. Domain names are not signed and there is no chain of trust between the end user and the registrar.

    Today 13 .org registrars, including GoDaddy, flipped the switch on DNSSEC, a technology in development for nearly two decades which seems to finally see mainstream use. DNSSEC provides a cryptographic chain of trust back to the registrar, so that the authenticity of a particular domain name can be cryptographically validated. Last week ICANN generated the first cryptographic key for the root zone, and that key is now used to sign the certificates controlled by various registrars.

    Is DNSSEC a good solution? It depends what problem you're trying to solve. Dan J. Bernstein points out that DNSSEC does not provide any kind of privacy ("by design" they claim) and that third parties can still sniff your DNS traffic and figure out what domains you're resolving.

    DJB also points out that DNSSEC is largely useless. On an Internet where the majority of traffic is conducted over the web, and the majority of sites don't have DNSSEC to begin with, the only case where DNSSEC "helps" is when you're accessing an HTTP (not HTTPS) server on a DNSSEC secured domain. In that case, if you're sent a forged DNS response, your computer will detect it, as opposed to loading a fake site.

    What do you think? Is DNSSEC a good idea?
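    An added example, not code from this thread or from any DNSSEC implementation, modelling the chain of trust described in this post (root key, delegations down to the registrar's zone, a forged response being detected) and the mechanism Voltage Spike's "stuff certificates into DNS records" remark relies on. It is in Go, uses one P-256 key per zone (no KSK/ZSK split), and replaces the wire formats of RFC 4034/4035 with a simplified canonical form; the zone names, the 203.0.113.x and 198.51.100.x addresses, and the DS digest construction are constructed for illustration. It builds root -> org. -> example.org., signs one A record, and shows that a resolver holding only the root trust anchor accepts the genuine answer and rejects a spoofed one.

```go
package main
// Added example, not the thread's code: a stripped-down model of the DNSSEC chain of trust
// (one key per zone, no KSK/ZSK split, simplified canonical form, constructed sample names).
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record: owner name, type and presentation-form rdata.
type RR struct{ Owner, Type, Rdata string }
// Zone is what a signed zone publishes: its DNSKEY and one RRSIG per signed RRset.
type Zone struct {
	Name string
	priv *ecdsa.PrivateKey // never leaves the zone operator
	Pub  *ecdsa.PublicKey  // the DNSKEY
	Sigs map[string][]byte // "owner/TYPE" -> RRSIG (ASN.1 ECDSA signature)
}

// canonical hashes an RRset in a fixed order so signer and validator agree on the signed bytes.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, r := range rrs {
		lines[i] = strings.ToLower(r.Owner) + " " + r.Type + " " + r.Rdata
	}
	sort.Strings(lines)
	sum := sha256.Sum256([]byte(strings.Join(lines, "\n")))
	return sum[:]
}

// NewZone generates a P-256 key, the curve used by DNSSEC algorithm 13.
func NewZone(name string) *Zone {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, Pub: &priv.PublicKey, Sigs: map[string][]byte{}}
}

// DS is the record a parent publishes for a child: a digest over the child's name and key.
func DS(name string, pub *ecdsa.PublicKey) []RR {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(append([]byte(strings.ToLower(name)), der...))
	return []RR{{name, "DS", hex.EncodeToString(sum[:])}}
}

// Sign produces the RRSIG for an RRset; Delegate signs the DS set for a child zone.
func (z *Zone) Sign(rrs []RR) {
	sig, err := ecdsa.SignASN1(rand.Reader, z.priv, canonical(rrs))
	if err != nil {
		panic(err)
	}
	z.Sigs[strings.ToLower(rrs[0].Owner)+"/"+rrs[0].Type] = sig
}
func (z *Zone) Delegate(child *Zone) { z.Sign(DS(child.Name, child.Pub)) }

func (z *Zone) Verify(rrs []RR) bool {
	sig := z.Sigs[strings.ToLower(rrs[0].Owner)+"/"+rrs[0].Type] // nil if never signed: VerifyASN1 rejects it
	return ecdsa.VerifyASN1(z.Pub, canonical(rrs), sig)
}

// Validate is the resolver's job: root key vs. trust anchor, each child key vs. the parent-signed DS, then the answer's RRSIG.
func Validate(anchor RR, chain []*Zone, answer []RR) error {
	if DS(chain[0].Name, chain[0].Pub)[0] != anchor {
		return fmt.Errorf("root DNSKEY does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		if !chain[i-1].Verify(DS(chain[i].Name, chain[i].Pub)) {
			return fmt.Errorf("%s: no DS signed by %s matches its DNSKEY", chain[i].Name, chain[i-1].Name)
		}
	}
	if !chain[len(chain)-1].Verify(answer) {
		return fmt.Errorf("%s %s: RRSIG invalid, answer forged or altered", answer[0].Owner, answer[0].Type)
	}
	return nil
}

// BuildChain sets up root -> org. -> example.org. with one signed A record (constructed data).
func BuildChain() (anchor RR, chain []*Zone, answer []RR) {
	root, org, ex := NewZone("."), NewZone("org."), NewZone("example.org.")
	root.Delegate(org)
	org.Delegate(ex)
	answer = []RR{{"www.example.org.", "A", "203.0.113.9"}}
	ex.Sign(answer)
	return DS(".", root.Pub)[0], []*Zone{root, org, ex}, answer
}

func main() {
	anchor, chain, answer := BuildChain()
	forged := []RR{{"www.example.org.", "A", "198.51.100.66"}} // spoofed rdata, same RRSIG
	fmt.Println("genuine:", Validate(anchor, chain, answer))
	fmt.Println("forged: ", Validate(anchor, chain, forged))
}
```

    `go run` prints `<nil>` for the genuine answer and an RRSIG error for the spoofed one. Substituting a freshly generated key for example.org. fails one step earlier, at the DS check, because org. never signed a DS for that key; that step is the "chain of trust back to the registrar" this post describes. Validate never looks at the record type, so a TLSA-style record carrying a certificate hash is verified exactly like the A record. What the model also makes visible is DJB's privacy objection: every name, record and signature here travels in the clear, and nothing in the protocol hides which RRset was asked for.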