
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 06:24:45
On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote:
> I disagree.  DNSSEC is not just DNS: it's the only available, deployed, and
> (mostly) accessible global PKI currently in existence which also includes a
> constrained path of trust which follows already established business
> relationships.

Except that virtually nobody uses DNSSEC and most of the registrars don't
support it.

More importantly, what problem do people think DNSSEC is going to
solve?

It is still a hierarchical model of trust.  So at the top, if you
don't trust Verisign for the .COM domain and PIR for the .ORG domain
(and for people who are worried about the NSA, both of these are US
corporations), the whole system falls apart.

And even if you believe Verisign and PIR are paragons of virtue
which are incorruptible (even when in a dark room where no one can see,
as the old Chinese saying goes), what about all of the registrars?

Their dynamic with their users and the market is the same as with CAs
--- the market virtually guarantees a race to the bottom in terms of
quality and prices.  So beyond replacing names like "Comodo" with "Go
Daddy", what benefit do you actually think would accrue?  You'll still
be dealing with a self-service security model, probably using e-mail
based password recovery.

Sure, authenticating DNS queries when previously they were completely
unsecured is a good thing.  And if the PKI infrastructure for DNSSEC
is different from that of X.509 certificates, maybe that increases the
difficulty a little for the attacker.  But I get really worried when
people say that DNSSEC is somehow going to magically solve the PKI
problem.

Basically, DNSSEC maps almost identically to the previously unsolved
problem.

                                        - Ted

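The hierarchical-trust point in the message above can be made concrete by walking a DNSSEC delegation chain in code. The following is an added example written for this page, not code from the thread or from any DNSSEC implementation. It is deliberately simplified: each zone has a single key-signing key, a DS record is modelled as a SHA-256 digest over the child's name and public key, RRSIGs are plain Ed25519 signatures, and validity windows, key tags, ZSKs and wire formats are omitted. Zone names (".", "com.", "example.com.") and all keys are constructed at run time. The three scenarios in `Scenarios` show what a validating resolver can and cannot tell apart: a legitimate chain, a chain in which whoever holds the parent (TLD) zone's key has published a DS for a substitute key, and a key swap that was not blessed by the parent.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone models one zone's key-signing key. Real DNSSEC also has ZSKs,
// key tags, algorithms and RRSIG validity windows; all omitted here.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Link is one delegation step: the parent's DS for the child (a digest of
// the child's key) with the parent's signature over it, plus the child's
// self-signed DNSKEY.
type Link struct {
	Child    string
	ChildKey ed25519.PublicKey
	DS       []byte // SHA-256 over child name and key, published by the parent
	DSSig    []byte // parent's signature over (child name || DS)
	KeySig   []byte // child's signature over (child name || its own key)
}

// NewZone generates a fresh Ed25519 key pair for a zone (constructed data).
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// dsDigest is the simplified DS: SHA-256(owner name || public key).
func dsDigest(name string, key ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write(key)
	return h.Sum(nil)
}

// Delegate has the parent publish and sign a DS for childPub under childName,
// and the holder of childPriv self-sign the matching DNSKEY. Only the parent's
// key is needed to mint a DS the resolver will accept: that is the
// hierarchical trust step the message argues about.
func Delegate(parent *Zone, childName string, childPub ed25519.PublicKey, childPriv ed25519.PrivateKey) Link {
	ds := dsDigest(childName, childPub)
	return Link{
		Child:    childName,
		ChildKey: childPub,
		DS:       ds,
		DSSig:    ed25519.Sign(parent.priv, append([]byte(childName), ds...)),
		KeySig:   ed25519.Sign(childPriv, append([]byte(childName), childPub...)),
	}
}

// Validate walks the chain from the trust anchor (the root key) downward and
// returns the validated leaf key, or an error naming the step that failed.
func Validate(anchor ed25519.PublicKey, chain []Link) (ed25519.PublicKey, error) {
	parentKey := anchor
	for _, l := range chain {
		if !ed25519.Verify(parentKey, append([]byte(l.Child), l.DS...), l.DSSig) {
			return nil, fmt.Errorf("%s: DS not signed by parent", l.Child)
		}
		if !bytes.Equal(l.DS, dsDigest(l.Child, l.ChildKey)) {
			return nil, fmt.Errorf("%s: DNSKEY does not match parent's DS", l.Child)
		}
		if !ed25519.Verify(l.ChildKey, append([]byte(l.Child), l.ChildKey...), l.KeySig) {
			return nil, fmt.Errorf("%s: DNSKEY self-signature invalid", l.Child)
		}
		parentKey = l.ChildKey
	}
	return parentKey, nil
}

// Scenarios returns whether each of three chains validates against the root
// anchor: the legitimate chain, a chain where the holder of the "com." key
// delegated to a substitute example.com. key, and a key swap with no
// cooperating parent (the real DS is kept, only the DNSKEY is replaced).
func Scenarios() (legitOK, forgedOK, tamperedOK bool) {
	root, com, example := NewZone("."), NewZone("com."), NewZone("example.com.")
	legit := []Link{
		Delegate(root, com.Name, com.Pub, com.priv),
		Delegate(com, example.Name, example.Pub, example.priv),
	}
	rogue := NewZone("example.com.") // attacker-controlled key, constructed

	forged := []Link{legit[0], Delegate(com, rogue.Name, rogue.Pub, rogue.priv)}

	tampered := []Link{legit[0], legit[1]}
	tampered[1].ChildKey = rogue.Pub
	tampered[1].KeySig = ed25519.Sign(rogue.priv, append([]byte(rogue.Name), rogue.Pub...))

	_, e1 := Validate(root.Pub, legit)
	_, e2 := Validate(root.Pub, forged)
	_, e3 := Validate(root.Pub, tampered)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	legit, forged, tampered := Scenarios()
	fmt.Println("legitimate chain validates:        ", legit)
	fmt.Println("parent-issued substitute validates:", forged)
	fmt.Println("unblessed key swap validates:      ", tampered)
}
```

The second scenario is the one the message is about: a resolver holding only the root anchor accepts the substitute key as readily as the real one, because the only thing vouching for example.com.'s key is a DS signed by the "com." zone. The third scenario shows the protection DNSSEC does give: an attacker who cannot get a DS published (by the TLD, or through the registrar's DS submission path) cannot make a swapped key validate.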