
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 10:04:27
On Sep 12, 2013, at 7:24 AM, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
> It is still a hierarchical model of trust.  So at the top, if you
> don't trust Verisign for the .COM domain and PIR for the .ORG domain
> (and for people who are worried about the NSA, both of these are US
> corporations), the whole system falls apart.

This isn't _quite_ true.   DNSSEC supports trust anchors at any point in the 
hierarchy, and indeed I think the right model for DNSSEC is that you would 
install trust anchors for things you really care about, and manage them in the 
same way that you manage your root trust anchor.   E.g., you'd install a trust 
anchor for your employer, and your bank, and maybe your local town government.
This is all future UI work, of course.

Furthermore, if the root key is compromised and that is then used to substitute 
a bogus key, it isn't that hard to notice that this has happened, and indeed we 
ought to be systematically noticing these things.   So hacking the root key is 
certainly a valid threat, but there is a great deal more transparency in the 
DNSSEC system than in the TLS PKI, and that should mean that the system is more 
robust in the face of this kind of attack.

That said, multiple independent systems used together, managed separately, will 
likely also add value, so TLS PKI + DNSSEC is probably better than TLS PKI or 
DNSSEC separately, modulo DoS attacks, which in this case would be easily 
detected and fixed.
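
The per-zone trust anchor idea in the message above, as an added example that is not part of the original message: a Python check that compares the DNSKEYs observed for a zone with locally pinned anchors (key tag, algorithm, SHA-256 DS digest as defined in RFC 4034) and reports key-signing keys that were never pinned. The zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name (lowercased, length-prefixed labels)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def check_zone(anchors, zone, observed):
    """Compare the DNSKEYs observed for `zone` with the locally pinned anchors.

    Returns ("no-anchor" | "ok" | "mismatch", key tags of unpinned SEP keys).
    """
    pinned = anchors.get(zone.lower().rstrip(".") + ".")
    if pinned is None:
        return "no-anchor", []
    matched, unknown = False, []
    for flags, protocol, algorithm, pubkey in observed:
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        if (key_tag(rdata), algorithm, ds_sha256(zone, rdata)) in pinned:
            matched = True
        elif flags & 0x0001:  # SEP bit set: a key-signing key we never pinned
            unknown.append(key_tag(rdata))
    return ("ok" if matched else "mismatch"), unknown

# Constructed sample data: the zone name and key bytes are made up.
ZONE = "bank.example."
GOOD_KSK = (257, 3, 8, bytes(range(32)))
ROGUE_KSK = (257, 3, 8, bytes(range(1, 33)))
_good = dnskey_rdata(*GOOD_KSK)
ANCHORS = {ZONE: {(key_tag(_good), 8, ds_sha256(ZONE, _good))}}

if __name__ == "__main__":
    print(check_zone(ANCHORS, ZONE, [GOOD_KSK]))   # pinned key present
    print(check_zone(ANCHORS, ZONE, [ROGUE_KSK]))  # only an unpinned key served
```

An "ok" result with a non-empty list means an unpinned key-signing key appeared next to the pinned one, which is what a legitimate rollover looks like and is still worth reviewing before the anchor is updated.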

