On Thu, 12 Sep 2013, Theodore Ts'o wrote:
More importantly, what problem do people think DNSSEC is going to
solve?
It is still a hierarchical model of trust. So at the top, if you
don't trust Verisign for the .COM domain and PIR for the .ORG domain
(and for people who are worried about the NSA, both of these are US
corporations), the whole system falls apart.
Any co-ercing that happens has to be globally visible, if the target
ensures he is using "random" nameservers to query for data. This should
be detectable, and I hope that high value domains (like eff.org) ensure
that they are monitoring DNS answers to see if any forged-with-private-key
answers are seen in the wild. (eg RIPE Atlas?) Once we have proof of that,
we can ponder about how to cut the US Government out of our DNS roots.
(sadly, eff.org is still not signed and has no TLSA record. Likely due
to their registrar not supporting it, but at least they could do DLV)
And even if you believe Verisign and PIR are a paragons of virtue
which are incorruptible (even when in a dark room when no one can see,
as the old Chinese saying goes), what about all of the registrars?
Their dynamic with their users and the market is the same as with CA's
--- the market virtually guarantees a race to the bottom in terms of
quality and prices. So beyond replacing names like "Comodo" with "Go
Daddy", what benefit do you actually think would accrue? You'll still
be dealing with a self-service security model, probably using e-mail
based password recovery.
As Tony said. You can pick a non-bottom one.
Basically, DNSSEC maps almost identically to the previously unsolved
problem.
Not at all - targetted attacks with CAs are easy. Unlike with DNSSEC.
Furthermore, TLDs could institute a delay mechanism with respect to
updating KSK/DS record so a compromised Registrar requesting an updated
DS won't come into effect immediately, and the Registrant has time to
react.
Paul