What to do about DNS?
Posted Apr 12, 2007 9:44 UTC (Thu) by copsewood
In reply to: What to do about DNS?
Parent article: What to do about DNS?
If I check the server-identity by the servers ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.
True if you:
- check the authenticated domain name is what you think it should be
- and know what it should be in the first place
- and it doesn't have any Unicode characters in it that are represented in your browser similarly or identically to characters in the domain name already known to you.
This also means you have to trust the certificator's checks of the identity of the owner of the https certificate to trust the identity of the https certificate owner. My understanding of DNSSEC is that it attempts to provide a much more scalable solution, by cryptographically authenticating the domain registration process itself rather than by tacking cryptography onto domain ownership as an afterthought. In other words you get a certificate when you register or renew a DNSSEC domain rather than having to purchase the certificate separately. DNSSEC also presumably makes it possible for different top level domains to enforce different standards and fees concerning the quality of names and the certification and repudiation of these. For example having a .MAIL TLD which requires adoption of a set of standards for management of mailing lists and which manages an associated reputation system, and a .SPAM domain which allows anyone to buy domain names at the cheapest technical cost temporarily using stolen credit cards would make mail filtering a whole lot easier. Having a .PLC domain which checks that registrants are public limited companies would enable someone seeing this as a TLD on a browser to know something about the registrant, as well as knowing that the .PLC operator will have checked the credentials of the subdomain owner before issuing a DNSSEC certificate.
So I think HTTPS and DNSSEC certificates will both be useful but address different and complementary if overlapping needs. Not all certificates are equal, and having the quality of certification present in the TLD part of the name in my view offers a significant improvement.
to post comments)