LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

What to do about DNS?

What to do about DNS?

Posted Apr 12, 2007 9:44 UTC (Thu) by copsewood (subscriber, #199)
In reply to: What to do about DNS? by ekj
Parent article: What to do about DNS?

If I check the server-identity by the servers ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.

True if you:

  1. check the authenticated domain name is what you think it should be
  2. and know what it should be in the first place
  3. and it doesn't have any Unicode characters in it that are represented in your browser similarly or identically to characters in the domain name already known to you.

This also means you have to trust the certificator's checks of the identity of the owner of the https certificate to trust the identity of the https certificate owner. My understanding of DNSSEC is that it attempts to provide a much more scalable solution, by cryptographically authenticating the domain registration process itself rather than by tacking cryptography onto domain ownership as an afterthought. In other words you get a certificate when you register or renew a DNSSEC domain rather than having to purchase the certificate separately. DNSSEC also presumably makes it possible for different top level domains to enforce different standards and fees concerning the quality of names and the certification and repudiation of these. For example having a .MAIL TLD which requires adoption of a set of standards for management of mailing lists and which manages an associated reputation system, and a .SPAM domain which allows anyone to buy domain names at the cheapest technical cost temporarily using stolen credit cards would make mail filtering a whole lot easier. Having a .PLC domain which checks that registrants are public limited companies would enable someone seeing this as a TLD on a browser to know something about the registrant, as well as knowing that the .PLC operator will have checked the credentials of the subdomain owner before issuing a DNSSEC certificate.

So I think HTTPS and DNSSEC certificates will both be useful but address different and complementary if overlapping needs. Not all certificates are equal, and having the quality of certification present in the TLD part of the name in my view offers a significant improvement.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds