What to do about DNS?
Posted Apr 12, 2007 10:54 UTC (Thu) by job
Parent article: What to do about DNS?
I think the article misses what I see as the big idea with DNSSEC, that it is a key distribution mechanism. And what better global distributed database than the one we already use and trust on a daily basis?
Anyone who thinks that HTTPS or SSH magically gets the correct host key is blind to the obvious problem: Everyone accepts unknown keys, signing key distribution has to be performed manually by the web browser authors (which you must trust), key revocation remains largely unsolved, etc. Perhaps the biggest problem that remains is about identity. Remember the time someone got a false Microsoft key? Does this sound like a scheme we would like to trust all our future banking with?
DNSSEC presents a much more promising approach, that identity is the domain name and that key distribution is best done with DNS. Not all the details are in place yet and not all the software is written but it is by far the best solution yet.
The fact that DNSSEC makes zone transfer restrictions pointless is somewhat of a feature to me; that was a dumb idea anyway. The correct way to ensure that attackers don't access your internal data is to set up a split horizon configuration. Zone transfer restrictions inhibit my work on a regular basis when I can't find other people's errors properly.
I live in one of the few countries where we have a national DNSSEC system in place, and from what I can see it's mostly working. Very few people actually use it yet, but I think it's safe to say it works in practice. If there are better ideas, let's hear them, but you can't just stick your head in the sand and pretend HTTPS solves anything.
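As an added illustration of the "identity is the domain name, keys come from DNS" point in the comment above (example code written for this page, not the commenter's or any project's): checking an SSH host key against SSHFP records (RFC 4255) published under the host's name, with the resolver's DNSSEC validation verdict as an explicit input. The host keys, moduli and record contents are constructed for the example.

```python
import base64
import hashlib

# SSHFP rdata (RFC 4255): algorithm (1 = RSA, 2 = DSA), fingerprint type
# (1 = SHA-1), hex fingerprint computed over the raw public-key blob.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def _ssh_mpint(n):
    # positive mpint: minimal big-endian bytes with room for the sign bit
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _toy_rsa_hostkey(modulus, comment):
    # Constructed keys in SSH wire format; far too small for real use,
    # only here to exercise the fingerprint path offline.
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE_HOSTKEY = _toy_rsa_hostkey(0xC0FFEE1234567890ABCD, "host.example")
ROGUE_HOSTKEY = _toy_rsa_hostkey(0xBADC0DE9876543210FED, "attacker")

def sshfp_from_hostkey(line):
    """SSHFP tuple for a 'ssh-rsa AAAA... comment' line (known_hosts /
    ssh-keyscan format): (algorithm, fptype, lowercase hex SHA-1)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    return (SSHFP_ALGORITHM[keytype], 1, hashlib.sha1(blob).hexdigest())

def parse_sshfp_rdata(rdata):
    """Parse presentation format '1 1 0123...' (hex may be split by spaces)."""
    fields = rdata.split()
    return (int(fields[0]), int(fields[1]), "".join(fields[2:]).lower())

def check_host(hostkey_line, sshfp_rdata, dnssec_validated):
    """Compare a presented host key with the SSHFP rdata strings served for
    the host; dnssec_validated is the resolver's verdict (the AD bit).
    Returns 'match', 'mismatch' or 'unverified': an unsigned SSHFP answer
    can be spoofed as easily as the host key itself, so it is no confirmation."""
    if not dnssec_validated:
        return "unverified"
    presented = sshfp_from_hostkey(hostkey_line)
    for rdata in sshfp_rdata:
        if parse_sshfp_rdata(rdata) == presented:
            return "match"
    return "mismatch"
```

The zone operator publishes `"%d %d %s" % sshfp_from_hostkey(key)` for each host key; a client that trusts only DNSSEC-validated answers gets a stable fingerprint to compare against instead of accepting an unknown key on first contact.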