
DNSSEC

Posted Feb 12, 2008 14:50 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: Interesting, not unexpected. by jd
Parent article: DNS Inventor Warns of Next Big Threat (Dark Reading)

As I understand it, DNSSEC was designed with the DNS roots as the root of the public key
system. This makes sense, operationally.

However, DNSSEC arrived too late to take advantage of the old cabals which would have given
this key and its associated responsibilities to some group of technicians. The existence of a
DNSSEC root would effectively be authority to create TLDs. All the squabbling politicians now
involved in "running" the Internet think this power ought to belong to them. If you can get
them all to agree, you can have DNSSEC as originally envisioned. Good luck with that.

Without DNSSEC on the root, it makes little sense to have it for the TLDs, since black hats
can (as I understand it) just spoof a root server response telling you that the TLD doesn't
have DNSSEC. Without DNSSEC on the TLDs, it's basically useless except for internal matters.

There are basically two paths to getting things deployed on the root servers, either you
secretly agree with the operators to just do it, and then act innocent when ICANN and similar
bureaucracies notice a few months later and ask what happened, or you have to go through
months and years of bullshit meetings in which everybody is engaged in silly political games
of point scoring, empire building etc.


DNSSEC

Posted Feb 12, 2008 18:24 UTC (Tue) by miekg (subscriber, #4403) [Link]

> Without DNSSEC on the root, it makes little sense to have it for the TLDs, since black hats
> can (as I understand it)

This isn't true, but you will need to have the public key of the specific TLD to make it all
work. The idea of having DNSSEC deployed on the root means you will only need one key
configured at home (or wherever).
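As an added illustration of the trust-anchor point made in this exchange (not code from LWN or from the commenters), here is a toy chain-of-trust walk in Python. The zone names, key tags and the unsigned root are constructed sample data, and DS matching is reduced to a key-tag comparison; the idea it shows is that validation starts at the closest configured trust anchor, so a TLD anchor works whether or not the root is signed.

```python
"""Simplified DNSSEC chain-of-trust walk (RFC 4033/4035 style).
Constructed sample data: a 2008-style unsigned root, a signed TLD and one
signed second-level zone. Real DS records hash the child DNSKEY; here a
DS is just the child's key tag."""

ZONES = {
    ".":           {"key": None, "ds": {}},                 # root unsigned
    "uk.":         {"key": 1001, "ds": {"example.uk.": 2002}},
    "example.uk.": {"key": 2002, "ds": {}},
}

def parent_of(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def chain(name):
    """Zone cuts from the root down to name, e.g. ['.', 'uk.', 'example.uk.']."""
    out = []
    while True:
        out.append(name)
        if name == ".":
            return list(reversed(out))
        name = parent_of(name)

def validate(name, trust_anchors, spoofed_no_ds=()):
    """Return 'secure', 'insecure' or 'bogus' for name.

    trust_anchors: {zone: key_tag} configured locally by the operator.
    spoofed_no_ds: zones for which a forged parent answer claims "no DS".
    """
    zones = chain(name)
    # Validation begins at the closest enclosing configured trust anchor;
    # anything above it (e.g. an unsigned root) is never consulted.
    anchored = [z for z in zones if z in trust_anchors]
    if not anchored:
        return "insecure"            # nothing to validate against
    start = anchored[-1]
    if trust_anchors[start] != ZONES[start]["key"]:
        return "bogus"               # anchor does not match the published key
    i = zones.index(start)
    for parent, child in zip(zones[i:], zones[i + 1:]):
        if child in spoofed_no_ds:
            # Below a signed parent, "no DS" must be a signed denial of
            # existence; a forged one carries no valid signature.
            return "bogus"
        ds = ZONES[parent]["ds"].get(child)
        if ds is None:
            return "insecure"        # genuinely unsigned delegation
        if ds != ZONES[child]["key"]:
            return "bogus"
    return "secure"
```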

DNSSEC

Posted Feb 12, 2008 21:45 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

Ah right, thank you for the correction.

DNSSEC

Posted Feb 13, 2008 10:34 UTC (Wed) by copsewood (subscriber, #199) [Link]

A DNS tree can be rooted anywhere people will use it. Good examples of this in connection with
specialised services are DNSBLs and DNSWLs. These can contain information about every IP
address or domain on the Net. This makes the current root operators subject to a kind of
competition, in the sense that if an alternate DNS root server organisation starts to offer
greater value in connection with generic DNS services, the political interest of the current
root operators will be forced to offer users what they want or become irrelevant. Presumably
this would also apply to unnecessary delays in rolling out DNSSEC - if the DNSSEC standards
and implementations are considered stable and usable enough for more than experimental rollout
based on alternate root servers.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.