Courtesy http://cr.yp.to/djbdns/forgery.html:
Even if DNSSEC is someday put into place, it will continue to allow attacks through Network Solutions itself. What happens if a Network Solutions employee is bribed? Are the Network Solutions computers secure? An attacker who breaks into one critical Network Solutions computer will have control over the entire Internet.
In January 2001, an attacker fooled VeriSign, the parent company of Network Solutions, into signing a fake "Microsoft Corporation" ActiveX key. We're supposed to trust these people?
There's a different way to use public-key signatures to prevent forgeries. It's simpler and faster than DNSSEC, and it doesn't rely on a central authority.
The disadvantage is that it requires long host names, too long to remember. On the other hand, users seem to find computerized bookmarks a satisfactory solution to the problem of remembering long web addresses. As more and more business is carried out electronically, long host names will become less and less of a problem.
The idea is simply to give each computer a name that includes the computer's nym, a fingerprint of the computer's public key. Other computers then discard DNS records for these names if the records aren't accompanied by signatures under the corresponding public keys.
My top priority for djbdns is to support nym-based security.
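The nym scheme quoted above (a host name whose leftmost label is a fingerprint of the host's public key, and a resolver that discards records for such a name unless they carry a signature under that key) as a runnable sketch. This is an added example, not code from djbdns or from the cr.yp.to page: the page does not say which signature scheme or fingerprint format djb intended, so the example uses a Lamport one-time signature built from SHA-256 (standard library only, so it runs offline) and assumes a fingerprint of the first 20 bytes of SHA-256 over the encoded key, base32-encoded into a 32-character label. The suffix `example.net`, the addresses, and the record encoding are constructed for the demo.

```python
"""Toy 'nym' DNS check: the host name carries a fingerprint of the host's public
key, and the resolver keeps a record for that name only if the attached key has
that fingerprint AND signed the record.  Added example, not djbdns code.
Signature scheme: Lamport one-time signatures (assumption; the page names none)."""
import base64
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures: each key pair must sign exactly ONE message ---
def keygen():
    # private key: 256 pairs of random 32-byte secrets; public key: their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def pk_encode(pk) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in pk)


def _bits(digest: bytes):
    # the 256 bits of a SHA-256 digest, most significant bit first
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg: bytes) -> bytes:
    # for each digest bit, reveal the secret whose hash sits in the public key
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(H(msg))))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(_bits(H(msg))))


# --- nym-based host names ---
def nym(pk) -> str:
    # assumed fingerprint format: first 20 bytes of SHA-256 over the encoded key,
    # base32 (no padding needed for 20 bytes) -> 32 lowercase alphanumerics,
    # which is a legal DNS label
    return base64.b32encode(H(pk_encode(pk))[:20]).decode("ascii").lower()


def host_name(pk, suffix: str) -> str:
    return f"{nym(pk)}.{suffix}"


def record_bytes(name: str, rtype: str, rdata: str) -> bytes:
    # canonical form covered by the signature (constructed encoding for the demo)
    return b"\x00".join(s.encode() for s in (name.lower(), rtype.upper(), rdata))


def sign_record(sk, name: str, rtype: str, rdata: str) -> bytes:
    return sign(sk, record_bytes(name, rtype, rdata))


def accept_record(name: str, rtype: str, rdata: str, pk, sig: bytes) -> bool:
    """Resolver-side check from the quoted paragraph: the key must be the one
    named by the leftmost label, and it must have signed this exact record.
    No registry or certificate authority is consulted at any point."""
    label = name.lower().split(".", 1)[0]
    if label != nym(pk):
        return False  # some other key: it cannot speak for this name
    return verify(pk, record_bytes(name, rtype, rdata), sig)


def demo():
    """Honest record, then two forgeries; returns (accepted, rejected, rejected)."""
    sk, pk = keygen()
    name = host_name(pk, "example.net")          # constructed suffix
    sig = sign_record(sk, name, "A", "192.0.2.10")
    honest = accept_record(name, "A", "192.0.2.10", pk, sig)
    # forgery 1: attacker signs a record for the same name with a key of their own
    ask, apk = keygen()
    forged_key = accept_record(name, "A", "203.0.113.5", apk,
                               sign_record(ask, name, "A", "203.0.113.5"))
    # forgery 2: attacker replays the honest signature over altered rdata
    forged_data = accept_record(name, "A", "203.0.113.5", pk, sig)
    return honest, forged_key, forged_data


if __name__ == "__main__":
    print(demo())
```

Two caveats the demo makes visible: the binding between name and key lives in the name itself, so a compromised registry cannot substitute a key without also changing the name people have bookmarked, which is exactly the property the quoted text is after; and a Lamport key must never sign a second message, so a real deployment would use a many-time scheme, which the page does not specify.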
Copyright © 2017, Eklektix, Inc.