
New IAB Chair Defends DNSSEC

bednarz writes "Olaf Kolkman, the new chair of the Internet Architecture Board, says that DNSSEC — an approach to authenticating DNS traffic that has been slow to take off — is not a failure. 'It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem'."
  • by X-treme-LLama ( 178013 ) on Wednesday March 28, 2007 @06:41PM (#18521793) Homepage
    Development and implementation have been slow or nonexistent across the board.. But that doesn't mean it is a failure..

    No, ok, I'll grant him that.. But sometimes no matter how useful (or perhaps good) an idea is, it just doesn't happen. Sorry mate..

    In the interview he says that it's a bit of a "chicken and the egg" problem, yet while he lists a few minor adopters who have it somewhat deployed, he has no concrete solution to the problem..

    Any type of DNS security or verification is certainly interesting, and probably beneficial, but DNS is 25-30 years old and still works; there just isn't a compelling reason to augment it for most people who deal with keeping DNS servers running...
  • by _ivy_ivy_ ( 1081273 ) on Wednesday March 28, 2007 @07:09PM (#18522167)
    Using that definition, I guess IPv6 is an overwhelming success too. Why does the world insist on pushing technology solutions that no one wants?
  • by bergeron76 ( 176351 ) on Wednesday March 28, 2007 @07:15PM (#18522235) Homepage
    The only benefit of a DNS trail is to allow rich corporations to audit the queries and optimize them in their favor.

    EVERYTHING the internet stands for (and created) will be vaporized by corporate control of it.

    Bloggers - you'll become accountable for what you say
    Hosters - you'll become responsible for your clients and what they upload
    ad nauseam...

    No thanks. I like the internet as it is.
  • DNSSEC (Score:2, Insightful)

    by Anonymous Coward on Wednesday March 28, 2007 @07:54PM (#18522647)
    I think Olaf is likely speaking in his role as DNSEXT co-chair or DNS developer, not as chair of the IAB. It's certainly not an "IAB statement" on their web site; it's just someone attributing extra weight to his statement since he picked up an extra dot in IETF-land.

    Since Olaf has been pretty heavily involved in the protocol development, he likely does think of it as a success or at least on the road to success. The reality is that it is getting some traction, but it is a long, steep hill.

    What does DNSSEC buy you? It allows you to use a cryptographic check to assure yourself that the data you have is the same as the data the zone maintainer put into the zone. It's object security, rather than channel security, in other words, and it could turn out to be very useful. In particular, it could mean that you would have a way of trusting the data you get from peers, which opens up new scaling possibilities for authoritative data. It doesn't mean that yet, because the whole system mimics the DNS design of descent from a root zone, and ICANN won't sign the root zone. There are proposals, including DLV, for look-aside validation, but they don't provide the same level of security. Instead, you get to decide whether the look-aside validator is clever enough to have done the right checks without the business relationships that underlie the real DNS chain of authority. Without ICANN signing the root, DNSSEC isn't really compelling, as it is bootstrapping security based on trust relationships that are vapor-solid. With it, it can be useful in setting up new distribution mechanisms for key data (if you could trust anyone to hand you the root zone while you had a valid way to check the signature, DDoS attacks on the root become very hard), and it helps against cache poisoning attacks. Since those are the precursor to other attacks (especially identity theft attacks), it is worth doing.

    But sexy? No. In demand? So far, only by previous victims of the attacks, but that may change if the connections are more obvious.
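
The object-security check described in the comment above, as an added example (not part of the original discussion, and not DNSSEC's actual wire format or algorithms): a validator holding only a parent trust anchor accepts signed records from any source and rejects altered ones. Lamport one-time signatures stand in for real DNSSEC keys so the sketch runs on the Python standard library; the zone name, addresses and all function names are constructed for illustration.

```python
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signatures: a stdlib-only stand-in (assumption) for DNSSEC's real algorithms.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def key_digest(pk):  # plays the role of the key digest in a DS record
    return H(b"".join(a + b for a, b in pk))

def canonical(rrset):  # deterministic bytes for a set of records
    return "\n".join(sorted(rrset)).encode()

ZONE = b"example.test. "  # constructed zone name
def build_zone():  # constructed sample: parent signs child's key digest, child signs its data
    parent_sk, parent_pk = keygen()
    zone_sk, zone_pk = keygen()
    rrset = ["www.example.test. A 192.0.2.10"]
    ds = ZONE + key_digest(zone_pk)
    return parent_pk, {"rrset": rrset, "rrsig": sign(zone_sk, canonical(rrset)),
                       "zone_pk": zone_pk, "ds": ds, "ds_sig": sign(parent_sk, ds)}

def validate(anchor_pk, ans):  # True only if the data chains back to the trust anchor
    if not verify(anchor_pk, ans["ds"], ans["ds_sig"]):
        return False  # delegation is not vouched for by the parent
    if ans["ds"] != ZONE + key_digest(ans["zone_pk"]):
        return False  # presented zone key is not the delegated one
    return verify(ans["zone_pk"], canonical(ans["rrset"]), ans["rrsig"])

def poisoned(ans):  # original signatures kept, address changed
    return dict(ans, rrset=["www.example.test. A 203.0.113.66"])

def rekeyed(ans):  # altered data correctly signed, but by a key the parent never vouched for
    sk, pk = keygen()
    forged = ["www.example.test. A 203.0.113.66"]
    return dict(ans, rrset=forged, rrsig=sign(sk, canonical(forged)), zone_pk=pk)
```

The validator never asks where the answer came from, only whether it chains to the anchor it already holds, which is why the comment's point about an unsigned root matters: without a trusted key at the top, `validate` has nothing to check against.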
  • by Anonymous Coward on Wednesday March 28, 2007 @08:23PM (#18522923)
    >If you're running a DNS server, an attacker with access to your network can
    >easily forge responses from that DNS server to other people. He can steal
    >your incoming mail, for example, and replace your web pages.

    If an attacker has access to your network, he can do a lot of things.

  • by Workaphobia ( 931620 ) on Wednesday March 28, 2007 @08:44PM (#18523107) Journal
    Why push solutions no one wants? Because they're good solutions to worthy problems. Because they're better than what we have. Because to not push them would offend technological common sense. If no one wants them then that doesn't mean they are inferior solutions; it could just as easily mean that people do not understand the problem.

    I believe there was a quote by a president who commented on the telephone, that went along the lines of, "It's a marvelous invention, but who would ever want one?"
  • by plague3106 ( 71849 ) on Thursday March 29, 2007 @04:31AM (#18525825)
    No, spam is not a freedom of speech issue. For example, no one's freedom of speech permits them to fill up the HR guy's email box to the point where it is almost unusable. The mailbox exists for the purpose of business communications.

    Freedom of speech does not permit you to litter your neighbor's house with leaflets, no matter what they say.

    I don't think people are going too far in battling spam; we recently switched to a new mail server, which has spam filtering built in using several filters, and our HR person is very grateful. Now instead of 300 spam emails, and 3 legit ones, he only has the three legit ones, and possibly a few spam.

    On the other hand, no one is being forced to look at a porn site. Anyone that wants to see it can, and anyone that doesn't go browsing for it.
