New IAB Chair Defends DNSSEC
bednarz writes "Olaf Kolkman, the new chair of the Internet Architecture Board, says that DNSSEC — an approach to authenticating DNS traffic that has been slow to take off — is not a failure. 'It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem'."
So let me get this straight... (Score:4, Insightful)
No, OK, I'll grant him that. But sometimes no matter how useful (or perhaps good) an idea is, it just doesn't happen. Sorry mate.
In the interview he says that it's a bit of a "chicken and the egg" problem, yet while he lists a few minor adopters who have it somewhat deployed, he has no concrete solution to the problem.
Any type of DNS security or verification is certainly interesting, and probably beneficial, but DNS is 25-30 years old, and still works; there just isn't a compelling reason to augment it for most people who deal with keeping DNS servers running...
Re:So let me get this straight... (Score:2, Insightful)
Authenticating DNS provides an audit trail... (Score:3, Insightful)
EVERYTHING the internet stands for (and created) will be vaporized by corporate control of it.
Bloggers - you'll become accountable for what you say
Hosters - you'll become responsible for your clients and what they upload
ad nauseam...
No thanks. I like the internet as it is.
DNSSEC (Score:2, Insightful)
Since Olaf has been pretty heavily involved in the protocol development, he likely does think of it as a success, or at least on the road to success. The reality is that it is getting some traction, but it is a long, steep hill.
What does DNSSEC buy you? It allows you to use a cryptographic check to assure yourself that the data you have is the same as the data the zone maintainer put into the zone. It's object security, rather than channel security, in other words, and it could turn out to be very useful. In particular, it could mean that you would have a way of trusting the data you get from peers, which opens up new scaling possibilities for authoritative data. It doesn't mean that yet, because the whole system mimics the DNS design of descent from a root zone, and ICANN won't sign the root zone. There are proposals, including DLV, for look-aside validation, but they don't provide the same level of security. Instead, you get to decide whether the look-aside validator is clever enough to have done the right checks without the business relationships that underlie the real DNS chain of authority. Without ICANN signing the root, DNSSEC isn't really compelling, as it is bootstrapping security based on trust relationships that are vapor-solid. With it, it can be useful in setting up new distribution mechanisms for key data (if you could trust anyone to hand you the root zone while you had a valid way to check the signature, DDoS attacks on the root become very hard), and it helps against cache poisoning attacks. Since those are the precursor to other attacks (especially identity theft attacks), it is worth doing.
But sexy? No. In demand? So far, only by previous victims of the attacks, but that may change if the connections are more obvious.
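The chain of authority this comment describes, as an added example that is not part of the original post or of any DNSSEC implementation: a trust anchor pins a child zone's key through a signed DS record, the zone signs its own records, and a validating resolver walks the chain from the anchor down (Go, with ed25519 standing in for the real DNSSEC algorithms; the zone names, addresses and the Zone/Link/Validate helpers are constructed assumptions). It also shows the comment's point that without a signed root there is no anchor and nothing validates, and that a swapped record or a self-pinned rogue zone is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Toy model of DNSSEC object security (constructed example, not a real DNS library): a parent pins
// its child's DNSKEY with a signed DS record, the child signs its RRsets, and a resolver validates
// from a configured trust anchor down to whatever record it was handed.
type Zone struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }
type Signed struct{ Data, Sig []byte }               // an RRset or DS record plus its RRSIG-like signature
type Link struct{ Key ed25519.PublicKey; DS Signed } // one chain step: child DNSKEY and parent's signed DS

func NewZone() Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // a crypto/rand failure is unrecoverable for this toy
	return Zone{pub, priv}
}
func (z Zone) Sign(data []byte) Signed { return Signed{data, ed25519.Sign(z.priv, data)} }
func DS(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] } // digest the parent signs

// Validate walks the chain of authority from the trust anchor to the record: each DS must verify
// under the key above it and match the child key below it.
func Validate(anchor ed25519.PublicKey, chain []Link, record Signed) bool {
	if len(anchor) != ed25519.PublicKeySize { return false } // unsigned root: no anchor to bootstrap from
	cur := anchor
	for _, l := range chain {
		if !ed25519.Verify(cur, l.DS.Data, l.DS.Sig) || !bytes.Equal(l.DS.Data, DS(l.Key)) {
			return false
		}
		cur = l.Key
	}
	return ed25519.Verify(cur, record.Data, record.Sig)
}

// Scenario: root signs the DS for "example.", which signs an A record (constructed values). It reports
// whether the genuine record, a poisoned copy, a rogue self-pinned zone, and a no-anchor lookup pass.
func Scenario() (genuine, poisoned, rogue, noAnchor bool) {
	root, zone, attacker := NewZone(), NewZone(), NewZone()
	chain := []Link{{zone.Pub, root.Sign(DS(zone.Pub))}}
	rec := zone.Sign([]byte("www.example. A 192.0.2.10"))
	forged := Signed{[]byte("www.example. A 198.51.100.9"), rec.Sig}      // data swapped, RRSIG kept
	rogueChain := []Link{{attacker.Pub, attacker.Sign(DS(attacker.Pub))}} // DS not signed by root
	return Validate(root.Pub, chain, rec), Validate(root.Pub, chain, forged),
		Validate(root.Pub, rogueChain, attacker.Sign(rec.Data)), Validate(nil, chain, rec)
}
```

Only the genuine record validates; the other three outcomes are exactly the cases a DLV-style look-aside validator has to reconstruct by other means when the root itself is unsigned.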
Re:Bernstein rips DNSSEC a new a-hole (Score:1, Insightful)
>easily forge responses from that DNS server to other people. He can steal
>your incoming mail, for example, and replace your web pages.
If an attacker has access to your network, he can do a lot of things.
Re:So let me get this straight... (Score:4, Insightful)
I believe there was a quote by a president who commented on the telephone, that went along the lines of, "It's a marvelous invention, but who would ever want one?"
Re:what do spam and porn have in common? (Score:3, Insightful)
Freedom of speech does not permit you to litter your neighbor's house with leaflets, no matter what they say.
I don't think people are going too far in battling spam; we recently switched to a new mail server, which has spam filtering built in using several filters, and our HR person is very grateful. Now instead of 300 spam emails and 3 legit ones, he only has the three legit ones, and possibly a few spam.
On the other hand, no one is being forced to look at a porn site. Anyone that wants to see it can, and anyone that doesn't go browsing for it.