New IAB Chair Defends DNSSEC
bednarz writes "Olaf Kolkman, the new chair of the Internet Architecture Board, says that DNSSEC — an approach to authenticating DNS traffic that has been slow to take off — is not a failure. 'It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem'."
If DNSSEC Is Success, What Does Failure Look Like? (Score:4, Interesting)
Nothing about DNSSEC has improved since I wrote about it last year [matasano.com]:
DNSSEC is a huge waste of time. For a fraction of the effort, we could have pervasive opportunistic VPN-style connections. Or we could clean up the mess of insecure code that currently provides our core infrastructure. Or a unified standard secure email transport based on GPG/PGP. Or a concerted effort to solve the cross-site scripting problem. You could come up with a way to secure and authenticate the AOL OSCAR IM protocol and still do more good than DNSSEC ever will.
Of course, the IETF people will never admit this. The IETF types used to define themselves by making fun of the OSI X-standards people; "rough consensus and working code!". The Internet won, CLNP lost. Where do you think all those standards bureaucrats you made fun of in the OSI groups went? That's right; to IETF working groups.
Re:DNSSEC doesn't seem very useful (Score:3, Interesting)
DNSSEC doesn't encrypt anything, it just authenticates. And it fits into the DNS design of caching and recursive nameservers - believe your ISP's server will give you something that proves the answer came from the authoritative server at some time less than $TTL seconds ago. Now, I don't remember if your ISP's nameserver has to have special DNSSEC support or not to pass that information to you...probably yes, which is another infrastructure hurdle.
I'd take advantage of DNSSEC if the infrastructure were there - including a public key in a DNSSEC-authenticated zone would be a good way to authenticate a host. There are two other ways in common use by the clients you mentioned, and neither is quite satisfactory:
In fact, I just googled for "ssh dnssec" and it looks like someone has already written the code for this.
New protocols could rely on DNSSEC instead, and there are probably other protocols like ssh that could be retrofitted easily.
I'm not holding my breath on the infrastructure, though. It's been a while since I've looked at DNSSEC, but IIRC most of the benefits don't come until it's deployed from the root on down. Until .org uses DNSSEC, I can't really use it for slamb.org. I could manually add slamb.org's key into my client software maybe, but that's really not much better than creating my own root certificate for existing PKI mechanisms.
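The two points in this comment, a host key published in a signed zone and the chain of trust having to reach down from the root, can be shown in one small model. The following Go program is an added example, not code from the commenter or from any DNSSEC implementation: it uses Ed25519 in place of the DNSSEC algorithms, has each parent sign a hash of its child's key directly instead of publishing DS and RRSIG records in wire format, and computes a real SSHFP type-2 value (SHA-256 over the ssh-ed25519 public-key blob as defined in RFC 4255/6594 and RFC 8709). The zone names are the ones from the comment; all keys are generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Zone is one zone in the toy hierarchy with a single signing key pair
// (stands in for a DNSKEY). Also reused below just to mint an SSH host key.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// DS models a delegation: the parent vouches for the child's key by signing a
// hash over (child name, child key). Real DNSSEC publishes a DS hash plus an
// RRSIG in the parent zone; the trust relationship is the same.
type DS struct {
	Child    string
	ChildPub ed25519.PublicKey
	Sig      []byte
}

func dsMessage(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(child+"|DS|"), pub...))
	return h[:]
}

func (parent *Zone) Delegate(child *Zone) DS {
	return DS{child.Name, child.Pub, ed25519.Sign(parent.priv, dsMessage(child.Name, child.Pub))}
}

// SSHFP models an SSHFP record (fingerprint type 2: SHA-256 over the SSH
// public-key blob) together with the publishing zone's signature over it.
type SSHFP struct {
	Host, Fingerprint string
	Sig               []byte
}

func sshfpMessage(host, fp string) []byte { return []byte("SSHFP|" + host + "|" + fp) }

func (z *Zone) SignSSHFP(host string, hostPub ed25519.PublicKey) SSHFP {
	fp := Fingerprint(hostPub)
	return SSHFP{host, fp, ed25519.Sign(z.priv, sshfpMessage(host, fp))}
}

// sshKeyBlob is the SSH wire encoding of an ssh-ed25519 public key
// (RFC 8709): string "ssh-ed25519", then a string holding the 32 key bytes.
func sshKeyBlob(pub ed25519.PublicKey) []byte {
	var b []byte
	for _, f := range [][]byte{[]byte("ssh-ed25519"), pub} {
		b = binary.BigEndian.AppendUint32(b, uint32(len(f)))
		b = append(b, f...)
	}
	return b
}

// Fingerprint is the SSHFP type-2 value as lowercase hex.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(sshKeyBlob(pub))
	return hex.EncodeToString(sum[:])
}

// Validate walks from the trust anchor down the delegation chain, checks the
// SSHFP signature under the leaf zone's key, then compares the fingerprint with
// the key the SSH server actually presented. One unsigned link (an unsigned
// .org in the comment's example) fails the whole chain.
func Validate(anchor ed25519.PublicKey, chain []DS, rec SSHFP, hostPub ed25519.PublicKey) bool {
	cur := anchor
	for _, ds := range chain {
		if !ed25519.Verify(cur, dsMessage(ds.Child, ds.ChildPub), ds.Sig) {
			return false
		}
		cur = ds.ChildPub
	}
	if !ed25519.Verify(cur, sshfpMessage(rec.Host, rec.Fingerprint), rec.Sig) {
		return false
	}
	return rec.Fingerprint == Fingerprint(hostPub)
}

func main() {
	root, org, slamb := NewZone("."), NewZone("org."), NewZone("slamb.org.")
	host := NewZone("host").Pub // SSH host key; the private half is unused here
	rec := slamb.SignSSHFP("slamb.org.", host)
	full := []DS{root.Delegate(org), org.Delegate(slamb)}
	fmt.Println("chain from root:        ", Validate(root.Pub, full, rec, host))
	fmt.Println(".org unsigned:          ", Validate(root.Pub, full[1:], rec, host))
	fmt.Println("wrong host key:         ", Validate(root.Pub, full, rec, NewZone("x").Pub))
	fmt.Println("slamb.org key as anchor:", Validate(slamb.Pub, nil, rec, host))
}
```

The last line in main is the commenter's fallback: with slamb.org's own key configured as a trust anchor the record validates without any parent, which is exactly the "my own root certificate" situation, since every client then has to be told that key out of band.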
Re:Personal motivation? (Score:3, Interesting)
I don't get this porn fest thing. I use the interwebs all the time, and barely ever see any porn. Where is this porn of which you speak?
The core principle of the internet to me is that anyone can edit it/add to it, or take it in some new direction.
We have Wikipedia, 'Ask a Ninja' and Red vs Blue now. Three things I never would have thought of when I first plugged my 33k modem in, many years ago. My contribution to the web's main attribute is that people keep visiting my site and downloading because they think it's a mod for WoW (confusion in the name). Then they discover it's really boring...