The inventor of the domain name system has blamed technical and political wrangling for delays in improving internet infrastructure security. Dr Paul Mockapetris, chairman of DNS firm Nominum, explained that the use of digital signatures would help fix fundamental vulnerabilities in the internet's domain name system, highlighted …
Add security features later ...
The Internet was designed for a very specific kind of robustness - that communication between a modest number of trusted systems could be maintained in the event of a significant proportion of them being blown up. DNS fits in this system just fine.
The Internet very specifically wasn't designed to deal with untrusted systems and it certainly wasn't designed to deal handily with huge numbers of potential diverse routes operated by private organisations with commercial arrangements for carrying each other's traffic under narrowly-defined circumstances. Unsurprisingly, neither was DNS.
Adding security to DNS is going to change the world in much the same way that getting a new wardrobe for Sarah Palin did.
Why is it not being implemented now? Surely there have not been TOO many changes in the 25 or so years DNS has been in existence. Off to double and triple check websites, caches, proxies, etc.
No coat, it's Los Angeles, it's a nice day out.
If DNSsec has been ready for 15 years and still hasn't been adopted, perhaps that is because those who would bear the costs of the upgrade are not currently at any risk of bearing the costs of the current system.
As far as I can see, if my DNS service from my ISP gets redirected to Bad People, it is *my* machine that gets exposed to the risks and my ISP simply sees a drop in traffic. They might actually be quite pleased about that. I'm not.
Is anyone in a position to force the issue? Is there a top-level DNSsec service that ISPs can plug into, so that I can choose an ISP that has done so? Could those who hold the keys to the root servers just announce that non-sec DNS will be switched off on <date>?
If not, the economics would appear to suggest that we are stuck with insecure DNS forever.
I'm ready for both just as soon as the rest of the 'Net is - just show me the kit!
Coat, as I can't see either happening any time soon...
Not totally sure DNSSEC was ready enough to be deployed technically 15 years ago by many people and some improvements have been made since then but not enough to make deployment at all easy. Another factor holding back deployment is the Esperanto problem. Great language, but too few people speak it to make it worth learning. The application that will probably need to go to DNSSEC first is probably money - banks are likely to adopt DNSSEC themselves and then force e-commerce sites to use it next because the losses from phishers routinely compromising ordinary DNS become too great.
Once enough ISPs support DNSSEC for their customers, your bank won't let you make on-line payments or do online banking from ISP connections that don't.
I guess what us end-users with our own DNS servers need is a patch that allows trusted stuff inside the firewall to carry on as before, querying the local DNS server that will then use DNSSec out on the Wild Wild Web^WInternet.
So, as asked by others, is there a secure public service available we can use? More to the point, *can* there be a secure public service available until all authoritative servers support it? Otherwise how does my DNSSec server know that it's talking to the real server for the site I'm trying to access?
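The question just raised (how a validating resolver knows it is talking to the real zone) is answered by the DNSSEC chain of trust: the resolver holds only the root key's digest as a configured trust anchor, and each parent zone publishes a DS record that is a hash of its child's DNSKEY, so a substituted key breaks the link. The walk below is an added illustration and not code from the article or the commenter; the key material is constructed random bytes, the zone names are hypothetical, and RRSIG signature checking is left out to keep the focus on the delegation chain.

```python
"""Added example: DS-based chain-of-trust walk as a DNSSEC-validating resolver performs it.
Assumptions (not from the page): key bytes are constructed stand-ins for DNSKEY RDATA,
zone names are hypothetical, and RRSIG verification with the public keys is omitted."""
import hashlib
import os


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS owner name: length-prefixed lowercase labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def ds_digest(owner: str, dnskey_rdata: bytes) -> bytes:
    """DS digest as defined in RFC 4034 section 5.1.4, digest type 2 (SHA-256):
    SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()


def validate_chain(zones, trust_anchor_digest):
    """Walk root -> ... -> leaf zone. Each zone's DNSKEY must hash to the DS its parent
    published (the root's DS is the resolver's configured trust anchor). Returns the name
    of the first zone whose key does not match, or None when every link verifies."""
    expected = trust_anchor_digest
    for zone in zones:
        if ds_digest(zone["name"], zone["dnskey"]) != expected:
            return zone["name"]          # delegation broken: answer is not from the real zone
        expected = zone.get("ds_for_child")  # DS the parent publishes for the next zone down
    return None


# Constructed key material standing in for DNSKEY RDATA (not real zone keys).
ROOT_KEY, EXAMPLE_KEY, BANK_KEY, ROGUE_KEY = (os.urandom(64) for _ in range(4))
# The only thing the resolver trusts a priori: the root key digest, configured locally.
TRUST_ANCHOR = ds_digest(".", ROOT_KEY)


def good_chain():
    """Hypothetical zones root -> example. -> bank.example., each DS matching its child's key."""
    return [
        {"name": ".", "dnskey": ROOT_KEY, "ds_for_child": ds_digest("example.", EXAMPLE_KEY)},
        {"name": "example.", "dnskey": EXAMPLE_KEY, "ds_for_child": ds_digest("bank.example.", BANK_KEY)},
        {"name": "bank.example.", "dnskey": BANK_KEY},
    ]


def spoofed_chain():
    """Same chain, but the leaf answer carries a substituted key: the parent's DS no longer matches."""
    chain = good_chain()
    chain[2]["dnskey"] = ROGUE_KEY
    return chain
```

The resolver never has to know in advance who runs the authoritative server; it only checks that each answer's key hashes to the DS published one level up, all the way to the locally configured root anchor.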