Comcast - one of the largest ISPs in the US - has deployed new technology designed to protect the internet against a well-known form of attack that allows attackers to surreptitiously lure end users to impostor websites. For now, Comcast users who want to use the technology, known as DNSSEC, or DNS Security Extensions, must …
I'm sure it is quite a serious subject but....
Does this mean that if I am on Vermin Media and tipsytype a URL I am finally going to get adverts for Lemon Curd and Coal Pizzas?
Locking the root in gov.us hands...
...sounds really appealing if I were any of the just under 200 other countries and not-a-countries around the world. Thanks so much for completely ignoring the non-technical aspects, DJB style, while forcing the issue, Dan Kaminsky.
DNSsec has problems, like big privacy ones. DNScurve has a different set of problems. None are silver bullets. Especially letting the root be sat on by the bully of the playground is going to be problematic in the long term. Welcome to the internet balkans.
DNSSEC and privacy
> DNSsec has problems, like big privacy ones.
you clearly don't know what you're talking about. privacy was never a design goal of dnssec. the authentication and non-repudiation of dns data was. so dnssec has the same privacy issues as regular dns. which are obvious because the dns is a public database.
claiming dnssec has big privacy problems is as silly as saying the phone book has privacy problems.
DNSSEC removes the "I won't allow AXFR" protection because by its very design it allows you to enumerate the entire zone whether the publisher wants you to or not. The very reason DNSBLs are using DNS to build a BL is exactly the ability to serve some information but not also serve the entire phone book with it.
Claiming this is not an issue because it "was never a design goal" is the incredibly stupid and short-sighted twattery that programmers like to display if they have some half-a-solution stuck in their minds, wilfully ignoring any side effects, and admins then get to mop up... again. How'd you feel if, oh, everyone's taxes were irrevocably put online because "privacy was never a design goal of taxes"? If it wasn't it bloody well should have been, so back to the drawing board, you nitwits.
Serving information is well and good, but removing limits on how you serve it in the name of security is, well, just as stupid as any other security circus feature, and here, bad design to boot. That's next to the incredibly cynical stupidity of taking a co-operative international entity, locking it up, and giving the keys to the one government that manages to piss off the most of the others. Well done, that.
That's odd, whilst you were throwing stones in that comment I somehow missed where you came up with the solution to this problem.
This has been an issue awaiting a viable solution for a long time, perhaps you could just put them out of their collective misery and just tell them how it should be done rather than giving them a pasting for trying to solve it.
The root zone is already published to an ftp server for anyone to download, so that's a non-issue.
NSEC3 resolves the problem with walking DNSSEC trees. AFAIK, all the big players will sign using NSEC3, so your concerns are completely moot.
Minor problem solved, rest declared moot
The root zone is the least of the problems. DNS is hierarchical, donchaknow. Each subdomain has a different owner or "authority", with different policies as to AXFR. If NSEC3 solves that, fine, but last I heard it was still broken. So that's an open problem.
Still have the political problems of who gets to sit on the keys, and that's still the guys who've proven most the government they're running is unfit to have it. So no, my concerns aren't moot at all. You just show again you're just as short-sighted as Dan Kaminsky and his merry band of technical bozos, refusing to see the very real, very real-world problems this is causing.
Sure you can declare problems that are inconveniently hard-to-impossible to solve technically (aka "people problems") moot so you don't have to think about them. Because as our friend the recently minted computer engineer Barbie knows so well: Thinking is hard!
But that doesn't make the problems go away. They're still there, laughing you in the face. You failed. Ha ha!
>> If NSEC3 solves that, fine, but last I heard it was still broken.
Then you (a) haven't been paying attention; (b) don't understand how DNSSEC works.
NSEC3 was invented because some folk wanted a DNSSEC solution that prevented zone enumeration. It works fine. Some TLDs are going to use it. .org already is... Even so, NSEC3 is a toxic pile of shite that should never have escaped into the wild.
BTW, it's not true that each subdomain has a different owner or authority. Each subzone *may* have a different owner or authority (and usually does...). The distinction between zones and domains in the DNS appears to have escaped you.
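The NSEC versus NSEC3 point argued above is easy to see concretely. The following is an added example, not code from the thread or from any DNSSEC implementation: it builds the plaintext NSEC chain for a small constructed zone (owner names taken from the example zone in RFC 5155 Appendix A) and the NSEC3 chain for the same zone using that appendix's parameters (SHA-1, salt aabbccdd, 12 extra iterations). The NSEC chain hands a querier the next real name at every step; the NSEC3 chain only exposes hashed owner names, so the zone can no longer be walked directly. Hashes can still be guessed offline against a list of likely labels, which is why NSEC3 narrows rather than eliminates enumeration; the function and constant names are this example's own.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> Extended Hex alphabet used by NSEC3 (RFC 5155 section 8.3)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed zone: owner names from the RFC 5155 Appendix A example zone.
EXAMPLE_ZONE = ["example", "a.example", "ns1.example", "ns2.example",
                "w.example", "x.w.example"]
EXAMPLE_SALT = bytes.fromhex("aabbccdd")   # salt from RFC 5155 Appendix A
EXAMPLE_ITERATIONS = 12                    # additional iterations from the same appendix


def _labels(name: str) -> list:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire-format encoding: length-prefixed labels, root byte last."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 digest -> exactly 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def _canonical_key(name: str) -> tuple:
    # RFC 4034 section 6.1 canonical order: compare labels right to left, case-insensitive
    return tuple(l.encode("ascii") for l in reversed(_labels(name)))


def nsec_chain(zone_names) -> list:
    """Plaintext NSEC chain: every owner reveals the next real name in canonical order."""
    ordered = sorted({n.lower().rstrip(".") for n in zone_names}, key=_canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec3_chain(zone_names, salt: bytes, iterations: int) -> list:
    """NSEC3 chain: owners are hashes sorted by hash value, so no plaintext name is exposed."""
    hashed = sorted({nsec3_hash(n, salt, iterations) for n in zone_names})
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def exposed_names(chain) -> set:
    """Names a querier learns by following a chain: everything that appears as owner or next."""
    return {n for pair in chain for n in pair}


if __name__ == "__main__":
    print("NSEC chain (plaintext):")
    for owner, nxt in nsec_chain(EXAMPLE_ZONE):
        print(f"  {owner:14} -> {nxt}")
    print("NSEC3 chain (hashed owners):")
    for owner, nxt in nsec3_chain(EXAMPLE_ZONE, EXAMPLE_SALT, EXAMPLE_ITERATIONS):
        print(f"  {owner} -> {nxt}")
```

Following the NSEC chain from the apex yields every owner name in the zone in order; following the NSEC3 chain yields only 32-character base32hex hashes, and recovering a name from one means guessing it and re-running the salted, iterated hash. A zone operator who wants to check what a signed zone discloses can run exactly this comparison against the real owner names before choosing between NSEC and NSEC3.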
The article is wrong
"At the moment, only two of the 13 root servers are digitally signed" is not true, currently 2 of the root servers (A and L) respond with DNSSEC keys but they are deliberately broken. It's a test to see if the infrastructure can handle DNSSEC, not a test of DNSSEC itself.