Dot-UK registry Nominet has started piloting a free service designed to help UK businesses boost the security of their websites' domains. The DNSSEC Signing Service "will allow registrars to quickly and easily implement DNSSEC by relying on Nominet to manage the cryptographic signing process, management of keys and publishing …
Depressingly slow; hope Nominet succeed
I'm glad to see Nominet actively promoting this - and by being helpful, too, rather than barking orders. I enabled DNSSEC on my personal (self-hosted) domain a few months ago (along with the DNScurve elliptic curve crypto rival) - I haven't had any problems with it, and it wasn't too hard, but until the DNS hosting companies simplify it to "tick here to enable DNSSEC" it will be an uphill struggle.
Long-term, there are some neat things you can do on top of DNSSEC - an alternative to certificates for SSL, better handling of SSH host keys ... - but until it's actually out there being used, few people will bother trying. Which, of course, means few will bother rolling it out... Good on Nominet for helping here!
I have no doubt that if I sat down and needed to deploy this for a single domain, I could probably get it done in a day if I had nothing else to do. But as someone who runs their own domains, has their own servers, and plays about with DNS as required (e.g. I IPv6 enabled my domains one day when I was bored, proved my ownership of a domain via TXT cookies, implemented my own SPF records etc.), I can safely say that I'm still not entirely sure what the hell I'm doing when it comes to DNSSEC, or whether I'm doing it right, or whether what I do would make it any more secure.
There seems to be a complete lack of readable documentation - if it isn't RFC-level, then it's just a checklist of commands to blindly run in Ubuntu/Bind (and no clear advice on what to publish and what not, and what parts of those things are private and should be deleted/stored securely, etc.). And at the end of the day, I have little idea exactly how, say, .org.uk is magically authenticating my domains/nameservers via a record I publish on said nameserver. I've a mathematical degree, for God's sake (albeit a decade ago), and studied cryptography but the various records, signings, etc. aren't immediately enlightening me on how to deploy DNSSEC at all, and certainly not how to know whether I've done it properly.
And everything seems to want to use bind tools. Shockingly, most people don't run their own bind nameserver for their domain - and literally just want to be given a DS record they can publish, or ask their host to publish for them. Then you have the question of updates and expiration. Just how often, exactly, am I going to be required (either automatically or manually) to push our new DS records because something, somewhere expired? And if I don't update them properly, DNSSEC-enabled servers will see my domain as "untrusted" - whereas if I *don't* publish anything at all, I can sit quietly in a greylist somewhere and never have a problem until everything is DNSSEC and people decide to actually require it?
So until DNSSEC is literally "built-in" to domains and domain-hosting packages somehow, it'll be a long while before it meets mass-adoption. Hell, people aren't using IPv6 and that's simple enough now and explicitly supported in all major operating systems (not to mention a requirement of things like DOCSIS 3 and some mobile technologies).
DNSSEC proponents really need to think not of ISP's and mass-domain-hosts (who should have people more than skilled enough to do this, and a business reason to ensure it stays updated), but of the people who own domains (who may be reliant on those hosts/ISP's, running their own VPS, etc.) who literally just want a checkbox procedure to DNSSEC-enable themselves. At the moment, it seems far too complex and uncertain for a five-minute deployment to actually be possible and help the domain owner.
Compare to SPF, for example, where - yes - you can break email reception/sending for your domain if you do it wrong but it literally takes minutes to get it right, or correct a mistake, and then you never have to worry again until you change the servers receiving/sending your email. Compare to IPv6 where IPv6 day pretty much proved that you aren't going to break anything by deploying it and a five minute enabling process is available (and the only issues are having another avenue of entry to secure, enabling IPv6 in daemons, firewalls, etc.).
DNSSEC is a bit of a hideous nightmare at the moment, so no-one is touching it, so Nominet really have to push things like this. Until the time that such tick-a-box functionality is available to someone who owns a domain through every host/ISP, does anyone have a simple run-through, that isn't bind-specific, explains what's going on and explains which bits of the process are secret, should be published, how and who to and how often? At the moment, it just seems one big modern mess.
could be similar to IPV6
IPV6 was 20 years in gestation and is only now starting to generate significant traffic i.e. more than 1% of total Internet IPV4 + IPV6 traffic. I've upgraded my server to handle IPV6 for about half of the websites I run, am part way through upgrading various web applications and starting to think about how to handle some others (e.g. email). The support resources for IPV6 are now quite good for someone at my level (as someone who isn't a core developer of the technology itself, but a fairly early implementer), though 3 years ago I would have found this more difficult.
My last look at DNSSEC suggested this wasn't yet quite ready at the same level, due to complexity and limited support for relevant tools and level of support from domain registries. What Nominet are doing is bringing feasible implementation for more sites closer. I'll definitely be more interested in doing business with domain registrars which support DNSSEC than with those which don't. DNSSEC also needs a certification program similar to that provided by Hurricane Electric for IPV6 to test knowledge and implementation practice for smaller server operators.
I've read DJ Bernstein's eliptic curve DNSSEC alternative proposal paper, but I think the mainstream will go with current IETF DNSSEC standards because I'm not sure DJB's proposal covers all the bases of the IETF DNSSEC standards. Whether DJB's proposal is 'better' probably isn't the whole story. CSV/DNA responsible SMTP client identification was arguably better than SPF. My mail filtering software (Tagspam) was one of the first CSV/DNA implementations, but that's not much use if everyone else adopts a different approach.
obviously fake domain reg
How about removing all of those obviously fake non commercial registrations
that are being used to host phishing sites etc?
It currently takes a concerted effort to get enough people to register a complaint before
they will remove an obviously forged domain registration.
Charging more for "private use" domains and using the money to run a delayed web site
check is probably the way forward. Also investigating complaints rather than waiting for a
few thousand to arrive before reacting would help.
This is not supported by any current browser - so what's the point ?
Neither was SVG at one point.
Neither was HTML5 at one point.
Neither was PNG at one point.
Neither was Flash at one point.
Neither was Java at one point.
Neither was ActiveX at one point.
The point is that they make DNS much more secure and break a lot of happening-today attacks on things like SSL certificates that rely on being matched to the correct domain name (e.g. complete compromise of most modern-day use of SSL), and stopping DNS-spoofing / filtering in those countries that do that.
This is INFINITELY more useful than EV-certificates ("green bar" secure sites), for example.
It's a good idea that needs to gain a foothold, if no one signs up then it won't get promoted and nothing will happen. The browser makers will not committ expensive resources to incorporating something that is still being worked on.
Or use simple software
Sorry to blow my own horn here, but if you already run PowerDNS, and quite a number of large UK-based hosters do, consider upgrading to PowerDNS 3.0, which makes DNSSEC rather easy, see http://powerdnssec.org/ - it can be as simple as 'pdnssec secure-zone nominet.co.uk'.
That's how it SHOULD be, and my post a few above this is decrying this exact problem.
And it's not often you run into the author of a piece of software on a website and get to thank them for doing something "properly" from the user's point of view.
How will this affect my ad-blocking?
My own aggressive advertisement blocking system works by having a "poisoned" nameserver, which deliberately returns wrong addresses for known advertising and tracking servers. This legitimate use relies on me being able falsely to claim authority for the domains I am misrepresenting.
Insistence on DNSSEC probably will make this harder.
@AJStiles DNSSEC would prevent you rewriting the addresses to point at _some other_ site. If instead you returned NXDOMAIN from your poisoned server you would effectively achieve the same result as an invalid DNSSEC signature, i.e. an unreachable site.
- Breaking news: Google exec veep in terrifying SKY PLUNGE DRAMA
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Google CEO Larry Page gives Sundar Pichai keys to the kingdom
- Something for the Weekend, Sir? SKYPE has the HOTS for my NAKED WIFE