[ILUG] secure DNS...

Justin Mason jm at jmason.org
Wed Nov 22 12:36:36 GMT 2000


James Raftery said:

> DNSSEC is stuck with the public-key crypto. problem -- ensuring
> authenticity of public keys. The DNSSEC solution is to have your DNS
> parent use their key to sign your key.
> 
> Then, of course, you're into the problem of establishing trust in the
> supposed IE key that signed the online.ie key. The IE key needs to be
> signed by the root key. Since the root has no parent, how does one
> establish trust in its key? Current proposal is to have the root key
> installed with all nameserver software as a de facto trusted key. Or to
> put it another way, the root zone key is a massive single point of
> failure. If it were ever to be compromised all bets are off.

PKI really is a bit of a disaster alright on the internet.  It works OK
when you can mandate a policy across an organisation, such as 1 company,
but on the net at large it's a shambles -- unless you have the power to
force everyone to use your rules (like Netscape did, to invent the SSL CA
industry).

> The standard solution to prevent that kind of messing is to rollover
> keys periodically. How in hell would that work? That'd be sheer chaos.
> The only thing worse would be in the event of an unplanned rollover (say
> in the case of a compromise). There is no mechanism to systematically
> 'revoke' a DNSSEC key. Folks would go on trusting a broken key while
> others are desperately scrambling to get the new root key through some
> out-of-band trusted source.

Sounds a bit like SSL and the ongoing upgrade-browser-to-get-new-keys
fiasco.  At least with web browsers, all you get with an expired key is a
"cannot verify authenticity" warning dialog...

Oh ghod -- now that merger between Verisign and Nyetwork Solutions makes
perfect, if nightmarishly horrible, sense.  And only ICANN can save us
from yet another Verisign "internet tax" on our certificates to sign our
DNS zones.... and we all know how competent ICANN are (did I hear someone
say .museum?)

AAAAAARGH,

--j.

-- 
Justin Mason       Work:  http://www.netnoteinc.com/ <jm at netnoteinc.com>
                   Personal:      http://jmason.org/     <jm at jmason.org>

"It's true that some sharks get cancer. I said this in my book."
	 	   -- William Lane, author of _Sharks Don't Get Cancer_
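An added illustration, not part of the thread, of the chain of trust Raftery describes (root signs the key for ie, ie signs the key for online.ie, resolvers start from a root key shipped as the trust anchor) and of what happens when the root key is rolled without the anchor being updated. Keys and zone names are constructed, and HMAC-SHA256 is an assumed stand-in for the real public-key signature; the DS digests and the walk from the trust anchor follow the actual design.

```python
import hashlib
import hmac

# Constructed toy model of the DNSSEC chain of trust: HMAC-SHA256 is an
# ASSUMED stand-in for the real public-key signature, so the "public" key
# here is the same bytes as the signing key. DS digests and the walk from
# the configured trust anchor follow the real design.

def dnskey(name, secret):
    return {"name": name, "key": secret}

def ds_digest(key):
    """DS record: digest of the child's DNSKEY, published in the parent zone."""
    return hashlib.sha256(key["name"].encode() + key["key"]).hexdigest()

def sign(key, data):
    return hmac.new(key["key"], data, hashlib.sha256).hexdigest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def build_chain(keys):
    """keys run from the root downwards; each parent publishes and signs a DS for its child."""
    return [{"child": child, "ds": ds_digest(child),
             "rrsig": sign(parent, ds_digest(child).encode())}
            for parent, child in zip(keys, keys[1:])]

def validate(anchor_ds, root_key, links):
    """Walk from the configured trust anchor down the chain; returns (secure, reason)."""
    if ds_digest(root_key) != anchor_ds:
        return False, "root DNSKEY does not match the configured trust anchor"
    current = root_key
    for link in links:
        name = link["child"]["name"]
        if not verify(current, link["ds"].encode(), link["rrsig"]):
            return False, f"DS for {name} is not signed by {current['name']}"
        if ds_digest(link["child"]) != link["ds"]:
            return False, f"DNSKEY for {name} does not match its DS"
        current = link["child"]
    return True, f"secure down to {current['name']}"

def scenario(root_rolled=False, forged_ie=False):
    """Constructed keys; root_rolled = unplanned rollover with a stale resolver anchor."""
    shipped_root = dnskey(".", b"root-key-2000")
    anchor = ds_digest(shipped_root)                  # baked into resolver software
    root = dnskey(".", b"root-key-after-compromise") if root_rolled else shipped_root
    ie, site = dnskey("ie", b"ie-key"), dnskey("online.ie", b"online-ie-key")
    links = build_chain([root, ie, site])
    if forged_ie:                                     # ie key swapped, root never signed it
        links[0]["child"] = dnskey("ie", b"bogus-ie-key")
    return validate(anchor, root, links)
```

With the shipped anchor the full chain validates; after the emergency root rollover every zone under the new root is rejected by resolvers still holding the old anchor, which is the "sheer chaos" case, since nothing in the chain itself tells them the old key is gone.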
