
DNSSEC and the Geopolitical Future of the Internet

timothy posted more than 4 years ago | from the but-everyone-loves-the-king dept.

The Internet 70

synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."

my first first post (-1, Flamebait)

bruno.fatia (989391) | more than 4 years ago | (#32148916)

first post!

Re:my first first post (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32148952)

Your first first post and that is all that you can come up with? Come on man, the linked article Godwin'ed itself! You could have at least said something like "my first first post you Nazi bastards!" and not be accused of losing the argument in the first post. Sheesh.

Clearly what they need to do is just get ride TLDs (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32149104)

There is no reason to have TLDs. They perform no useful purpose other than to line the pockets of shysters and satisfy the megalomaniacs at ICANN, who would otherwise have to bag groceries for a living.

Re:Clearly what they need to do is just get ride T (1, Informative)

Anonymous Coward | more than 4 years ago | (#32149180)

The TLDs serve a very important purpose: They're administrative boundaries. If the policies of one TLD don't suit you, choose a different one for your domains. The DNS root should therefore only have very limited say in how TLD registries do their job and indeed the TLDs are implemented very differently.

Re:Clearly what they need to do is just get ride T (0)

Anonymous Coward | more than 4 years ago | (#32149658)

But why couldn't this be done for each entry? Instead of limiting entries to name.TLD, why not just let the registrant make any name and sign up for whatever rules set is desired? If I wanted to sign up for great.burgers, who cares if there is a .com, .net, .whatever anywhere in the name? It has always seemed arbitrary and constricting to me, especially in business where squatters make things overly interesting.

Re:Clearly what they need to do is just get ride T (1, Informative)

Anonymous Coward | more than 4 years ago | (#32149736)

Then there'd be only one registry and one set of rules - the rules of the root registry. The separate registries are what keeps some level of competition alive. The root registry only gets to set basic interoperability rules, but the economics and technical implementations are the TLD registries' business.

Re:Clearly what they need to do is just get ride T (0)

Anonymous Coward | more than 4 years ago | (#32151156)

I still don't see why this system couldn't be implemented sans TLDs.

Re:Clearly what they need to do is just get ride T (2, Insightful)

icebraining (1313345) | more than 4 years ago | (#32149378)

I disagree. Generic TLDs may be useless, but ccTLDs are useful for use in the rest of the world. I, for example, know when I'm buying something from a web shop with a .PT domain that the owner of that domain is a real company registered in Portugal, so it's easier to get my money back if something goes wrong.

Also from George Bernard Shaw (0)

Anonymous Coward | more than 4 years ago | (#32150190)

I think it would be a good thing to make everybody come before a properly-appointed board, just as they might come before the income tax commissioner, and say every five years, or every seven years, just put them there, and say, "Sir, or madam, now will you be kind enough to justify your existence?"

If you're not producing as much as you consume or perhaps a little more, then, clearly, we cannot use the big organizations of our society for the purpose of keeping you alive, because your life does not benefit us and it can't be of very much use to yourself.

Godwined (1)

badkarmadayaccount (1346167) | more than 4 years ago | (#32187262)

Hitler thought 2+2=4. He also thought Jews should be killed.

Re:Clearly what they need to do is just get ride T (1)

z_gringo (452163) | more than 4 years ago | (#32153218)

True, but many companies that are registered in Portugal will be using a .com instead of a .pt.

I suppose that situation exists everywhere. The .com seems to be preferred by certain companies all over the world.

On another note, if you wouldn't mind emailing me about some of those web shops in Portugal, I would sure appreciate it. I have found it hard to locate shops in Portugal that will sell online.

Re:Clearly what they need to do is just get ride T (1)

icebraining (1313345) | more than 4 years ago | (#32154074)

True, but many companies that are registered in Portugal will be using a .com instead of a .pt.

But I'll trust those less. I don't want to force them to register a .PT; but if I have two shops with similar prices for the same products, I'll choose the one with the .PT domain.

On another note, if you wouldn't mind emailing me about some of those web shops in Portugal, I would sure appreciate it. I have found it hard to locate shops in Portugal that will sell online.

Well, shops that sell what? For, e.g., PC components there's plenty of them [zwame.pt], but I don't have a list for any kind of shop.

Re:Clearly what they need to do is just get ride T (1)

z_gringo (452163) | more than 4 years ago | (#32166794)

I was going to go into that in email, but basically, small electronics, books, DVDs and CDs.

Re:my first first post (2, Interesting)

bruno.fatia (989391) | more than 4 years ago | (#32149422)

I was actually testing a theory, that even if the first post is absolutely pointless, there are people that MUST post their replies to the first post. Most topics here have tons of replies to the first post, even if it's garbage.

Wow, you're fucking brilliant. (0)

Anonymous Coward | more than 4 years ago | (#32152612)

Nobody on /. has ever observed THAT before.

Clarify something for me... (4, Insightful)

AdmiralXyz (1378985) | more than 4 years ago | (#32148918)

From TFA:

Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

Isn't that a good thing?

Re:Clarify something for me... (1)

Dragoniz3r (992309) | more than 4 years ago | (#32149012)

Depends on whether the global internet is impacted by the country's shenanigans.

Re:Clarify something for me... (1)

BitterOak (537666) | more than 4 years ago | (#32149072)

From TFA:

Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

Isn't that a good thing?

Depends who you are. If you are running the global Internet, it's good. If you're running a local or national Internet, it's bad. Pretty much all technology is that way: potentially good for some, bad for others.

Re:Clarify something for me... (2, Insightful)

vlm (69642) | more than 4 years ago | (#32149128)

If you're running a censored local or national Internet that depends on injecting falsified DNS responses, it's bad.

Fixed that typo for you. Note that it has little to no interaction with IP-level blocking or "semitransparent" web proxies, don't worry, China can still oppress their subjects.

Re:Clarify something for me... (0)

Anonymous Coward | more than 4 years ago | (#32149114)

Since every corporation on the planet "sets up its own internet within its" campus, it seems that the split must also be very bad for corporations. I guess ICANN employees can now be confident that ICANN can't censor their kiddie pron. ;-)

Re:Clarify something for me... (1)

ObsessiveMathsFreak (773371) | more than 4 years ago | (#32149382)

Not when a judge in East Texas starts blocking sites in other countries because he feels like it.

Re:Clarify something for me... (1)

hitmark (640295) | more than 4 years ago | (#32149996)

the net seems less unstoppable when one considers the "border" routers...

Re:Clarify something for me... (1)

Xenophon Fenderson, (1469) | more than 4 years ago | (#32154978)

Speaking as a U.S. national, I'll gladly take my chances in Marshall. At least with the Texan, there's Due Process and Separation of Church and State and the First Amendment and a ton of case law that supports a (generally) liberal democratic system. It isn't perfect, but it's a hell of a lot better than having the religious police or totalitarian oligarchs make civil rights judgments.

Re:Clarify something for me... (0)

Anonymous Coward | more than 4 years ago | (#32153558)

easy as pie:

from tfa: "Galvin explained that to be successful, DNSSEC would have to be implemented at first at the center of the Internet"

that sounds very competent to me.

Important information regarding ICANN and the DNS (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32148940)

Important information regarding ICANN and the whole DNS: http://88.80.21.12/The_rotten_and_corrupt_Domain_Name_System

Re:Important information regarding ICANN and the D (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#32148988)

Nice troll Boppo.

distributed solutions please? (4, Insightful)

alexandre (53) | more than 4 years ago | (#32149010)

Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones...
But no, centralized control is much more fun in the eyes of politicians who care more about guaranteeing their retirement than freedom for everybody.

Re:distributed solutions please? (0)

Anonymous Coward | more than 4 years ago | (#32149030)

"Another attempt to solve things in a hierarchical manner that should have been fixed with a p2p web of trust. Countries could then trust their own servers to a greater degree than outside ones..."

rather than:

"Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones..."

(Bad foreign English day for me ;)

Hierarchy Matches The Reality Here (1)

billstewart (78916) | more than 4 years ago | (#32151662)

In this case, because the DNS is hierarchical, a hierarchical signature system is the right way to authenticate the names. You hand the registrar for ".com" your $6.00 and a public key, the registrar gives you a signed certificate saying you're the Official Owner of "example.com". That doesn't protect you from trademark suits by other people who say *they* should own the name "example.com", or from somebody handing the registry forged papers saying that they're the domain administrator for your company, and it doesn't protect random members of the public from assuming that your domain "example.com" belongs to the company "Best Examples Of North America, Ltd", and maybe those services are something that wants a web-of-trust solution or a hierarchical solution from some different hierarchy, but it's a way for anybody to verify that the IP address they just fetched belongs to the real owner of the example.com domain name and not some forger.

Now, just because there's an absolutely correct simple technical method for handling DNSSEC signatures, that doesn't mean that's how ICANN will choose to implement it, or that they won't also issue DNSSEC signatures to the winners of trademark lawsuits or to governments that want to forge IP addresses for websites, but that's a separate problem. If you're worried about that, you can use DNSSEC Trust Anchors [wikipedia.org] as a web of trust, and they've been in limited use while ICANN's been dragging their feet.

Re:distributed solutions please? (5, Funny)

Anonymous Coward | more than 4 years ago | (#32149040)

Your user ID (53) is not only very low, it is also the port number that dns queries are sent to.

Re:distributed solutions please? (0)

Anonymous Coward | more than 4 years ago | (#32149386)

He bought it off of E-Bay...

Re:distributed solutions please? (2, Funny)

jamesh (87723) | more than 4 years ago | (#32152834)

I sold it to him. It was getting too many connection attempts.

Re:distributed solutions please? (2, Insightful)

vlm (69642) | more than 4 years ago | (#32149098)

Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts

False dilemma. You can do both at the same time. BGP IP routing on the net overall is vaguely hierarchical in regards to who pays for transit and who peers for free, but is vaguely p2p web of trust in that the DFZ pretty much trust each other to share good routes, or at least folks trust each other at carrier hotels. Some carriers trust some of their customers so much they're practically peering, in that they don't filter their "customers'" advertisements; some are not so trusting. What's more P2P than an IXP like MAE-EAST, MAE-WEST, etc., where you trust your BGP peers not to screw up (and they occasionally fail you, of course)?

No, in this case hierarchical is correct (5, Insightful)

John.P.Jones (601028) | more than 4 years ago | (#32149150)

DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.

Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.

Re:No, in this case hierarchical is correct (2, Insightful)

alexandre (53) | more than 4 years ago | (#32151274)

The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.

And yes, p2p usually implies a less than 100% reliability and you might get conflict of namespace or some such problem, but it usually gives users a fairer share in the network and makes the user a citizen instead of a consumer.

Though, this might not be so much of a "p2p vs hierarchical" problem as one of who can trust IANA/ICANN to do the right job globally...

What I'm advocating is just that the more distributed (and not decentralized!) the structure of the network is, the better it'll survive long-term totalitarian control.

Re:No, in this case hierarchical is correct (1)

marka63 (1237718) | more than 4 years ago | (#32151550)

The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.

Firstly, you can get domains for $0. I have one. I also have ones I pay for.

Secondly, there are real ongoing costs to be covered and the small costs associated with most parent domains are reasonable or do you expect to everyone to give you a free lunch?

Re:No, in this case hierarchical is correct (2, Interesting)

alexandre (53) | more than 4 years ago | (#32151792)

I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

And you do realize that domains like .biz, .info, .jobs, and all those new weird domains were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...

And I'm paying already to get connected, everything should be "intelligence at the border", I'm paying by offering others to use my CPU/RAM/Storage.
Do we really need Facebook/Google to centralize the net when we could all do it?

There is such a waste of computer resources!
And while we're at it, I wish more publicly owned fiber were built as a fair tunnel for ISPs to compete.

It's sad that the biggest supercomputers on earth are botnets; I just wish it was actually a voluntary citizen network instead...

Re:No, in this case hierarchical is correct (1)

marka63 (1237718) | more than 4 years ago | (#32151912)

I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

While cryptographic hashes will identify things, they leave a lot to be desired in terms of usability. <whatever>@<short>.freenet does not scale.

And you do realize that domains like .biz, .info, .jobs, and all those new weird domain were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...

I once said to Jon, over lunch, we should get rid of gTLDs. There are very few gTLDs that are useful. That said, gTLDs != DNS.

Re:No, in this case hierarchical is correct (1)

Lennie (16154) | more than 4 years ago | (#32152604)

"I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?"

What is really nice about the internet is that you don't need domain names to connect; you can connect with anyone from anywhere, usually. Domain names just make it easier to remember. And most systems which are connected to the internet have something which helps to keep an index. For example many people use something like Google to find websites. If your information is relevant to them, you don't need a domain name, Google will find it. You might need to submit a link to Google though.

Re:No, in this case hierarchical is correct (1)

alexandre (53) | more than 4 years ago | (#32155396)

Indeed, we can always use just IPs, but that's losing a lot of functionality. And Google is definitely a worse alternative than the actual DNS system, which is at least a bit decentralized :-)

Re:No, in this case hierarchical is correct (1)

dkf (304284) | more than 4 years ago | (#32154800)

I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

You also know jack shit about the trustability of the information on those systems. Sturgeon's Law applies. If you do something about that (e.g., through a reputation service) then you're setting something up as an authority.

Re:No, in this case hierarchical is correct (1)

alexandre (53) | more than 4 years ago | (#32155450)

Yes, and that's exactly the point: when using a web of trust, multiple people, whom you choose yourself, become your authority, and you can switch them when you feel cheated.

Right now I have to trust big banks or certificate authorities to care for me... I'd rather trust my family and friends. Of course you need time to construct all this, but if everyone was to switch to such a system we'd all be set up pretty quickly.

I'm not pushing for anything specific, but just as Schneier talks about security as a process, I really just want to push distributed systems as a thought structure for future development, to guarantee we can build security, privacy and distributed features into systems from the start, as they can't be added as an afterthought.

The whole idea is that if it doesn't work in a distributed manner, we can always group people together to form a local authority; the reverse is impossible.

It's all about having a democratic network, that's all :-)

Re:No, in this case hierarchical is correct (1)

jonadab (583620) | more than 4 years ago | (#32167498)

> I didn't see anyone paying for namespace in p2p networks or on
> I2P/FreeNet/etc., maybe we don't need to have parent domains

Show me a peer-to-peer network that can provide each user (including users who don't have their own computer) with a globally-unique address to which anyone on the network can send a message, and it will be delivered to the right person. (In other words, email.) Show me a peer-to-peer network that's suitable for web-style publishing, wherein you make your content available and anyone on the network can look at it at any time just by knowing your address.

P2P doesn't work for everything. Some things need to be client/server.

Re:No, in this case hierarchical is correct (1)

jonadab (583620) | more than 4 years ago | (#32167464)

> The fact that you can't get a domain for 0$

Do you mean $0? But you *can* get a domain for $0. I have two of them at the moment, and have had others in the past.

You can't get a *top-level* domain for that, but you can't get a top-level domain at all, unless you meet the requirements, which are pretty steep. (The easiest way is to get yourself recognized as a sovereign nation and get a two-letter TLD. Longer ones are even harder to get.) This is a *good* thing, because DNS wouldn't really scale to everyone in the world having a top-level domain anyway. The root servers would never survive that.

So most of us take a subdomain. DNS was, after all, DESIGNED to be hierarchical, because it scales better that way. Subdomains *are* available free of charge, especially if you're not very particular about exactly which parent domain you're under.

That's the beauty of delegation: anyone who gets charge of a domain gets to set their own policy for handing out subdomains, and then you get to decide if you're willing to deal with them or not. Okay, so the people running .com want to charge you money for yourveryownsecondlevelname.com. You don't want to pay it? Hey, you can get yourthirdlevelname.provider.com for free. (The exact terms depend on which provider you get it from.)

Re:No, in this case hierarchical is correct (1)

alexandre (53) | more than 4 years ago | (#32168818)

Well, 0$ for Quebec, $0 outside of it ;-)

And if some services cannot be distributed (not that it would be impossible, but I'm not arguing about a specific technical solution), then they must be governed globally in a democratic manner according to human rights and all... :)

Re:distributed solutions please? (1)

ducomputergeek (595742) | more than 4 years ago | (#32149198)

This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

Re:distributed solutions please? (3, Interesting)

grcumb (781340) | more than 4 years ago | (#32149664)

This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.

Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.

In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.

I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.

Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....

DNSSEC is an arduous solution (3, Interesting)

rtp (49744) | more than 4 years ago | (#32149020)

It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.

Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.

Deploying DNSSEC in response to cache poisoning is a lot like deploying TSA to protect the airports. Taking your shoes off and putting toothpaste in a little plastic baggie are kludges.

Re:DNSSEC is an arduous solution (3, Insightful)

lukas84 (912874) | more than 4 years ago | (#32149070)

DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does bind.

PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.

Re:DNSSEC is an arduous solution (2, Interesting)

rtp (49744) | more than 4 years ago | (#32149082)

What products are submitting keys upstream on change?

Re:DNSSEC is an arduous solution (1, Informative)

Anonymous Coward | more than 4 years ago | (#32149136)

DNSX Secure Signer by Xelerance Corporation. Disclaimer: I work for them. Google it.

Re:DNSSEC is an arduous solution (1)

pthreadunixman (1370403) | more than 4 years ago | (#32150532)

dnssec-signzone -d /etc/namedb/keys -o foo.domain /etc/namedb/master/db.foo.domain

It's clearly insanely difficult to sign your zone with BIND.

It never ceases to amaze me that people expect BIND to do things outside its scope. Use a configuration management tool to manage BIND. Don't expect every product to include its own bloated incompatible management crap with yet another admin console that I have to load.

I use puppet to monitor changes to a centrally managed version controlled zone database that is automatically deployed and signed any time it is changed. Bad changes are automatically detected and reverted to a known good state via the version control repository. BIND works fine for those of us that know what we're doing.

Re:DNSSEC is an arduous solution (1)

marka63 (1237718) | more than 4 years ago | (#32151478)

You do realise that you don't need to run dnssec-signzone anymore to sign a zone?

All vendors DNSSEC tools are improving. Perhaps you should do some research before complaining? Remember DNSSEC really is still in the very early stages of deployment and usability will continue to increase.

Re:DNSSEC is an arduous solution (1)

pthreadunixman (1370403) | more than 4 years ago | (#32151604)

I wasn't complaining. Parent was complaining. Automatic zone signing only works on dynamic zones in 9.6 AFAIK. Might be different in 9.7.

Re:DNSSEC is an arduous solution (1)

marka63 (1237718) | more than 4 years ago | (#32151768)

I wasn't complaining. Parent was complaining.

Fair enough, though it wasn't clear.

Automatic zone signing only works on dynamic zones in 9.6 AFAIK. Might be different in 9.7.

How else do you expect named to know it has change control on the zone? Remember, all zones are dynamic; it's just that there are different change mechanisms involved. Also, just because it is dynamic doesn't mean that anyone can change the contents. By using UPDATE, named can update all the relevant records that are involved in a change. Yes, this is a change in how one does things, but one that is for the better, I believe.

Re:DNSSEC is an arduous solution (1)

pthreadunixman (1370403) | more than 4 years ago | (#32151802)

Not if you're using version control

Re:DNSSEC is an arduous solution (1)

marka63 (1237718) | more than 4 years ago | (#32151938)

You can still have version control and automatic re-signing. You just don't version control the master file that the name server uses. It's relatively straightforward to make a tool that will take an unsigned master file and generate a delta against the current signed zone contents and use that as the post-commit action. The only thing that won't be consistent is the SOA serial.

Re:DNSSEC is an arduous solution (1)

secolactico (519805) | more than 4 years ago | (#32151556)

I use puppet to monitor changes to a centrally managed version controlled zone database that is automatically deployed and signed any time it is changed. Bad changes are automatically detected and reverted to a known good state via the version control repository.

Did you roll your own solution or use third-party tools?

I'm about to inherit responsibility for several unrelated DNS servers and I'm trying to find a way to centrally manage them.

Re:DNSSEC is an arduous solution (1)

pthreadunixman (1370403) | more than 4 years ago | (#32151592)

puppetlabs.com

Re:DNSSEC is an arduous solution (5, Interesting)

Burdell (228580) | more than 4 years ago | (#32149270)

Put down the djb Kool-Aid. DNSCurve and DNSSEC do not address the same thing. DNSCurve is essentially SSL for DNS, which requires some way to establish trust with each server you talk to. Since end-users typically only talk to their ISP's recursive servers, that's not too much work, but it only protects the path from the ISP's servers to the end-users (which ISPs can typically protect themselves). DNSCurve does nothing to authenticate the DNS data itself. DNSSEC, on the other hand, authenticates the data at the source. If you look up foo.bar.com, that record can be signed in the bar.com zone, which has trust anchors in .com, which has trust anchors in the root. It doesn't matter who serves the record to you; you can be sure that the data is valid.

Some ISPs would prefer people to use DNSCurve and think DNS is secure, because it does nothing to protect the data. Those ISPs would still be able to change the results (e.g. all the NXDOMAIN web pages, URL redirects, etc. are still possible). That can't happen with DNSSEC and an authenticating resolver.

DNSSEC is not set-it-and-forget-it because true security requires maintenance. It isn't just a response to cache poisoning attacks, it addresses the security of the whole system.

Re:DNSSEC is an arduous solution (5, Insightful)

Kaboom13 (235759) | more than 4 years ago | (#32149974)

It's a sad state of affairs, but when you think about it, modern ISPs must be treated as a malicious and disruptive man-in-the-middle attack when it comes to DNS. Not only do they constantly interfere in proper DNS operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough; I just hope ISPs don't start rewriting destination addresses to continue their abuse.

Re:DNSSEC is an arduous solution (0)

Anonymous Coward | more than 4 years ago | (#32150368)

I just hope ISPs don't start rewriting destination addresses to continue their abuse.

The moment they do *that* I will bring lawsuit for false advertising and request redress from the judge by way of specific performance.

Re:DNSSEC is an arduous solution (1)

characterZer0 (138196) | more than 4 years ago | (#32153574)

DNSCurve puts the public key in the DNS server name, so as long as you trust the roots, you could recursively resolve anything.

If you do not trust your ISP, do not use its DNS caches.

Re:DNSSEC is an arduous solution (1)

marka63 (1237718) | more than 4 years ago | (#32151524)

Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.

Really? Splitting keys into KSK and ZSK keys was done so that you DON'T need to contact the parent zone administrator to roll the keys that sign the zone content. You do need to contact the parent when you update the KSKs, but that should be much less often than the ZSKs are changed.

Re:DNSSEC is an arduous solution (1)

Ethanol (176321) | more than 4 years ago | (#32161756)

DNSSEC and DNSCurve solve two different (though overlapping) problems. DNSSEC is about end-to-end authentication and validation: It strives to ensure that the data you received is the data the actual owner of a name server intended to send, unaltered by anyone along the way. DNSCurve is about ensuring a trustworthy connection between the authoritative name server and the resolver (and incidentally about encrypting queries, which is nice), but it doesn't do a thing to keep the resolver from lying to you. Man in the middle is a problem with DNS, as anyone who stays in hotels frequently can attest.

As for set-it-and-forget-it, if you use BIND 9.7 (on which, full disclosure, I was the lead engineer), it comes pretty close. If you don't roll keys, it can maintain itself forever, and you can roll ZSKs with a cron job. Rolling KSKs still requires operator intervention in most cases. (But rolling keys is optional; people with higher security needs will want to do it often, but low-value targets can get away with doing it infrequently or never.)
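The chain of trust Burdell describes and the KSK/ZSK split marka63 and Ethanol discuss, as an added toy model in Python (not code from any poster, nor from BIND): a resolver starting at the root trust anchor accepts foo.bar.com no matter who served it, rejects a rewritten answer, survives a ZSK roll without any parent contact, and rejects a KSK roll until the parent publishes a new DS. Assumed and constructed: a root -> com -> bar.com chain, tiny textbook RSA standing in for the real DNSSEC algorithms, and records keyed as "owner TYPE".

```python
import hashlib

# Constructed toy RSA on small primes, no padding: it models DNSSEC's structure, not real crypto.
PRIMES = [p for p in range(50000, 60000) if all(p % k for k in range(2, 245))]

def keygen(i):  # returns (public, private); 65537 is coprime to phi since p - 1, q - 1 < 65537
    p, q = PRIMES[2 * i], PRIMES[2 * i + 1]
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:4], "big") % n
def sign(priv, data): return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def ds(pub):  # a DS record is a hash of the child's KSK, published and signed in the parent zone
    return hashlib.sha256(repr(pub).encode()).hexdigest()

class Zone:
    def __init__(self, name, ksk_id, zsk_id, records):
        self.name, self.records = name, records  # records: "owner TYPE" -> rdata
        self.ksk, self.ksk_priv = keygen(ksk_id)
        self.zsk, self.zsk_priv = keygen(zsk_id)
        self.resign()

    def resign(self):  # the KSK signs only the DNSKEY set; the ZSK signs every other RRset
        self.keysig = sign(self.ksk_priv, repr((self.ksk, self.zsk)))
        self.rrsigs = {k: sign(self.zsk_priv, k + " " + v) for k, v in self.records.items()}

    def roll_zsk(self, new_id):  # purely local: the parent's DS record is untouched
        self.zsk, self.zsk_priv = keygen(new_id); self.resign()

    def roll_ksk(self, new_id):  # breaks the chain until the parent publishes a matching DS
        self.ksk, self.ksk_priv = keygen(new_id); self.resign()

def validate(anchor, zones, owner, rdata):
    """Walk root -> leaf from the trust anchor; any broken link rejects the answer."""
    expected_ds = ds(anchor)
    for i, z in enumerate(zones):
        if ds(z.ksk) != expected_ds or not verify(z.ksk, repr((z.ksk, z.zsk)), z.keysig):
            return False
        if i + 1 < len(zones):  # this zone must carry a signed DS for the next zone down
            key = zones[i + 1].name + " DS"
            if key not in z.records or not verify(z.zsk, key + " " + z.records[key], z.rrsigs[key]):
                return False
            expected_ds = z.records[key]
    sig = zones[-1].rrsigs.get(owner)
    return sig is not None and verify(zones[-1].zsk, owner + " " + rdata, sig)

def build_chain():  # constructed sample: root -> com -> bar.com, built child-first so DS values exist
    bar = Zone("bar.com", 0, 1, {"foo.bar.com A": "192.0.2.10"})
    com = Zone("com", 2, 3, {"bar.com DS": ds(bar.ksk)})
    return [Zone(".", 4, 5, {"com DS": ds(com.ksk)}), com, bar]
```

A resolver that rewrites the rdata, or strips the signature and re-signs with its own key, fails `validate` the same way the tampered-address case does, because its key is not reachable from the anchor.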

One For All and All For One is best for US, EU... (1)

OldHawk777 (19923) | more than 4 years ago | (#32149338)

Is it better for one to control all, all to control one, none to control all, or all to control none?

As any solution, provide sustenance that grows value, not malice and malevolence. It is better not to consider control ever.

PreDNS-IPv4, DNS, DNSSec... One for all must be all for one, because institutional/national evil lurks behind every wall for everyone.

China, Clerics, C*Os, and some others seek global economic domination within hall mazes behind Stalinist/Maoist walls.

I suspect, where DNS splits occur, it will be for Nazi/fascist, religion/dogma, and/or faux-capitalism/corporate-welfare governance. "The People" will be like North Korean citizens (eventually without food, shelter, rights... as goes Iran).

A Nation of "The People" has all the rights, the government/institution is never the nation and should never have rights.

It is all about "The People" and civil rights.

And this is a problem ... why? (2, Insightful)

geekgirlandrea (1148779) | more than 4 years ago | (#32149852)

I'm really not seeing much of a downside here. The greatest feature of public-key cryptography is its potential to undermine the state's ability to interfere with communications.

Re:And this is a problem ... why? (0)

Anonymous Coward | more than 4 years ago | (#32150432)

I'm afraid not. The root authorities are vulnerable to federal mandate to surrender the root keys, allowing arbitrary man-in-the-middle re-routing and DNS manipulation. Verisign, for example, has demonstrated their lack of reliability handling .com numerous times, so there's little reason to think they'd properly resist such manipulation.

Re:And this is a problem ... why? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32150786)

Every domain has its own key, and you find a trusted or semi-trusted way to get the keys you really care about.

If something is signed with a key you don't trust there is no need to trust that key.

Even simply doing what ssh does and caching the keys of places you have been should be enough to thwart attacks from all but the most industrious.

No problem! (0)

Anonymous Coward | more than 4 years ago | (#32152268)

We (the 'rest of the world') simply need to enforce the sovereignty of the Internet against any attempts at censorship. Give censoring states a few days to stop their malicious activities or face losing connectivity. If they don't comply (which I suspect they won't) simply cut them off the net once and for all.

Let them whine and bitch all they want. Censorship just isn't acceptable.

Maybe they'll grow up and become ready to join in the international community of free information... If not, just let them rot in their own swamp of ignorance and stupidity.
