ICANN/GNSO GNSO Email List Archives


Re: [ga] IPETEE - forget DNSSEC

  • To: "JFC Morfin" <jefsey@xxxxxxxxxxxxxxxx>
  • Subject: Re: [ga] IPETEE - forget DNSSEC
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Mon, 14 Jul 2008 11:47:24 -0400

On Mon, Jul 14, 2008 at 9:37 AM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx> wrote:


> As far as I understand it only means that all the TLDs are protected by a
> key delivered by a central key per root. If there are several roots being
> supported there are different sets of keys: I see no problem there.
>

No it is a problem.  The issue is in the chain of trust.  In order for
DNSSEC to work properly it requires that the zone's public key be signed by a
higher authority.  That signed key is then added to the zone.  So by way
of example foo.edu sends its public key to .edu which signs the key with
their private key and then returns it to foo.edu which then publishes it to
the zone.

Now maybe it can be done.  I see lots of problems with it.  But no one has
experimented with adding DNSSEC to a non-IANA root, what ICANN these days
is calling competing roots.  Which is somewhat flattering: they now consider
us competition.

> Joe, what is necessary is to rewrite all the Internet documentation as a
> maintained Open Norms Standard and Document reference book + open source
> software approved by the @large community. Would you be interested in working
> on it?
>

I would only be interested if there was a budget.  Open standards are great
but you need a fairly good sized knowledgeable community to make it work.
There are too few of us who actually know the ins and outs of the technical,
historical and political aspects associated with all this.  Most of those
people are busy - so it's hard to get volunteers who know what they are
doing.

It is a good project for a company or individual who wants to invest in the
net's future.


> What is the problem that Bernstein solved and how ?
>

The problem is and has always been that ports used in DNS lookups were not
properly randomized.  So it's easy for evil hackers to guess the port by
means of a brute force attack.  Bernstein randomized the ports.  So it's much
harder to guess the port being used.

Incidentally - I don't expect DNSSEC to take off.  Almost every year they
come up with a new scare-mongering tactic to get DNSSEC in the news.  And it
never takes off.  The problem with DNSSEC is that it is so complicated and
the maintenance overhead so large it becomes a burden to incorporate for
either small or large-scale enterprises.

If you want a secure recursive resolver - just install Bernstein's DNS
servers.

regards
joe baptista

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
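As an added illustration of the source-port randomization point in the message above (this is not code from the original mail, nor Bernstein's software): a Python check that, given (source port, transaction ID) pairs observed from a resolver's outbound queries, estimates how unpredictable they are. The three sample captures are constructed; the check also flags ports that merely increment, which an entropy measure alone would miss.

```python
"""Assess DNS query source-port / transaction-ID unpredictability from
observed outbound queries (constructed sample data, not a live capture)."""
import math
import random
from collections import Counter

# Constructed samples of (source_port, txid) pairs, 200 queries each.
_TXIDS = [(i * 7919) % 65536 for i in range(200)]          # 200 distinct IDs
FIXED_PORT_QUERIES = [(53, t) for t in _TXIDS]              # port never changes
SEQUENTIAL_PORT_QUERIES = [(1024 + i, t) for i, t in enumerate(_TXIDS)]  # +1 each
_rng = random.Random(1)                                     # deterministic sample
RANDOM_PORT_QUERIES = list(zip(_rng.sample(range(1024, 65536), 200), _TXIDS))


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def predictable_increment(values):
    """True if most consecutive differences are identical (e.g. +1 per query):
    such a sequence can score high entropy yet is trivially guessable."""
    deltas = Counter((b - a) % 65536 for a, b in zip(values, values[1:]))
    share = deltas.most_common(1)[0][1] / (len(values) - 1)
    return share > 0.9


def assess(queries, min_port_bits=7.0):
    """Summarize port and txid randomness; with 200 samples the maximum
    measurable entropy is log2(200) ~ 7.64 bits, so a wide random range
    should land near that, while a fixed port scores 0."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_bits = entropy_bits(ports)
    return {
        "unique_ports": len(set(ports)),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "port_randomized": port_bits >= min_port_bits
        and not predictable_increment(ports),
    }


if __name__ == "__main__":
    for name, q in [("fixed", FIXED_PORT_QUERIES),
                    ("sequential", SEQUENTIAL_PORT_QUERIES),
                    ("random", RANDOM_PORT_QUERIES)]:
        print(name, assess(q))
```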
