On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote:
> > I disagree. DNSSEC is not just DNS: it's the only available, deployed, and
> > (mostly) accessible global PKI currently in existence which also includes a
> > constrained path of trust which follows already established business
> > relationships.
>
> Except that virtually nobody uses DNSSEC and most of the registrars don't
> support it.

More importantly, what problem do people think DNSSEC is going to solve? It is still a hierarchical model of trust. So at the top, if you don't trust Verisign for the .COM domain and PIR for the .ORG domain (and for people who are worried about the NSA, both of these are US corporations), the whole system falls apart.

And even if you believe Verisign and PIR are paragons of virtue which are incorruptible (even in a dark room when no one can see, as the old Chinese saying goes), what about all of the registrars? Their dynamic with their users and the market is the same as with CAs --- the market virtually guarantees a race to the bottom in terms of quality and prices. So beyond replacing names like "Comodo" with "Go Daddy", what benefit do you actually think would accrue? You'll still be dealing with a self-service security model, probably using e-mail based password recovery.

Sure, authenticating DNS queries when previously they were completely unsecured is a good thing. And if the PKI infrastructure for DNSSEC is different from that of X.509 certificates, maybe that increases the difficulty a little for the attacker. But I get really worried when people say that DNSSEC is somehow going to magically solve the PKI problem. Basically, DNSSEC maps almost identically to the previously unsolved problem.

- Ted