On Thu, 12 Sep 2013, Theodore Ts'o wrote:

> More importantly, what problem do people think DNSSEC is going to solve? It is still a hierarchical model of trust. So at the top, if you don't trust Verisign for the .COM domain and PIR for the .ORG domain (and for people who are worried about the NSA, both of these are US corporations), the whole system falls apart.

Any coercing that happens has to be globally visible, if the target ensures he is using "random" nameservers to query for data. This should be detectable, and I hope that high value domains (like eff.org) ensure that they are monitoring DNS answers to see if any forged-with-private-key answers are seen in the wild. (e.g. RIPE Atlas?) Once we have proof of that, we can ponder about how to cut the US Government out of our DNS roots. (Sadly, eff.org is still not signed and has no TLSA record. Likely due to their registrar not supporting it, but at least they could do DLV.)

> And even if you believe Verisign and PIR are paragons of virtue which are incorruptible (even when in a dark room when no one can see, as the old Chinese saying goes), what about all of the registrars? Their dynamic with their users and the market is the same as with CAs --- the market virtually guarantees a race to the bottom in terms of quality and prices. So beyond replacing names like "Comodo" with "Go Daddy", what benefit do you actually think would accrue? You'll still be dealing with a self-service security model, probably using e-mail based password recovery.

As Tony said. You can pick a non-bottom one.

> Basically, DNSSEC maps almost identically to the previously unsolved problem.

Not at all - targeted attacks with CAs are easy. Unlike with DNSSEC. Furthermore, TLDs could institute a delay mechanism with respect to updating KSK/DS record so a compromised Registrar requesting an updated DS won't come into effect immediately, and the Registrant has time to react.

Paul
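Added illustration, not part of the thread: the monitoring a registrant can do on their own behalf for the registrar-compromise case discussed above, namely recomputing the DS records that should be published at the parent from the KSKs the zone actually holds (RFC 4034 key tag and RFC 4509 SHA-256 digest) and flagging any parent DS that matches none of them. The owner name example.org and the public-key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as published in the parent zone


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """DS record the parent should hold for this DNSKEY, digest type 2 (SHA-256, RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, 2, digest)


def unexpected_ds(parent_ds: list, own_ksks: list, owner: str) -> list:
    """Return every DS seen at the parent that corresponds to no KSK we control.
    own_ksks is a list of (flags, protocol, algorithm, pubkey) tuples."""
    expected = {ds_from_dnskey(owner, *ksk) for ksk in own_ksks}
    return [ds for ds in parent_ds if ds not in expected]


# Constructed sample: a 4-byte "key" stands in for a real ECDSA P-256 key (algorithm 13).
OUR_KSK = (257, 3, 13, bytes([1, 2, 3, 4]))
if __name__ == "__main__":
    seen = [ds_from_dnskey("example.org.", *OUR_KSK), ds_from_dnskey("example.org.", 257, 3, 13, bytes([9, 9, 9, 9]))]
    print(unexpected_ds(seen, [OUR_KSK], "example.org."))  # the second DS, which we never requested
```

Run this against DS answers collected from several independent resolvers, as the message suggests, so that a change visible at only some of them stands out as well.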