On 9/12/13 7:24 AM, "Theodore Ts'o" <tytso@xxxxxxx> wrote:

>On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote:
>> > I disagree. DNSSEC is not just DNS: it's the only available, deployed, and
>> > (mostly) accessible global PKI currently in existence which also includes a
>> > constrained path of trust which follows already established business
>> > relationships.
>>
>> Except that virtually nobody uses DNSSEC and most of the registrars don't
>> support it.
>
>More importantly, what problem do people think DNSSEC is going to solve?
>
>It is still a hierarchical model of trust. So at the top, if you
>don't trust Verisign for the .COM domain and PIR for the .ORG domain
>(and for people who are worried about the NSA, both of these are US
>corporations), the whole system falls apart.
>
>And even if you believe Verisign and PIR are paragons of virtue
>which are incorruptible (even when in a dark room when no one can see,
>as the old Chinese saying goes), what about all of the registrars?

There are vastly different aspects to trust in PKI vs DNSSEC, specifically about trust vs validation.

In this context, "validation" means having the domain owner verify that the DNSSEC and DNS records for their domain reflect reality.

In order to subvert or redirect a delegation, the TLD operator (or registrar) would need to change the DNS server name/IP and replace the DS record(s). This would be immediately evident to the domain owner when they query the TLD authority (delegation) servers.

In other words, "trust but verify" is an intrinsic part of DNSSEC, regardless of where in the (trusted) hierarchy delegation occurs, or which parties are involved in updating the delegation components.

DNS can't scale without delegation and caching. With DNSSEC, all of these elements support scalable, secure verification and validation.
The ability to monitor this in real time, at centralized locations (TLD authority servers), scales very well and comes as close to a guarantee of verifiable security as is practical.

On the other hand, a domain owner currently has no feasible way to determine that a PKI certificate has been issued for its domain (or any host in its domain) by any CA other than the CA that issued the "real" certificate. PKI certificates are tied to names, not IP addresses, and are not published anywhere. Thus, there is no method, short of querying every web server, BY NAME, via HTTPS, on the planet, to actively detect "forged" certificates.

If DNSSEC is not used to protect the domain, having a forged certificate and poisoning DNS caches is all an attacker needs to do - or being a MitM, which removes the need to poison the cache.

Brian
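The "trust but verify" check Brian describes, as an added example that is not part of the thread and not code from any of its participants: the zone owner computes the DS records the parent should be publishing from their own DNSKEY set (key tag per RFC 4034 Appendix B, SHA-256 digest over owner name plus DNSKEY RDATA per RFC 4509) and compares them, together with the NS set, against what the TLD authority servers hand back in a referral. The zone name, keys and name servers are constructed sample values; a real monitor would obtain the observed NS and DS sets by querying the parent, which is left out so the example runs offline.

```python
import base64
import hashlib
import struct

# Constructed sample data (hypothetical, not real records): the zone's own
# DNSKEY set and the delegation the owner expects the TLD to publish.
ZONE = "example.test."
OWN_DNSKEYS = [
    # (flags, protocol, algorithm, public key as base64); 257 = ZONE|SEP, i.e. a KSK
    (257, 3, 8, "AQIDBA=="),
    # 256 = ZONE only, i.e. a ZSK; no DS is expected for it at the parent
    (256, 3, 8, "BQYHCA=="),
]
EXPECTED_NS = {"ns1.example.test.", "ns2.example.test."}


def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase, uncompressed), RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """RDATA of a DNSKEY record: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA tuple (key tag, algorithm, digest type, hex digest) the parent
    should publish for this DNSKEY.  Digest type 2 is SHA-256 over
    owner-name-wire || DNSKEY RDATA (RFC 4509); type 1 is SHA-1 (RFC 4034)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def expected_ds_set(owner, dnskeys):
    """DS records expected at the parent: one per key carrying the SEP flag (bit 0x0001)."""
    return {ds_from_dnskey(owner, *k) for k in dnskeys if k[0] & 0x0001}


def audit_delegation(owner, dnskeys, expected_ns, observed_ns, observed_ds):
    """Compare the NS and DS sets observed at the TLD authority servers with
    what the zone owner expects.  Returns a list of findings; an empty list
    means the delegation matches reality."""
    findings = []
    exp_ds = expected_ds_set(owner, dnskeys)
    for ds in sorted(set(observed_ds) - exp_ds):
        findings.append("unexpected DS at parent (key tag %d, digest %s...)" % (ds[0], ds[3][:16]))
    for ds in sorted(exp_ds - set(observed_ds)):
        findings.append("expected DS missing at parent (key tag %d)" % ds[0])
    for ns in sorted(set(observed_ns) - set(expected_ns)):
        findings.append("unexpected NS in delegation: %s" % ns)
    for ns in sorted(set(expected_ns) - set(observed_ns)):
        findings.append("expected NS missing from delegation: %s" % ns)
    return findings


def run_demo():
    """Audit a benign and a tampered delegation, both constructed for this example."""
    good_ds = expected_ds_set(ZONE, OWN_DNSKEYS)
    benign = audit_delegation(ZONE, OWN_DNSKEYS, EXPECTED_NS, EXPECTED_NS, good_ds)
    # Tampered: one NS repointed and the DS replaced with one for a key the
    # owner never generated, which is the substitution the message describes.
    rogue_ds = ds_from_dnskey(ZONE, 257, 3, 8, "CQoLDA==")
    tampered = audit_delegation(
        ZONE, OWN_DNSKEYS, EXPECTED_NS,
        {"ns1.example.test.", "ns.attacker.test."}, {rogue_ds})
    return benign, tampered


if __name__ == "__main__":
    benign, tampered = run_demo()
    print("benign delegation findings:", benign)
    for finding in tampered:
        print("tampered delegation:", finding)
```

Run periodically against the parent's referral, every mismatch is a concrete, attributable change to the delegation, which is exactly the visibility the message says a domain owner lacks for CA-issued certificates.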