[arin-ppml] DNSSEC
Joe Baptista
baptista at publicroot.org
Wed Sep 3 22:04:18 EDT 2008
On Wed, Sep 3, 2008 at 12:30 PM, John Curran <jcurran at istaff.org> wrote:
> Mr. Mitchell -
>
> While perhaps not the ideal place, asking the PPML mailing list
> certainly works.
>
> The topic has not been discussed at before the ARIN membership, but the
> ARIN
> Board has discussed this topic and has directed staff to make
> those preparations
> necessary for signing those reverse zones contained in-addr records
> for space
> under ARIN's administration. Note that the actual effectiveness in
> security that
> results is rather limited until both .arpa and the DNS root zone are
> also signed.
>
I think the U.S. Government should be congratulated on its use of DNSSEC to
secure the zone. It's a bold experiment, if not an act of faith to use the
USG .gov to test an untested experimental protocol. Tip of my hat to you
all on that.
But I nor the world is convinced we want to be a part of it. First imho
DNSSEC is a colossal fraud. 1) It does nothing to secure the DNS (any
kiddie with a bot net can crack it - so can governments, military and large
corporations that have the resources to do it), 2) it remains vulnerable to
man in the middle attacks, and 3) incurs significant costs on infrastructure
maintenance.
But the most repulsive aspects of DNSSEC is what I suspect is its true
purpose is to take over control of the technical function of root. The
whole scheme is based on chains of trust up the dns tree right to the root
that has full control over the signatures. This is a lot of power to give
to the gruesome thirteen.
http://www.root-servers.org/
Obviously the U.S. Government trusts these people to run the root. I do
not. Neither does the Chinese Government or any government that has been
properly briefed on the control aspects behind DNSSEC.
Stu if I may make a presumptive suggestion. When your boys at the USG
figure out DNSSEC is not up to snuff in the security department may I
suggest you start today investigating the operation of a secure system using
the following technology:
http://dnscurve.org/
I've also included some slide show documentation for you to read on it.
enjoy
joe baptista
> On Sep 3, 2008, at 11:01 AM, Stu_Mitchell at ios.doi.gov wrote:
>
>
> Hello,
>
> Pardon me, if this isn't the right place to ask....
>
> OMB issued OMB memo 08-23, which requires federal agencies to deploy DNSSEC
> to the second level domains under "dot gov" by December 2009. I was
> wondering about the reverse records. Are there plans to sign the reverse
> domains?
>
> Thanks
>
> Stu Mitchell
> Dept. of the Interior
>
>
>
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20080903/5dcf9447/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DNSCurve-presentation-guide-slides-1.pdf
Type: application/pdf
Size: 91723 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20080903/5dcf9447/attachment.pdf>
More information about the ARIN-PPML
mailing list