
The DNSSEC Chicken & Egg Challenge

wiredmikey writes "To begin DNSSEC implementation or not: that is the question facing a host of enterprises, notably any that engage in e-commerce or online financial transactions (online retailers, banks, investment firms, hospitality and travel, etc.). These businesses find themselves in a catch 22; there are obvious security benefits to adopting Domain Name System Security Extensions or DNSSEC, but there are some severe downsides to being too early in the adoption curve – downsides that are becoming more and more apparent every day. While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all. Simply put, DNSSEC can only work if it is supported throughout the hierarchy from publisher to visitor..."
  • Re:Wow!! (Score:5, Interesting)

    by Monkeedude1212 ( 1560403 ) on Monday December 20, 2010 @01:57PM (#34617826) Journal

    It's funny because that's not even the case here - they claim it's not so much that "everyone" needs to be in on it, just "everyone" vertically speaking for their system, not necessarily the wide web.

    While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all

    So basically: It works. But the features of it don't work if the application layer doesn't attempt to utilize it.

    It doesn't seem to have any reason to NOT implement it, assuming you do it properly you won't have any negative effects. Like mucking around with your DNS Server anyways, if you don't know what you're doing you're likely to mess it up whether you are trying to set up DNSSEC or not. So really, there's nothing stopping anyone from implementing it - just their own laziness or fear of screwing up a working system (much like the delay in implementing IPv6).

    I don't see the "Downsides" they really try to perpetuate though. They make it sound as though properly implementing DNSSEC is going to cause a rapid dropoff in sales if you attempt to deploy it before the rest of the market. Not true.
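
Added example (not part of the comment above or of the article): a sketch of what "the application layer utilizing DNSSEC" looks like for a stub client that relies on a validating resolver. It builds a query with the EDNS0 DO bit set and classifies a reply by its AD flag and RCODE; the function names and the 12-byte sample headers are constructed for illustration.

```python
import struct

QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F   # DNS header flag bits
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """Build a query that asks the resolver for DNSSEC processing (DO bit)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # EDNS0 OPT pseudo-record: root name, type 41, class = UDP payload size,
    # TTL field = ext-rcode | version | flags, where 0x8000 is the DO bit.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Decide how an application should treat a resolver's reply.

    The AD flag is only meaningful when the path to the resolver is
    trusted (for example a validating resolver on localhost).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "failed"        # validating resolvers report bogus data as SERVFAIL
    if rcode != 0:
        return "error"
    # An application that never looks at AD accepts both cases identically,
    # which is the gap the summary describes.
    return "validated" if flags & AD else "unvalidated"

def sample_header(flags):
    """Constructed 12-byte response header for the demo (no records)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    for flags in (0x81A0, 0x8180, 0x8182):
        print(hex(flags), classify(sample_header(flags)))
```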

  • by Effugas ( 2378 ) * on Monday December 20, 2010 @02:36PM (#34618434) Homepage
    DNSSEC is an infrastructure shift, and you can't use it on .com domains for another few months. Have some patience.

    At Black Hat this year, I actually demonstrated the endgame. Want federated authentication in OpenSSH that actually scales? Want servers able to autogenerate TLS keys that will be recognized and secured worldwide, even against broken certificate authorities?

    Want secure email, without the mess that is PGP key management?

    End to end secure key management via DNSSEC makes it all actually really easy. Code is here -- BSD licensed, feel free to play:

    http://dankaminsky.com/phreebird

    Also, I'm putting together a set of diaries on the subject:

    http://dankaminsky.com/2010/12/13/dnssec-ch1/

    Enjoy!
