The DNSSEC Chicken & Egg Challenge
wiredmikey writes "To begin DNSSEC implementation or not: that is the question facing a host of enterprises, notably any that engage in e-commerce or online financial transactions (online retailers, banks, investment firms, hospitality and travel, etc.). These businesses find themselves in a catch 22; there are obvious security benefits to adopting Domain Name System Security Extensions or DNSSEC, but there are some severe downsides to being too early in the adoption curve – downsides that are becoming more and more apparent every day. While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all. Simply put, DNSSEC can only work if it is supported throughout the hierarchy from publisher to visitor..."
Re:Wow!! (Score:5, Interesting)
It's funny because that's not even the case here - they claim it's not so much that "everyone" needs to be in on it, just "everyone" vertically speaking for their system, not necessarily the wide web.
While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all.
So basically: It works. But the features of it don't work if the application layer doesn't attempt to utilize it.
It doesn't seem to have any reason to NOT implement it; assuming you do it properly you won't have any negative effects. Like mucking around with your DNS server anyway, if you don't know what you're doing you're likely to mess it up whether you are trying to set up DNSSEC or not. So really, there's nothing stopping anyone from implementing it - just their own laziness or fear of screwing up a working system (much like the delay in implementing IPv6).
I don't see the "Downsides" they really try to perpetuate though. They make it sound as though properly implementing DNSSEC is going to cause a rapid drop-off in sales if you attempt to deploy it before the rest of the market. Not true.
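The point in the comment above, that the signatures do nothing for an application that never looks at the validation result, comes down to one header bit. A validating resolver sets the AD (Authenticated Data) flag on a response it has verified; an application that parses only the answer section gets the same address either way. The following is an added example, not code from the thread: it constructs two sample DNS responses (same A record, AD flag set in one and clear in the other), parses them, and shows an application-side check that only accepts the authenticated one. The name and address used are constructed sample values.

```python
"""Application-side check of the DNSSEC AD (Authenticated Data) flag.

Added example, not from the Slashdot thread. The responses below are
constructed with build_response(), not captured traffic.
"""
import socket
import struct

FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: resolver validated via DNSSEC (RFC 4035)
FLAG_CD = 0x0010   # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(name: str, ip: str, validated: bool) -> bytes:
    """Construct a minimal one-answer A response (sample input for this example)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)   # qd=1, an=1, ns=0, ar=0
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = socket.inet_aton(ip)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # the pointer ends the name in-place
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the header flags plus the first IN A record of the answer section."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    result = {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
              "rcode": flags & RCODE_MASK, "name": None, "address": None}
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and result["address"] is None:
            result["name"], result["address"] = name, socket.inet_ntoa(rdata)
    return result


def authenticated_address(msg: bytes):
    """Return the address only if the resolver marked the answer as validated.

    With AD clear the data is identical, but the application has no grounds
    to treat it as authenticated, so it returns None.
    """
    r = parse_response(msg)
    if r["rcode"] != 0 or r["address"] is None:
        return None
    return r["address"] if r["ad"] else None


if __name__ == "__main__":
    for validated in (True, False):
        msg = build_response("example.com", "192.0.2.10", validated)
        print(validated, parse_response(msg)["address"], authenticated_address(msg))
```

The AD bit is only meaningful when the application trusts the resolver that set it and the path to that resolver (a validating resolver on the same host, or a transport that protects the response); a flag set by an upstream resolver and relayed over a plain network path proves nothing, which is why "supported throughout the hierarchy" in the summary includes the last hop.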
It's all being worked on (Score:5, Interesting)
At Black Hat this year, I actually demonstrated the endgame. Want federated authentication in OpenSSH that actually scales? Want servers able to autogenerate TLS keys that will be recognized and secured worldwide, even against broken certificate authorities?
Want secure email, without the mess that is PGP key management?
End to end secure key management via DNSSEC makes it all actually really easy. Code is here -- BSD licensed, feel free to play:
http://dankaminsky.com/phreebird
Also, I'm putting together a set of diaries on the subject:
http://dankaminsky.com/2010/12/13/dnssec-ch1/
Enjoy!
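The "TLS keys recognized worldwide, even against broken certificate authorities" idea in the comment above is what was standardised as DANE: the zone publishes a digest of the server's own certificate in a TLSA record (RFC 6698), DNSSEC signs it, and the client compares it with the certificate the server presents instead of relying on a CA. The comment does not name TLSA, and the code below is an added example written for this page, not Phreebird's code. It builds the presentation form of a "3 0 1" record from certificate bytes, parses it back, and matches a presented certificate against a record set, refusing to use records that did not arrive DNSSEC-authenticated. The certificate bytes are constructed placeholders, not real DER; only selector 0 (whole certificate) is handled, so no ASN.1 parsing is needed.

```python
"""Matching a presented TLS certificate against DNSSEC-published TLSA data.

Added example, not from the Slashdot thread or from Phreebird. Record layout
follows RFC 6698; the certificate bytes used as input are constructed.
"""
import hashlib

USAGE_DANE_EE = 3        # certificate usage 3: the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # selector 0: the full DER certificate
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_association(cert_der: bytes, matching_type: int) -> bytes:
    """Certificate association data for selector 0 under the given matching type."""
    if matching_type == MATCH_FULL:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def tlsa_presentation(cert_der: bytes, matching_type: int = MATCH_SHA256) -> str:
    """Zone-file text of a '3 0 <mtype> <hex>' TLSA record pinning cert_der."""
    assoc = tlsa_association(cert_der, matching_type).hex()
    return f"{USAGE_DANE_EE} {SELECTOR_FULL_CERT} {matching_type} {assoc}"


def parse_tlsa(text: str):
    """Parse presentation format into (usage, selector, mtype, association bytes)."""
    usage, selector, mtype, assoc = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(assoc.replace(" ", ""))


def cert_matches_tlsa(cert_der: bytes, records, dnssec_authenticated: bool) -> bool:
    """True if cert_der matches any usable record in the set.

    The records are only worth consulting if they were DNSSEC-authenticated
    (validated locally, or AD set by a trusted validating resolver): a pin
    that an attacker who forges DNS can also forge adds nothing.
    """
    if not dnssec_authenticated:
        return False
    for rec in records:
        usage, selector, mtype, assoc = parse_tlsa(rec)
        if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
            continue      # other usages need PKIX chain handling, other selectors SPKI extraction
        try:
            if tlsa_association(cert_der, mtype) == assoc:
                return True
        except ValueError:
            continue      # unknown matching type: the record is unusable, skip it
    return False


if __name__ == "__main__":
    cert = b"constructed certificate bytes, not real DER"
    record = tlsa_presentation(cert)
    print(record)
    print(cert_matches_tlsa(cert, [record], dnssec_authenticated=True))
    print(cert_matches_tlsa(cert, [record], dnssec_authenticated=False))
```

The design choice that matters is the `dnssec_authenticated` gate: the record set and the certificate comparison are the easy part, while the chain from publisher to visitor that the summary talks about is what makes the comparison mean anything.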