Fixing the holes
Like the roof on my house, the DNS has holes. A really bad DNS hole got patched earlier this year – well, mostly patched. I say “patched” because the solution isn’t very good: it has just dried up the worst of the problem, but the fix won’t last.
Kim Davies of IANA has written a very readable account of the problem in DNS security. It makes for scary reading. The bad guys will get control of the Internet unless we deal to this problem.
I have bitten the bullet and agreed to have a new roof on my house. Just patching the old one won’t keep the water out any more – it just comes through another place every time it rains. The DNS needs a new roof as well, and it’s called DNSSEC. It will involve lots of Internet folk in real work, but we need to get on with it.
Who do we trust with the root keys? Should the power go to an outfit that answers to the US Commerce Department? To the UN? Who?
Is there a way to spread the trust, so no single entity has ultimate power over it all?
Comment by Lawrence D'Oliveiro — 19 November 2008 @ 12:22 pm
Lawrence
While these are all good questions, there is unlikely to be consensus about the answers. And just doing nothing isn’t an option. So, we need to find a way through this quickly without endless debate.
Colin
Comment by colin — 19 November 2008 @ 6:10 pm
I absolutely reject the need for haste on this. The two main killer apps on the Internet are e-mail and the Web. The Web has TLS/SSL, which protects against DNS holes. E-mail leaks like a sieve anyway, and a secure DNS isn’t going to help with that.
Other protocols that depend on security, like SSH, also have their own protections. So where, really, is the pressing need for a secure DNS?
Comment by Lawrence D'Oliveiro — 20 November 2008 @ 4:55 pm