DNSSEC will kill any meaningful future work in DNS security, but like I keep saying, I'm not anti-DNSSEC because I'm pro-DNSCurve; I just think DNS security is a stupid problem. Draw a layer diagram of TCP/IP up through HTTPS. Somewhere on that diagram you have to draw a line and say "below this line we're not going to attempt cryptographic security". That's not a new insight; it's basically the core argument of Saltzer-Reed-Clark, the foundational design paper for the Internet.
I tried to keep my issues with DNSSEC terse and clean here:
http://sockpuppet.org/blog/2015/01/15/against-dnssec/
They are:
* It doesn't solve an important problem.
* It does create a new government-controlled PKI, which some people will depend on, to the detriment of safety and privacy.
* It's a cryptographically weak protocol designed by 90s-non-cryptographers.
* It breaks applications, as 'peterwwillis has been pointing out here for days.
* It's so expensive to deploy that Cloudflare is the biggest news to happen to it in 21 years.
* It doesn't protect browser lookups.
* It doesn't encrypt DNS requests and, in fact, actually forces sites to reveal more about their hosts than normal DNS does.
* Like I said up top, it's architecturally incoherent in a way that the End to End paper actually used as its motivating example all the way back in 1981.
I have spent a lot of time over the past 10 years arguing with people about DNSSEC. I'm not just making random stuff up in HN threads about this. You're probably not going to "gotcha" me on any of this.
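The bullet above about DNSSEC forcing sites to reveal more about their hosts refers to NSEC records: to prove that a name does not exist, a signed zone answers with the two existing names on either side of it in canonical order, and each NSEC record's "next name" field links the whole zone into a chain that anyone can follow. The code below is an added example, not code from the thread or from any DNSSEC implementation; it models both behaviours over a constructed NSEC chain for the hypothetical zone example.test (the host names, record types and query names are assumptions), so it runs offline with no resolver.

```python
"""Added example: enumerating a DNSSEC-signed zone through its NSEC chain.

The NSEC chain below is constructed for a hypothetical zone, example.test.
In a real zone each entry would be an NSEC record returned in the authority
section of an NXDOMAIN or NODATA response (RFC 4034 section 4).
"""
from typing import Dict, List, Optional, Tuple

# owner name -> (next owner name, RR types present at owner). Constructed data.
NSEC_CHAIN: Dict[str, Tuple[str, List[str]]] = {
    "example.test.": ("admin.example.test.", ["SOA", "NS", "NSEC", "RRSIG"]),
    "admin.example.test.": ("db-internal.example.test.", ["A", "NSEC", "RRSIG"]),
    "db-internal.example.test.": ("vpn.example.test.", ["A", "NSEC", "RRSIG"]),
    "vpn.example.test.": ("www.example.test.", ["A", "AAAA", "NSEC", "RRSIG"]),
    # The last NSEC in a zone points back to the apex, closing the chain.
    "www.example.test.": ("example.test.", ["A", "NSEC", "RRSIG"]),
}


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing DNSSEC canonical ordering (RFC 4034 section 6.1):
    labels compared right to left, case-insensitively, as raw bytes."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def walk_zone(chain: Dict[str, Tuple[str, List[str]]], apex: str) -> List[str]:
    """Follow NSEC 'next name' pointers from the apex until they wrap around.
    This is the zone-enumeration attack: every name in the zone is recovered
    without ever guessing one. Raises on a broken or looping chain."""
    names = [apex]
    current = apex
    while True:
        next_name, _types = chain[current]
        if next_name == apex:
            return names
        if next_name in names:
            raise ValueError(f"NSEC chain loops at {next_name}")
        names.append(next_name)
        current = next_name


def covering_nsec(chain: Dict[str, Tuple[str, List[str]]],
                  qname: str) -> Optional[Tuple[str, str]]:
    """Return the (owner, next) pair an authoritative server must send to prove
    that qname does not exist. Returns None if qname exists in the chain.
    A single denial therefore leaks two real host names to the querier."""
    if qname in chain:
        return None
    q = canonical_key(qname)
    for owner, (next_name, _types) in chain.items():
        o, n = canonical_key(owner), canonical_key(next_name)
        if o < n:
            if o < q < n:
                return (owner, next_name)
        elif q > o or q < n:  # last record: the interval wraps past the apex
            return (owner, next_name)
    raise LookupError(f"no NSEC record covers {qname}; chain is incomplete")


if __name__ == "__main__":
    print("zone contents via NSEC walk:", walk_zone(NSEC_CHAIN, "example.test."))
    for probe in ("mail.example.test.", "zzz.example.test."):
        print(probe, "does not exist; denial reveals", covering_nsec(NSEC_CHAIN, probe))
```

Run as-is, the walk recovers all five names, and a single query for the nonexistent mail.example.test. comes back with db-internal and vpn as its neighbours, which is the disclosure the bullet is about. NSEC3 (RFC 5155) replaces owner names in the chain with salted hashes, which stops this direct walk but still hands out the hashed neighbours for offline dictionary guessing; it changes the cost of enumeration, not the property.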
Without the proposition "Once we deploy it, any notion of solving the problem correctly dies", which you seem to repudiate here, much of the sound and fury on HN in recent days would evaporate.
People doing dumb shit on the internet is typically not a problem for me, so while the end-to-end argument suffices to dismiss DNSSEC as worthy of investigation, I remain confused by all the attention drawn to this. If it's all a CloudFlare marketing stunt, has no one heard of the Streisand Effect? If it's all an NSA email-reading effort, why don't they just keep reading our email in the same fashion they already do? Confusing...
I vigorously disagree that the "sound and fury" on HN is about DNSSEC sucking all the oxygen out of the DNS security problem. It is on its face a PKI that gives control over .COM keys to the NSA.