Secure DNS—Better late than never, I guess

Published Saturday, 25 June 2011 3:30PM CST by in Internet


Here we are 20-odd years into the commercial internet and just now getting around to deploying Secure DNS (DNSSEC). The internet’s domain name service (DNS) is the lizard-brain of the internet, connecting numerical IP addresses to human-recognizable names. In theory, the hardened domain name service will use strong cryptography to secure and authenticate email and ecommerce. In practice, we’ll see.

Traditionally, reliable communications were a top-priority network responsibility with security left in the hands of individual nodes on the network. I’m a much stronger supporter of decentralized security that is in the hands of individuals than I am of centralized security that’s out of our individual control and tosses reliability aside as an externalized expense.

John Markoff, reporting for the New York Times, writes, “The technology is viewed by many computer security specialists as a ray of hope amid the recent cascade of data thefts, attacks, disruptions and scandals, including break-ins at Citibank, Sony, Lockheed Martin, RSA Security and elsewhere.” I know better and I know Markoff knows better. We both were around during the Clinton administration when RSA’s cryptography was thought to be much too strong for ordinary civilians and the Clinton administration wanted it kept in a box.

I’m wary of the idea behind Secure DNS. It will be used to tie identity to physical internet addresses. To my way of thinking, the current digital certificates authenticated by a trusted third party—or even self-signed in most cases—coupled with strong, public-key cryptography (with the keys held locally) are “good enough.” I’m not sure I want my identity tied, irrevocably, to a specific internet address. The headline-making security breaches that seem to be happening on an almost daily basis are almost universally related to human failures, not certificate failures.

Moreover, voice-over-IP applications will likely benefit the most from Secure DNS, and the general belief is that it will make possible phone calls over the internet that can’t be intercepted or eavesdropped upon. That’s, of course, nonsense.

On the other hand, if Secure DNS is implemented solely as a way of adding security to the existing domain name system, that’s an overall good thing. DNS cache poisoning and domain spoofing would disappear overnight because all answers to DNS queries would be digitally signed and authenticated against an authoritative source. But doing just one overall good thing is not in the nature of committee work.
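The validation step that paragraph describes, as an added illustration rather than anything from the original post: a zone signs the set of records it publishes with its private key, and a resolver holding the zone's public key as a trust anchor accepts an answer only when the signature verifies over exactly the bytes it received. This is a deliberately simplified model of DNSSEC written for this page (Ed25519 is a real DNSSEC algorithm, RFC 8080, but the record layout, the `canonical` encoding and the `Zone`/`Resolver` types are assumptions here, not the RFC 4034 wire format or any real resolver's code). The constructed sample records use the 192.0.2.0/24 documentation range.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RR is a simplified DNS resource record (owner name, type, TTL, rdata).
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata string
}

// RRset is the unit DNSSEC signs: every record sharing an owner name and type.
type RRset []RR

// canonical renders an RRset as fixed bytes so signer and validator hash the
// same input. This is a stand-in for the RFC 4034 canonical form, not the real one.
func canonical(set RRset) []byte {
	var b strings.Builder
	for _, rr := range set {
		fmt.Fprintf(&b, "%s|%s|%d|%s\n", strings.ToLower(rr.Name), rr.Type, rr.TTL, rr.Rdata)
	}
	return []byte(b.String())
}

// SignedAnswer pairs an RRset with its RRSIG-like signature and the signing zone's name.
type SignedAnswer struct {
	Set    RRset
	Sig    []byte
	Signer string
}

// Zone holds an authoritative zone's signing key pair (the DNSKEY in real DNSSEC).
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewZone generates a fresh Ed25519 key pair for the named zone.
func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, pub: pub, priv: priv}, nil
}

// Sign produces the signed answer an authoritative server would return.
func (z *Zone) Sign(set RRset) SignedAnswer {
	return SignedAnswer{Set: set, Sig: ed25519.Sign(z.priv, canonical(set)), Signer: z.Name}
}

// Resolver is a validating resolver: Anchors maps zone name to the public key it trusts.
type Resolver struct {
	Anchors map[string]ed25519.PublicKey
}

// Validate accepts an answer only if it was signed by a key this resolver trusts
// for the claimed zone and the records have not been altered since signing.
func (r *Resolver) Validate(a SignedAnswer) bool {
	pub, ok := r.Anchors[a.Signer]
	if !ok {
		return false // no trust anchor for this signer: treat as bogus
	}
	return ed25519.Verify(pub, canonical(a.Set), a.Sig)
}

// Demo returns the validation outcome for three constructed answers:
// the genuine one, a poisoned copy with the IP swapped, and one signed by a key
// the resolver has never been told to trust.
func Demo() (genuineOK, poisonedOK, untrustedKeyOK bool) {
	zone, err := NewZone("example.com.")
	if err != nil {
		panic(err)
	}
	resolver := &Resolver{Anchors: map[string]ed25519.PublicKey{zone.Name: zone.pub}}

	genuine := zone.Sign(RRset{{Name: "www.example.com.", Type: "A", TTL: 3600, Rdata: "192.0.2.10"}})

	// Constructed poisoned answer: the original signature is replayed over altered rdata.
	poisoned := genuine
	poisoned.Set = RRset{{Name: "www.example.com.", Type: "A", TTL: 3600, Rdata: "192.0.2.99"}}

	// Constructed answer from a second key pair claiming to be the same zone.
	rogue, err := NewZone("example.com.")
	if err != nil {
		panic(err)
	}
	untrusted := rogue.Sign(poisoned.Set)

	return resolver.Validate(genuine), resolver.Validate(poisoned), resolver.Validate(untrusted)
}

func main() {
	g, p, u := Demo()
	fmt.Printf("genuine=%v poisoned=%v untrusted-key=%v\n", g, p, u)
}
```

The middle case is the one that matters for cache poisoning: the forged record arrives with a perfectly valid signature attached, but the signature was computed over different bytes, so it fails. The third case shows why the trust anchor (and, in real deployments, the DS chain up to the root) is the actual security boundary: any key can sign, only a trusted key validates.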
