14 DNS Nerds Don't Control The Internet
Quarrelsome · 2016-10-27 · via Quarrelsome

You’re reading this page because you’ve suggested that “14 people control the Internet through the DNSSEC root keys”. If you’re unlucky, you might be a journalist preparing a story about those people. Stop!

DNSSEC doesn’t do anything. Dramatic ceremonies notwithstanding, if the secret DNSSEC keys leaked on Pastebin tomorrow, it’s unlikely that anything would break.

Practically all commerce on the Internet happens without DNSSEC. Web browsers don’t support it, or DANE, the DNSSEC-based replacement for certificate authorities. Most DNS domains don’t either. If you log in to your online banking and wire money to Transnistria, no DNSSEC will happen.

Maybe you have a source suggesting otherwise. Ask them to be specific. For instance: of the 5 largest US banks, which of them are enrolled in DNSSEC? After reading this, I’ll bet you can guess the answer. Are the banks just stupid? No: they have some of the best security teams in the world, and they think DNSSEC is a bad idea.

Isn’t it a big deal that the Internet’s DNS lookups are protected? Nope. The architects of the web’s security protocols assumed that the DNS would be insecure. When technologists discuss “certificates” and “certificate authorities” (and “HSTS” and “HPKP”, and I can go on but I won’t), they’re talking about cryptography built to work around the insecure DNS. The Internet works fine without DNSSEC.

Of course, this pretty much has to be true. .COM didn’t support DNSSEC until Spring 2011. Global commerce migrated online many years before that. If DNSSEC is so important, how did this stuff work before 2011?

If DNSSEC is so pointless, why do people care about it so much?

A funny thing happened between 1994 and 2011, while the IETF worked furiously to design DNSSEC: we figured out how to secure the Internet without securing the DNS. The market moved faster than the standard, and the standard was left struggling for a reason to exist. Hundreds of people have invested their reputations in DNSSEC and are loath to see it fail. That’s unfortunate. But it’s also one of the oldest stories in technology standards.

There’s a real story in DNSSEC, but it’s not a happy one. To justify DNSSEC, standards groups hatched a plan to move the web’s security certificates into the DNS. With a secure DNS, the logic went, we’d no longer need to pay certificate authorities for SSL certificates. This scheme is called DANE.

DANE gives the power to create security certificates to whoever controls the DNS. The cryptographic keys in those certificates are an obstacle to government-sponsored dragnet surveillance. With DANE, guess who controls the certificates? Had DANE been deployed while he was alive, Muammar Gaddafi would have controlled the keys for BIT.LY. For GOOGLE.COM and APPLE.COM, that’d be the United States Government.

DNSSEC is the world’s most ambitious key escrow scheme: a backdoor that hands over control of Internet cryptography to world governments. Thankfully, it’s also a total market failure. We should hope it stays that way.

You can read more ominous DNSSEC nerdery here.