I hide nothing from you: I kicked back this Friday night. I slacked off. Now it’s Saturday at 2am and I’m finally getting to this. But you all read this in the morning anyway, so it really doesn’t matter much, right? (If I’m wrong I’ll surely hear in the comments.)
Let’s start with a widely reported but badly reported story: DNSSEC. This is a framework for the Domain Name System (the framework for translating from hostnames such as www.redstate.com to IP addresses, which are the actual addresses used on the Internet). The system is akin to SSL for domains. Verisign will manage it for the Commerce Department and create a single “Root Key” which is then used to create certificates for domains, which will then be used to make sure a domain’s DNS records are legitimate.
In my estimation, it’s just a big boondoggle for Verisign to get more customers. The vast majority of domains won’t be able to be secured by it, because Verisign is going to have a monopoly and will charge accordingly. This will only affect big businesses transacting large amounts of money, and they’re already secured against DNS-based attacks. If they’re smart they are, anyway.
What DNSSEC does that is bad, however, is create a new point of failure for the Internet, because there are 7 key holders who control escrowed access to the root key. If 3 of them lose the keys, the entire system will have to be re-keyed at expense and inconvenience to all, as pointed out by George Ou.