A Case Against DNSSEC
[-ed: Some day soon, I will finish this.]

Hi. I’m Thomas Ptacek. I’m a security researcher and I don’t like DNSSEC, the protocol that the IETF Standards Body is promoting to “secure the Internet’s Domain Name System”. So I’m writing a series of posts about it, explaining:
why DNSSEC doesn’t solve real security problems,
why DNSSEC is too complicated to deploy,
why DNSSEC breaks promises the Internet made to applications, and
why DNSSEC is a waste of otherwise valuable effort.
At the end of this series, I want you to think that the recent story about the US Department of Homeland Security “hijacking” the DNSSEC root signing key is a nontroversy, that you should be a lot more concerned with the IETF DNSEXT working group than with Verisign or the US Government, but that that’s OK, because the security mechanisms Open Source software has already given us are more than enough.
I also want you to think that your quality of life will be worse, even taking the Russian Mafia into account, after DNSSEC becomes a reality.
Or, at least, I want you to understand why I think that.

This is an argument broken into 6 parts. It’s taking me a while to write! Here’s where we’re at so far:
Opening Statement (Conversational)
DNSSEC is the case that they gave me. An abbreviated version of all of the arguments I’m making in detail later.
DNSSEC Solves A Non-Problem (Illustrated)
Three open cryptographic security schemes (SSL, GPG, and SSH): why they’re much better than DNSSEC, why they don’t need DNSSEC to work, and why you’d still need them even after DNSSEC.
DNSSEC Is Too Complicated To Deploy (Illustrated)
Don’t know much about how DNSSEC works? I hope you will after this article, even if it does leave you with a queasy feeling at the pit of your stomach.
DNSSEC Breaks The Internet (Coming Next Week)
The End-to-End Argument, why it defines everything that’s good about the Internet, and how DNSSEC trashes it by making applications’ security decisions for them.
DNSSEC Is A Waste Of Effort (Coming Next Week)
It took more than 13 years to standardize DNSSEC. What could we have accomplished in that time instead?
Closing Statement (Coming Next Week)
Are you convinced? We’ll find out.
You could wait for me to finish this series. But it’ll take you a while to read what’s already there, and if you don’t know much about DNSSEC now, you will after you’re done.
And please, let me know what you think!