from Hacker News

DNSSEC surpasses 50% of root domains

by seky on 1/24/14, 1:01 PM with 50 comments

  • by tptacek on 1/24/14, 3:27 PM

    No, 50 of the root domains now support DNSSEC. Nothing resembling 50%, 5%, or .5% of the Internet uses DNSSEC. Nor will it ever.

    DNSSEC is a bad idea. It provides very little value. It drastically complicates the Internet. It bakes the worst part of TLS --- the static tree PKI --- into the core design of the Internet... and then gives the root of the tree to the US government. It's clunky, it uses antiquated crypto (its proponents have been trying to standardize it since 1995), and it leaks your private hostnames to the Internet.

    I can go on and on and on. Instead, here's some older posts I've written about it:

    https://news.ycombinator.com/item?id=5571937

    https://news.ycombinator.com/item?id=4071178

    https://news.ycombinator.com/item?id=2932378

  • by zdw on 1/24/14, 2:22 PM

    DNSSEC basically has all the problems of SSL registrars with almost no user-facing of the benefits - it's still a centralized system that could be overridden by a registrar hack or state level strong-arming, and very few end user systems support actually doing anything when DNSSEC signed records don't verify.

    If you think users are confused by SSL warnings now, how the heck would they understand similar errors at the DNS resolver level?

    Also, there's no-in flight encryption, so it offers no privacy benefit. It also aggravates DNS amplification attacks.

    The better technology to look into if you're concerned about individual user rights and privacy is DNSCurve: http://dnscurve.org

    It's not comparable to DNSSEC other than "It uses crypto with DNS" - they have entirely different goals, but the goals it solves are much more relevant to end users (privacy, forgery, etc.).

    Personally, I'd recommend people run both techs, as there's no technical reason that makes them incompatible.

    I have no idea how to solve the UI problems. We've had 15+ years of SSL and there's been almost no progress on that.

  • by Jgrubb on 1/24/14, 2:06 PM

    Can one of you knowledgable HNers tell me how I, as a dude who owns some domains and occasionally uses DNS to point them somewhere can get on board with this? Or is something that can only be implemented if you're hosting your own DNS?

  • by sanxiyn on 1/24/14, 2:12 PM

    It used to be possible to get HTTPS on Chrome, without warning, without getting certificates from CA, by using DNSSEC. Nobody used it so it was removed.

    https://www.imperialviolet.org/2011/06/16/dnssecchrome.html

  • by oliao on 1/24/14, 2:23 PM

    Does anybody know if it is the browser or the operating system that checks the validity of the dns records? Is it enabled on all clients?

  • by AndrewDucker on 1/24/14, 1:19 PM

    At some point can they mandate DNSSEC?