14 DNS Nerds Don't Control the Internet

27 October 2016

Welcome to the sacred order of the Stonecutters, number 908.




You’re reading this page because you’ve suggested that “14 people control the
Internet through the DNSSEC root keys”. If you’re unlucky, you might be a
journalist preparing a story about those people. Stop!

DNSSEC doesn’t do anything. Dramatic ceremonies notwithstanding, if the secret
DNSSEC keys leaked on Pastebin tomorrow, it’s unlikely that anything would
break.

Practically all commerce on the Internet happens without DNSSEC. Web browsers
don’t support it, or DANE, the DNSSEC-based replacement for certificate
authorities. Most DNS domains don’t either. If you log in to your online banking
and wire money to Transnistria, no DNSSEC will happen.

Maybe you have a source suggesting otherwise. Ask them to be specific. For
instance: of the 5 largest US banks, which of them are enrolled in DNSSEC? After
reading this, I’ll bet you can guess the answer. Are the banks just stupid? No:
they have some of the best security teams in the world, and they think DNSSEC is
a bad idea.

Isn’t it a big deal that the Internet’s DNS lookups are protected? Nope. The
architects of the web’s security protocols assumed that the DNS would be
insecure. When technologists discuss “certificates” and “certificate
authorities” (and “HSTS” and “HPKP”, and I can go on but I won’t), they’re
talking about cryptography built to work around the insecure DNS. The Internet
works fine without DNSSEC.

Of course, this pretty much has to be true. .COM didn’t support DNSSEC until
Spring 2011. Global commerce migrated online many years before that. If DNSSEC
is so important, how did this stuff work before 2011?

If DNSSEC is so pointless, why do people care about it so much?

A funny thing happened between 1994 and 2011, while the IETF worked furiously to
design DNSSEC: we figured out how to secure the Internet without securing the
DNS. The market moved faster than the standard, and the standard was left
struggling for a reason to exist. Hundreds of people have invested their
reputations in DNSSEC and are loath to see it fail. That’s unfortunate. But
it’s also one of the oldest stories in technology standards.

There’s a real story in DNSSEC, but it’s not a happy one. To justify DNSSEC,
standards groups hatched a plan to move the web’s security certificates into the
DNS. With a secure DNS, the logic went, we’d no longer need to pay certificate
authorities for SSL certificates. This scheme is called DANE.

DANE gives the power to create security certificates to whoever controls the
DNS. The cryptographic keys in those certificates are an obstacle to
government-sponsored dragnet surveillance. With DANE, guess who controls the
certificates? Had DANE been deployed while he was alive, Muammar Gaddafi would
have controlled the keys for BIT.LY. For GOOGLE.COM and APPLE.COM, that’d be the
United States Government.

DNSSEC is the world’s most ambitious key escrow scheme: a backdoor that hands
over control of Internet cryptography to world governments. Thankfully, it’s
also a total market failure. We should hope it stays that way.
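To make the DANE argument above concrete, here is an added example (not code from the post or from any DANE implementation) of the RFC 6698 TLSA matching rule for certificate usage 3, DANE-EE. The field meanings (usage, selector, matching type) are the real ones from the RFC; the "certificates" are constructed placeholder byte strings standing in for DER, and the helper names are my own. The point it demonstrates is the one the post makes: under DANE-EE the only input to the trust decision besides the presented certificate is a record that lives in the DNS zone, so whoever can write that zone decides which certificate is valid. No certificate authority appears anywhere in the check.

```python
import hashlib

# TLSA field values from RFC 6698 (real constants, not constructed):
#   certificate usage 3 = DANE-EE: the record alone names the end-entity
#       certificate; no CA chain is consulted
#   selector 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
#   matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
USAGE_DANE_EE = 3

# Constructed stand-ins for DER-encoded certificates and SPKIs. Real DANE
# hashes the DER bytes; the matching logic is identical for these placeholders.
OPERATOR_CERT = b"constructed-cert: issued to the site operator"
OPERATOR_SPKI = b"constructed-spki: site operator public key"
ZONE_OWNER_CERT = b"constructed-cert: minted by whoever controls the zone"
ZONE_OWNER_SPKI = b"constructed-spki: zone owner public key"


def parse_tlsa(rr: str):
    """Parse a TLSA record in presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rr.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def _digest(subject: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type to the selected certificate bytes."""
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rr: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Decide whether a presented certificate is accepted under a DANE-EE TLSA record.

    This is the entire trust decision: the only input besides the certificate
    is the record that came out of the DNS zone. Whoever can write that zone,
    and have the parent zone sign it, decides which certificate is 'valid'.
    """
    usage, selector, mtype, assoc = parse_tlsa(rr)
    if usage != USAGE_DANE_EE:
        raise ValueError("this example only handles certificate usage 3 (DANE-EE)")
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    return _digest(subject, mtype) == assoc


def publish_tlsa_for(subject_der: bytes, selector: int = 0, mtype: int = 1) -> str:
    """What the zone controller publishes to make a certificate valid under DANE-EE.

    No CA signs anything: hashing the certificate (or its SPKI) and writing the
    hash into the zone as a _443._tcp.<host> TLSA record is the whole
    'issuance' step. subject_der is the full cert for selector 0 or the SPKI
    for selector 1.
    """
    return f"{USAGE_DANE_EE} {selector} {mtype} {_digest(subject_der, mtype).hex()}"


def who_is_trusted(rr: str) -> str:
    """Report which of the two constructed certificates the published record accepts."""
    if tlsa_matches(rr, OPERATOR_CERT, OPERATOR_SPKI):
        return "site operator"
    if tlsa_matches(rr, ZONE_OWNER_CERT, ZONE_OWNER_SPKI):
        return "zone owner"
    return "nobody"


if __name__ == "__main__":
    # Day one: the operator publishes a hash of its own certificate.
    honest = publish_tlsa_for(OPERATOR_CERT)
    print(honest, "->", who_is_trusted(honest))
    # The risk the post describes: whoever sits above the operator in the
    # zone (registrar, registry, the government behind the TLD) can publish a
    # record for a different certificate, and DANE-EE clients have nothing
    # else to check it against.
    swapped = publish_tlsa_for(ZONE_OWNER_CERT)
    print(swapped, "->", who_is_trusted(swapped))
```

Note what is absent from `tlsa_matches`: no trust store, no chain building, no revocation, no transparency log. That absence is the design, and it is why the post calls DANE a transfer of certificate control to whoever signs the zone.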


You can read more ominous DNSSEC nerdery here.


Copyright © 2017 Thomas & Erin Ptacek