by caskance 3875 days ago
That's what it means to have a domain in Libya - you're subject to the jurisdiction of the officially recognized Libyan government. If you don't want to have to deal with the whims of a crazy dictator, don't register your business in his country.
2 comments

"DNSSEC: everything will be fine as long as everyone moves to domains in Bouvet Island's .BV. Brought to you by Cloudflare."
> The centre of the island is an ice-filled crater of an inactive volcano.

Sounds like a combination of the Fortress of Solitude and SPECTRE's volcano base.

.bv is a great TLD choice if you want to give many women visiting your website a subtle negative connotation.
And exactly what country is safe from the whims of politics? I was just reading about censorship in the Netherlands and other Euro states because of fear of offending religious people, especially Muslims. If the far left Europeans can't protect speech, then who can? DNSSEC just enables centralized government control on a level that's not needed. DNS is fine as-is. Domain authentication should be done via the transport layer like SSL. That's the way things are going now anyway.
Secure DNS allows a number of nice things that otherwise are a risk, such as trusting server SSH fingerprints without prompting on first use.
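The SSH use case mentioned above is the SSHFP record (RFC 4255): the zone publishes a hash of each host's public key, and a client with a DNSSEC-validating resolver can check a presented host key against it instead of asking the user to accept it blindly on first connection. The following is an added example, not code from the thread or from OpenSSH; it builds an SSHFP record from an OpenSSH public-key line and verifies a presented key against a record set. The Ed25519 key it uses is a constructed byte string, not a real server's key, and the record tuples stand in for what a validating resolver would return.

```python
"""SSHFP record generation and host-key verification (RFC 4255 / RFC 6594 / RFC 7479).

Added example; the host key below is a constructed Ed25519 blob, not a real key.
"""
import base64
import hashlib
import hmac
import struct

# Algorithm numbers from RFC 4255 (RSA, DSA), RFC 6594 (ECDSA) and RFC 7479 (Ed25519)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from an OpenSSH '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob's first length-prefixed string must repeat the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type mismatch inside blob")
    return key_type, blob


def fingerprint(blob, fptype):
    """Hex digest of the raw key blob; this is what the SSHFP RDATA carries."""
    return SSHFP_HASHES[fptype](blob).hexdigest()


def sshfp_record(line, fptype=2):
    """Return the (algorithm, fptype, fingerprint) triple for a public-key line."""
    key_type, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHMS[key_type], fptype, fingerprint(blob, fptype)


def verify_host_key(line, records):
    """True if the presented key matches any record in a (DNSSEC-validated) SSHFP set.

    records: iterable of (algorithm, fptype, hex_fingerprint). Records with an
    unknown fingerprint type or a different algorithm are skipped, not trusted.
    """
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS.get(key_type)
    for r_alg, r_fptype, r_fp in records:
        if r_alg != alg or r_fptype not in SSHFP_HASHES:
            continue
        if hmac.compare_digest(fingerprint(blob, r_fptype), r_fp.lower()):
            return True
    return False


def make_ed25519_pubkey_line(raw32, comment="constructed"):
    """Build an OpenSSH public-key line from 32 raw Ed25519 bytes (wire format: string, string)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key (not a real host key) and the record the zone would publish
CONSTRUCTED_KEY = make_ed25519_pubkey_line(bytes(range(32)))
PUBLISHED_RECORDS = [sshfp_record(CONSTRUCTED_KEY)]

if __name__ == "__main__":
    alg, fptype, fp = PUBLISHED_RECORDS[0]
    print(f"host.example. IN SSHFP {alg} {fptype} {fp}")
    print("presented key verifies:", verify_host_key(CONSTRUCTED_KEY, PUBLISHED_RECORDS))
```

In practice `ssh-keygen -r hostname` emits these records for a server, and the OpenSSH client consults them when `VerifyHostKeyDNS` is set; the point the commenter makes is that this only removes the first-use prompt when the resolver reports the answer as DNSSEC-validated, which is exactly where trust in the TLD operator enters.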
And to get that feature all you have to do is trust that the government that controls your TLD isn't going to fuck you.

Because it's not like the USG would ever tamper with the DNS to further a policy goal, right?

http://gizmodo.com/5936870/doj-seizes-domains-over-app-pirac...

even in the case of existing CA model+key pinning (at least before the key is pinned) you are still trusting the governments controlling the TLDs are not going to fuck you.

I'd rather trust a handful of ccTLD nation states than the nation states + everybody with access to a CA cert.

Also the idea that DNSSEC TLD keys cannot be rotated is pure FUD; the root key signing keys themselves cannot, but they were extremely careful there.

If tampering is detected, do you really think TLD keys are going to be left alone, and not regenerated and the process extremely closely scrutinized?

That's the trust that government always requires. Being on the internet doesn't change the fact that the point of government is a monopoly on authorized use of force. They can always just send men with guns to your office, DNSSEC or no.

If you don't trust your government not to abuse their power, that's not a problem that Cloudflare can help you with.

We're required to trust them for the DNS today. We aren't required to trust them for TLS keys. But DNSSEC/DANE formally and irrevocably gives them that authority.
They already have the ability. Since that can't be revoked, might as well make it transparent and grant them the authority to match it.

It's certainly better than the current CA system.

So your excuse is that it's insecure but only to the government and you should be okay with systems insecure to the government? That's a sad state of affairs if that's where the security community is.
It's not. The "security community" does not generally support DNSSEC. Most people in the security community don't think about DNSSEC, or DNS security, at all.

DNSSEC is being driven by three forces today:

1. The IETF, which has been working on it for 21+ years and has for the last 10 expressed continuing and increasing frustration that they can't just get the damn thing deployed.

2. The US Government, which is mandating its deployment in some circumstances.

3. CDN services like Cloudflare, who are interested in an Internet where standing up a server presence involves technology so complicated that almost nobody will DIY it. See: what happened with SMTP mail.

The security community is not in any one place.

The only thing even theoretically secure to a government is another government, and reality almost always falls short of that. That has nothing to do with technology, just politics.

So your entire argument against DNSSEC is that the US Government seized the domains of known "pirated" software distribution sites?
The nice thing about DNSSEC and the ccTLDs is that you can pick what country you trust. So you can get a domain in a country that is compatible with what you are trying to do.

Of course, with domain validated SSL certificates, you also have to trust DNS completely, because anyone who controls your domain can get a cert for that domain.

I hear this a lot too and it blows my mind. How is it a nice thing about DNSSEC that your choice of domain names will have a major impact on your security? That seems like a straightforwardly bad thing.
That's a good thing. Because the same applies to just about anything else. Where your servers are, who announces your IP space. Or outside the internet, where you are living, where your company is registered, where you do business.

The current CA system is the odd one out. Any CA in any country can create a cert for your domain that is recognized everywhere.