by tptacek 4490 days ago
Skimming this article, I couldn't tell if it was about DNSSEC or not. But if these are DNSSEC keys, you can safely ignore this story; DNSSEC is a sideshow. It's hopefully never going to see widespread deployment, and regardless of whether it does, it isn't going to make a difference for your security.

I've written a bunch about DNSSEC on HN (and elsewhere) and won't preemptively repeat myself. You might consider just taking my word for this.


Yes, the author is apparently writing about "Root DNSSEC KSK Ceremony 16":

http://data.iana.org/ksk-ceremony/16/KC16_Scripts.pdf

The author has been fooled into writing a dramatic story about a total nonevent.

s/fooled/paid/

Also, this is how non-events try to gain "importance".

> DNSSEC is a sideshow.

I recently had the occasion to attend a meeting of a body recommending standards for the Dutch government. (Serving) DNSSEC has been on their "use or explain"-list for well over a year (and the Netherlands apparently leads worldwide DNSSEC adoption.) At the meeting, the other attendees expressed their sincere regret that the DANE proposal, although a great idea, was still too immature.

As you probably know, DANE says that you "MUST" implement "trust this certificate, no matter what any CA says" over DNSSEC; combined with the fact that DNSSEC servers usually hold the signing keys online (NSEC3), implementing DANE is significantly less secure than just trusting the CAs. In fact, the Netherlands put quite a bit of effort into a government PKI infrastructure after our previous CA (DigiNotar) got pwned; it's not clear that requiring e.g. municipal system administrators to handle their own cryptographic keys is an improvement over what we have now.

Which is to say, don't discount well-meaning public servants; "given enough thrust, pigs can (temporarily) reach 6% of cruising altitude." </snark> [1,2]

[1] https://tools.ietf.org/html/rfc1925

[2] http://www.networkworld.com/news/2012/092412-ipv6-traffic-26...

Doesn't it mean we can do CA-free authenticated HTTPS? That would make it useful for me.

No, it doesn't. It means that a different set of huge organizations, this time explicitly including world governments, will get added to the list of CA-equivalents.

Post-NSA-revelations, DNSSEC-based browser security is lunacy.