When the guys at the IETF thought about securing DNS, they had an awesome idea: DNSSEC. Indeed, DNS needed to be hardened: it’s the most used and most vulnerable protocol on the Internet. Well, sort of.
So, they gathered and came up with this:
To secure DNS, let’s force normal domain owners to enter the wonderful world of asymmetric cryptography so they get their zones signed, and resolvers can check the zone against the signature.
The first part was already not trivial for normal people buying a domain name for their wedding photo album. Fortunately, most shared hosting providers also sell domain names, and these are pretty easy to configure. But that’s not always the case.
Signing was too trivial, and not secure enough, so they went a little further:
Hey, what if we asked people to re-sign their zones every 30 days or they won’t resolve at all? And indeed, for more security, re-signing should be done manually!
And you want that thing to spread fast and worldwide (with zones supporting cool IPv6 short-notation addresses)?
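The failure mode above (a signature lapses, validating resolvers start returning SERVFAIL for the whole zone) is easy to catch ahead of time by reading the expiration field of the zone's RRSIG records. The following is an added example, not code from the original post: it parses RRSIG records in their standard presentation format and flags signatures that are expired, not yet valid, or about to expire. The sample records, the zone name `example.test` and the 7-day warning threshold are constructed for the example.

```python
"""Check DNSSEC RRSIG validity windows so an operator notices before a zone goes dark.

Added example (not from the original post). Input is constructed sample data in
RRSIG presentation format: after the owner, TTL, class and RRSIG type come
type-covered, algorithm, labels, original TTL, then the two 14-digit UTC
timestamps for signature expiration and signature inception, the key tag,
the signer's name and the base64 signature.
"""
from datetime import datetime, timedelta, timezone

_TS_FMT = "%Y%m%d%H%M%S"


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in presentation format into its relevant fields."""
    parts = line.split()
    if len(parts) < 13 or parts[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": parts[0],
        "type_covered": parts[4],
        "expiration": datetime.strptime(parts[8], _TS_FMT).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(parts[9], _TS_FMT).replace(tzinfo=timezone.utc),
        "key_tag": int(parts[10]),
        "signer": parts[11],
    }


def signature_status(rrsig: dict, now: datetime, warn_days: int = 7) -> str:
    """Classify a signature relative to `now`: expired, not_yet_valid, expiring or ok."""
    if now > rrsig["expiration"]:
        return "expired"          # resolvers will refuse this RRset: zone is effectively down
    if now < rrsig["inception"]:
        return "not_yet_valid"    # usually a clock problem on the signing host
    if rrsig["expiration"] - now <= timedelta(days=warn_days):
        return "expiring"         # re-sign (or fix the automation) before it lapses
    return "ok"


def check_zone(lines, now: datetime, warn_days: int = 7) -> dict:
    """Map (owner, type covered) to the status of its signature."""
    return {(r["owner"], r["type_covered"]): signature_status(r, now, warn_days)
            for r in map(parse_rrsig, lines)}


# Constructed sample: two signatures from a hypothetical zone, dummy signature bytes.
SAMPLE_RRSIGS = [
    "example.test. 3600 IN RRSIG A 13 2 3600 20240601000000 20240502000000 12345 example.test. c29tZXNpZw==",
    "example.test. 3600 IN RRSIG SOA 13 2 3600 20240510000000 20240410000000 12345 example.test. c29tZXNpZw==",
]

if __name__ == "__main__":
    for key, status in check_zone(SAMPLE_RRSIGS, datetime(2024, 5, 8, tzinfo=timezone.utc)).items():
        print(key, status)
```

In practice the same check is run against the live answers from `dig +dnssec`, so it fires whether the zone is re-signed by hand or by a cron job that quietly stopped working.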