Skimming this article, I couldn't tell if it was about DNSSEC or not. But if these are DNSSEC keys, you can safely ignore this story; DNSSEC is a sideshow. It's hopefully never going to see widespread deployment, and regardless of whether it does, it isn't going to make a difference for your security.
I've written a bunch about DNSSEC on HN (and elsewhere) and won't preemptively repeat myself. You might consider just taking my word for this.
I recently had the occasion to attend a meeting of a body recommending standards for the Dutch government. (Serving) DNSSEC has been on their "use or explain"-list for well over a year (and the Netherlands apparently leads worldwide DNSSEC adoption.) At the meeting, the other attendees expressed their sincere regret that the DANE proposal, although a great idea, was still too immature.
As you probably know, DANE says that you "MUST" implement "trust this certificate, no matter what any CA says" over DNSSEC; combined with the fact that DNSSEC servers usually hold the signing keys online (NSEC3), implementing DANE is significantly less secure than just trusting the CA's. In fact, the Netherlands put quite a bit of effort into a government PKI infrastructure after our previous CA (DigiNotar) got pwned; it's not clear that requiring e.g. municipal system administrators to handle their own cryptographic keys is an improvement over what we have now.
Which is to say, don't discount well-meaning public servants; "given enough thrust, pigs can (temporarily) reach 6% of cruising altitude." </snark> [1,2]
No, it doesn't. It means that a different set of huge organizations, this time explicitly including world governments, will get added to the list of CA-equivalents.
Post-NSA-revelations, DNSSEC-based browser security is lunacy.
How did this article manage to not use the byte sequence 'DNSSEC' or mention the fact that it's only deployed on a tiny % of domains under TLDs that support it?
Reports like this just add to public misconception.
This comment provided me with more information than the entire article. Would you care to add more details on what the key cards are and what their power is (the article seems to be stuck on "can they shut down the internet?")
This is really one of the worst kinds of stories. It's just not true, and not only is it not true, it purports to cover DNSSEC as a technology that people RELY or NEED, when in fact, DNSSEC adoption never gained traction, and actually decreases every single day.
in the interests of transparency: parent's business (OpenDNS) will have severe problems operating (replacing legitimate responses with spoofed ones) when DNSSEC is adopted.
That's actually not true, not even a little bit. We've covered this before. When the resolver issues a query, we can disable the DS bit and disable DNSSEC for our customers. Alternatively, we can extend our DNSCrypt client to do validation and rejection of malicious responses.
DNSSEC doesn't add security, nor does it prevent our business from operating to the fullest extent.
You're playing the long game. If OS's end up locally verifying DNS responses then you're out of business.
On the other hand, DNSCrypt is utterly useless and worthless. Wow, my ISP can't see that I'm looking up "www.example.com", oh... but my ISP can see that I am connecting to x.x.x.x on port 443 and sending "www.example.com" in the SSL handshake because of SNI. So now, both my ISP and OpenDNS (double the third parties) can see that I'm connecting to www.example.com, even if I'm using HTTPS. How exactly is this supposed to help my privacy?
DNSSEC and DNSCrypt both attempt do completely different things. DNSSEC is much better at doing what it is trying to do (even though it's far from perfect) than DNSCrypt.
I am one of the biggest proponents of end-users running a full-blown resolver. I've been on the record on this point. Like the OP, it sounds like you really don't know what business we're in. Monetizing DNS with ads isn't our business, and it hasn't been for more than four years.
Peaked. And that probably includes the sysadmin who was required to watch it.
Where are the articles on the new ridiculous TLD's?
A while back the IP address for the FTP copy of the root.zone changed.
And sure enough, the file is now full of crap like .buzz, .house and .kitchen
I cannot even read through the whole zone anymore. It's too long.
There are some gems in there though. And some fool paid $185,000+ for each one.
I have been running my own root for years and this is why.
Snip, snip. No more .buzz
Very easy to set up up your own custom root and to filter out the crap TLD's. But, like with the ceremony in this article, some folks think that ICANN has some sort of "authority" on how people use domain names.
Whole .com zone (=public information) fits on a USB stick.
And the HOSTS file remains as a failsafe, if you have to use someone else's resolver.
And most of the entries in the com.zone are garbage anyway: parked names with ads.
Imagine how many different domains the average user will visit in their lifetime. It is but a small fraction of all the names registered.
1. Get copy of the file "root.zone" from ftp.internic.net
2. Load it into tinydns or nsd. I have a sed script that translates BIND format into tinydns format, but if you search you will find someone has written one in C.
3. Point your resolver at your root.
4. Create or delete TLD's at will, not to mention many other benefits.
Running your own DNS gives lots of control. Most malicious or deceptive practices that tarnish the internet rely on DNS. When you control your own, you can neutralize a very large percentage of it.
Redirecting .apple.com to your own httpd will show you just how bad this company has gotten.
You can also redirect ad servers like .doubleclick.net and voila, you will have free apps with NO ADS.
I'm not going to rant about how Apple products make gratuitous network connections to remote computers for questionable reasons. Nor the requests that many AppStore apps send out over the open internet without telling you, or how poor Apple's forced software has gotten in general.
That's why I've presented you with the experiment.
If you think you might care about such things, try it yourself and draw your own conclusions.
If you use iOS, you might need this, just to get on your own home LAN:
The Guardian's UK stylesheet calls for this treatment of acronyms that are pronounced as a word -- people say "Icann", not "Eye See Aye En En" -- which does seem odd but may be acceptable as a regionalism.
Some take the distinction further: only if it forms an actual word, like PATRIOT Act, is it an acronym. If it's pronounced but not a word, like NATO, it's an abbreviation.
Signing the key is the important part. Proving that the key was in fact created by the people it was supposed to be. (I think they key does have to be kept secure, which could be done by using a one time pad. Theoretically unbreakable.)
Indeed! And I'm not even thinking about the communication channel as much as...Verisign. Not picking on them, but it's just a single, US based organization.
I wish this story didn't read like a novel, and actually gave me the meat of the information more quickly. I feel like the way the author told the story diluted the importance of it.
I agree with you, it's way way way too long. And overly dramatic. I gave up reading pretty quickly.
However, judging by other comments here, I'm not sure there really was any "importance" to "dilute". It's probably just a way for apparatchiks to justify all-expense-paid vacations twice a year.
Internet security is pwned by organisations powerful enough to hack into CAs or simply buy one and run them as a covert operation impersonating any site they want by issuing certificates trusted by all web browsers. Internet security broken by design of centralization.
Thus if you have IP A you will get fake certificate generated by government owned CA, if you have IP B you will get to the real site. If you are IP A you will get pwned by MITM attack malware the site will look genuine to the browser.
The mitigation for the attack you outlined is that such attacks will be detected, and the CA will get blacklisted. That may not actually work in the real world.
In addition to everything else that's wrong with DNSSEC, using Shamir to share a digital signature key is a silly idea. Multisignature trust systems / threshold signatures provide the same functionality, but without having a single secret that has to live on one computer at a single time. While I know they did their due diligence to prevent the leak of the DNSSEC root key, it's a problem they could've easily avoided by using an incredibly boring design rather than a more "clever" one like Shamir. As things stand, there is actually one key that could completely destroy DNSSEC and require the thing be bootstrapped again from scratch.
"Once activated by the smartcards, this will produce a lengthy cryptographic code. If dropped, or even knocked too hard, the machine will self-destruct."
The first few paragraphs really overdramatize it. It makes it sound like the internet would completely cease to exist if something happened to the root DNS servers. It was so cheesy I just couldn't read anymore after that.
I've written a bunch about DNSSEC on HN (and elsewhere) and won't preemptively repeat myself. You might consider just taking my word for this.