DNSSEC Done Right - jgrahamc
https://blog.cloudflare.com/dnssec-done-right/

======
tptacek
I mean, I respect the effort, but at the risk of sounding dismissive: what's
the point?

Part of why DNSSEC hasn't been widely deployed is indeed because it's complex
to deploy (though its advocates vigorously contest that, and claim it's as
simple to deploy as TLS. Heh.) Cloudflare seems to have done a great job of
solving that problem.

But there are other reasons why DNSSEC isn't deployed:

* We don't need the DNS to be secure to solve real security problems any more than we need to authenticate IPv4 header options. TLS assumes the DNS is insecure and works anyways. Meanwhile: even email spammers can spoof connections at a level lower than DNS, by using BGP4 to reroute the IP addresses DNS points to.

* DNSSEC exacerbates Internet trust issues. It's a rigidly centralized system whose roots are dominated by world governments, a tree whose most important branches are controlled (literally) by NSA and GCHQ.

* It's interesting, and a demonstration of skillful engineering, that Cloudflare can use DNSSEC ECDSA to reduce response sizes. But the roots of the tree still use RSA; the tree is still littered with insecure 1024 bit keys. Moreover, the ECC variant Cloudflare uses is itself outmoded, and experts suggest it would be optimistic to see it replaced within 10 years.

* Cloudflare might make it easier for organizations to flip the switch for the domains, but they can't solve the software adoption problems of DNSSEC. DNSSEC breaks lookups, adding a bunch of new failure cases nobody is prepared to solve. For instance, every piece of software affected by the GHOST vulnerability is using an API that can't communicate DNSSEC resolution success or failure.

* The most important application on the Internet is, obviously, HTTP via web browsers. And web browsers are not adopting DNSSEC. Browser teams at Google and Mozilla have both declared their efforts kaput. Apple removed their DNSSEC code from the most recent update of the OS. End-users are vulnerable to exactly the same kinds of attacks before and after DNSSEC deployment.

I see how adoption of DNSSEC helps Cloudflare: it's yet another reason you'd
outsource the operation of your Internet presence. That's not a sinister
motive, but it also shouldn't be an animating motive behind an unnecessary and
harmful forklift update of Internet infrastructure.

When I got started, in my first "real" job, you could set up the
infrastructure for mailing lists on a FreeBSD 486 and be off to the races.
Today, getting a mailing list running is such a nightmare of deliverability
hacks and monitoring that most people (sensibly) give up and delegate the task
to things like Mailchimp and Mailgun. More companies than not are hesitant to
even host their own internal mail. Are we meant to be happy at the prospect of
the same thing happening for DNS?

~~~
yuhong
I hope that CloudFlare at least can support DNSCurve too.

