
Fedora 21 To Have DNSSEC Validation Enabled By Default - danyork
http://www.internetsociety.org/deploy360/blog/2014/05/fedora-21-to-have-dnssec-validation-enabled-by-default/
======
tptacek
DNSSEC. Take everything you don't like about the CA system. Sign it over to
the government, because everyone knows they'll never manipulate the DNS to
accomplish a policy goal. Then bake it, along with 1990s-era RSA cryptography,
into the core of the Internet.

Thanks, Fedora.

~~~
axaxs
I'm not sure I follow your comment. How do you see DNSSEC as signing anything
over to the government? The point of DNSSEC was/is solely to prevent cache
poisoning by "chaining" answers from root to auth with signatures. It only
proves the answer provided is correct by DNS means. It does not attempt to
guarantee authenticity of a destination. Also, DNSSEC supports multiple
algorithms, including ECDSA, though RSA is the most widely used at the moment.
Is it perfect? Of course not. But it's out there now, and it works for what it
was designed for.

~~~
tptacek
The roots of the DNS tree are controlled by world governments. The roots of
the DNSSEC PKI are the roots of the DNS tree. And, no, the point of DNSSEC
isn't solely to prevent cache poisoning; in fact, the motivating use case for
DNSSEC in 2014 is DANE, which replaces the CA hierarchy with DNSSEC.

~~~
kijeda
It would be useful to put forward a single credible scenario where "world"
governments can use the DNS root private key in any fashion without detection.
It is impossible to have a reasoned debate about DNSSEC with straw men like
this.

~~~
tptacek
Are you familiar with the CAP theorem, or do you believe that it's impossible
for one query to a globally distributed database to get a different answer for
the same question than every other query?

Every time someone tells me that DNSSEC tampering would be "detectable", it
always seems premised on the idea that everyone sees the same data. Of course,
attackers will isolate their targets and attack them surgically.

What's worse, none of what you're talking about is cryptographic. This is
protection by dint of being lucky enough to be on the right part of the
network to be hard to attack. No sound cryptosystem works like that.
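
The chain-of-trust mechanism axaxs describes above (answers chained from the root down to the authoritative zone, each step signed) and the point tptacek raises about the root of that chain, worked through as an added example. This is not code from the thread, from Fedora or from Unbound: it models zones, DNSKEY and DS records and a validator with a single trust anchor; textbook RSA on small, unpadded keys stands in for the real RRSIG algorithms, and every name, key and address in it is constructed. It shows what such a validator does and does not check: a forged answer or a substituted zone key is rejected because it does not chain to the anchor, while a second chain signed down from the root key validates exactly like the genuine one.

```python
"""Toy DNSSEC chain-of-trust validator: an added example, not code from the
thread, Fedora or Unbound.  Each zone has one key, the parent publishes a DS
(SHA-256 of the child's DNSKEY), and the validator walks from a trust anchor
(the DS of the root key) down to the answer.  Textbook RSA, unpadded and small,
stands in for real RRSIG algorithms; all names and addresses are constructed."""
import hashlib
import random

# ---- toy RSA (Fermat-tested primes, no padding; never use as real crypto) --
def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11)):
            return c
def keygen(bits=512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(key, data): return pow(_digest(data), key["d"], key["n"])
def verify(pub, data, sig): return pow(sig, pub["e"], pub["n"]) == _digest(data)

# ---- zones and signed records ---------------------------------------------
def encode_key(key): return f"{key['e']}:{key['n']}"             # DNSKEY rdata
def decode_key(s): e, n = map(int, s.split(":")); return {"e": e, "n": n}
def ds_of(dnskey_rdata): return hashlib.sha256(dnskey_rdata.encode()).hexdigest()
def _wire(owner, rtype, rdata): return f"{owner} {rtype} {rdata}".encode()

class Zone:
    def __init__(self, name, parent=None, key=None):
        self.name, self.key, self.rrsets = name, key or keygen(), {}
        self.add(name, "DNSKEY", encode_key(self.key))
        if parent is not None:                    # parent signs DS = hash(child key)
            parent.add(name, "DS", ds_of(encode_key(self.key)))
    def add(self, owner, rtype, rdata):           # every RRset carries an RRSIG
        self.rrsets[(owner, rtype)] = {"owner": owner, "type": rtype, "rdata": rdata,
            "signer": self.name, "rrsig": sign(self.key, _wire(owner, rtype, rdata))}

def make_lookup(*zones):
    """Untrusted resolver cache: hands back whichever zone holds the record."""
    def lookup(owner, rtype):
        for z in zones:
            if (owner, rtype) in z.rrsets:
                return z.rrsets[(owner, rtype)]
        raise ValueError(f"no record for {owner} {rtype}")
    return lookup

# ---- validator -------------------------------------------------------------
def _parent_of(zone):                             # toy: every label is a zone cut
    return "." if zone.count(".") == 1 else zone.split(".", 1)[1]
def _check_sig(pub, rr):
    if not verify(pub, _wire(rr["owner"], rr["type"], rr["rdata"]), rr["rrsig"]):
        raise ValueError(f"bad RRSIG on {rr['owner']} {rr['type']}")

def trusted_key(lookup, anchor_ds, zone):
    """Return the zone's DNSKEY only if it chains, DS by DS, up to the anchor."""
    key_rr = lookup(zone, "DNSKEY")
    if zone == ".":
        expected_ds = anchor_ds
    else:                                         # the DS lives in, and is signed by, the parent
        ds_rr = lookup(zone, "DS")
        _check_sig(trusted_key(lookup, anchor_ds, _parent_of(zone)), ds_rr)
        expected_ds = ds_rr["rdata"]
    if ds_of(key_rr["rdata"]) != expected_ds:
        raise ValueError(f"DNSKEY of {zone} does not match the DS above it")
    pub = decode_key(key_rr["rdata"])
    _check_sig(pub, key_rr)
    return pub

def validate(lookup, anchor_ds, owner, rtype):
    rr = lookup(owner, rtype)
    _check_sig(trusted_key(lookup, anchor_ds, rr["signer"]), rr)
    return rr["rdata"]

def demo():
    root = Zone("."); org = Zone("org.", root); example = Zone("example.org.", org)
    example.add("www.example.org.", "A", "192.0.2.10")         # constructed data
    anchor = ds_of(encode_key(root.key))                         # the validator's root.key
    genuine = make_lookup(root, org, example)
    def outcome(lookup):
        try:
            return validate(lookup, anchor, "www.example.org.", "A")
        except ValueError as err:
            return f"REJECTED: {err}"
    # 1. cache poisoning: forged A rdata no longer matches the RRSIG
    poisoned = lambda o, t: (dict(genuine(o, t), rdata="198.51.100.99")
                             if (o, t) == ("www.example.org.", "A") else genuine(o, t))
    # 2. attacker re-signs with a key of their own: org. never published a DS for it
    rogue = Zone("example.org."); rogue.add("www.example.org.", "A", "198.51.100.99")
    # 3. whoever holds the root private key can mint a second chain that validates
    #    just as well; served to one target only, nothing cryptographic reveals it
    alt_root = Zone(".", key=root.key); alt_org = Zone("org.", alt_root)
    alt_ex = Zone("example.org.", alt_org); alt_ex.add("www.example.org.", "A", "198.51.100.99")
    return {"genuine": outcome(genuine), "poisoned": outcome(poisoned),
            "rogue_key": outcome(make_lookup(root, org, rogue)),
            "root_key_alt_chain": outcome(make_lookup(alt_root, alt_org, alt_ex))}
```

Running `demo()` gives the four outcomes: the genuine chain yields 192.0.2.10, the poisoned cache and the rogue key are rejected (bad RRSIG, and a DNSKEY that matches no published DS), and the alternate chain signed with the root key yields 198.51.100.99 with no error at all. Everything the validator trusts descends from the one anchor it was configured with, which is the property both sides of the thread are arguing about.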

------
floatboth
FreeBSD 10 ships with Unbound in the base system too... Sadly, it's not
enabled by default, but a lot of people enable it for performance (caching)
and they get security for free.

# sysrc local_unbound_enable=YES
# service local_unbound start

------
wtallis
CeroWrt picked up the DNSSEC-enabled version of dnsmasq as soon as it was
released, and it's been a huge hassle even among that small and technically
capable userbase. Fedora has done more to try to make it usable (detecting
captive portals, etc.), but there are simply too many broken networks and DNS
servers out there for DNSSEC to be used to do anything more strict than
putting a red flag in the browser's URL bar.

