
DNSSEC KSK Rollover Postponed - tptacek
https://www.icann.org/news/announcement-2017-09-27-en
======
tptacek
Let's just be clear:

The IETF fervently requests that you enroll your domain names in their DNSSEC
program. Doing so will provide your users with essentially no security
improvements, even at the margin, that they wouldn't get from simply using
LetsEncrypt.

At the same time, once enrolled, the weird little pockets of the Internet that
actually look for DNSSEC records when they do DNS lookups will instantly
become susceptible to forgetting that your domain exists entirely if any
misconfiguration occurs. That's not a hypothetical concern: the week HBO
launched HBO Now, their cord-cutting all-online streaming service, it vanished
for Comcast users whose DNS servers at the time enforced DNSSEC.

Now, faced with the requirement to perform what needs to be a totally routine
management operation for the DNSSEC PKI --- periodically rotating keys ---
ICANN is _postponing for months_ because ISPs can't reliably handle the
rollover. DNSSEC usage is growing every day, the DNSSEC advocates say. Huge
portions of the Internet now resolve DNSSEC records. But if ICANN tries to
rotate keys, the whole system will break.

The reality is that if the root DNSSEC private keys were leaked to Pastebin
today, not a single mainstream site on the Internet would be jeopardized. To a
first approximation, _nobody on the Internet relies on DNSSEC_. TLS was
designed to assume the DNS was insecure. No browser implements DNSSEC. Your
operating system --- thankfully --- probably won't disappear sites based on
DNSSEC misconfigurations, or, for that matter, check DNSSEC at all.

DNSSEC is 1990s crypto. Every new DNSSEC resolver that gets deployed makes it
that much harder to eventually deploy modern cryptography to solve real
security problems in the DNS, whatever they may be. Enough is enough! Kill
DNSSEC and go back to the drawing board.

~~~
TorKlingberg
Forgive an uninformed comment, but isn't DNSSEC the only viable route away
from globally trusted CAs? And the CA model is just fundamentally wrong in
many ways (still better than nothing or trust on first use though).

~~~
pornel
DNSSEC has a CA-like trust model.

It's only a route to the same thing, but with weaker crypto, no Certificate
Transparency, and no ability to distrust bad actors (distrusting Symantec's
Verisign CA is feasible, but dropping Verisign's `.com` is not).

~~~
andrius4669
>DNSSEC has a CA-like trust model.

Not really.

You cannot get the .tk operator to sign a .jp domain (unless they're both
controlled by the same authority, which usually isn't the case).

~~~
tptacek
Who cares? The majority of commercially important domain names live under
parts of the DNS hierarchy that are _de jure_ controlled by the Five Eyes
governments.

------
ifni
Obviously some resolvers are misconfigured and a depressingly large number of
production DNS servers around the internet will be running remarkably outdated
software that couldn't handle the KSK rollover via the RFC 5011 method
properly (though how many of these actually have DNSSEC enabled is an open
question). For example, I've heard of resolvers breaking because they
mishandled the transition and replaced KSK-2010 with KSK-2017 as soon as they
got it.

I saw the postponement late last night, and my immediate but completely
untested pet theory is that the reason they're getting so many 'broken'
resolvers running such new software (RFC 8145 was published in April 2017,
unbound 1.6.4 was released June 27, 2017) is short-lived container instances
that only have the old root trust anchor reporting in before they've had a
chance to obtain the new KSK - if they even stay up long enough to get it.

From the root-dnssec-announce mailing list, it sounds like more information is
due Friday:

"Duane Wessels started the research on this and has done a great job. He's
presenting it at DNS-OARC in San Jose on Friday."
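
Added example (not part of the thread or of any project's code): one way an operator could read RFC 8145 trust-anchor signals out of a query log to spot the two resolver states ifni describes, those still reporting only KSK-2010 and those that dropped it for KSK-2017 too early. The log format and addresses are constructed; the key tags 19036 and 20326 are the published tags of KSK-2010 and KSK-2017 and do not appear in the thread.

```python
import re

# Published key tags of the two root KSKs (not stated in the thread itself).
KSK_2010 = 19036  # 0x4a5c
KSK_2017 = 20326  # 0x4f66

# RFC 8145 signal: QTYPE NULL, QNAME "_ta-" + hyphen-separated 4-hex-digit key tags.
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.IGNORECASE)

# Constructed sample in an assumed "<time> <source> <qname> <qtype>" format.
SAMPLE_LOG = [
    "2017-09-20T10:00:00Z 192.0.2.10 _ta-4a5c. NULL",
    "2017-09-20T10:00:05Z 192.0.2.20 _ta-4a5c-4f66. NULL",
    "2017-09-20T10:01:00Z 198.51.100.7 www.example.com. A",
    "2017-09-21T10:00:00Z 192.0.2.10 _ta-4a5c-4f66. NULL",
    "2017-09-21T10:00:09Z 192.0.2.30 _ta-4a5c. NULL",
    "2017-09-21T10:00:12Z 192.0.2.40 _ta-4f66. NULL",
]

def parse_key_tags(qname):
    """Return the set of key tags signalled by qname, or None if it is not a signal."""
    match = TA_QNAME.match(qname)
    if match is None:
        return None
    return {int(tag, 16) for tag in match.group(1).split("-")}

def classify(tags):
    """Name the trust-anchor state a set of signalled key tags represents."""
    old, new = KSK_2010 in tags, KSK_2017 in tags
    if old and new:
        return "both"       # new key accepted, old key still trusted
    if old:
        return "old-only"   # never picked up KSK-2017; breaks once the root rolls
    if new:
        return "new-only"   # dropped KSK-2010 early, the breakage mentioned above
    return "other"

def classify_sources(log_lines):
    """Return {source: state} from each source's latest signal (lines in time order)."""
    states = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] != "NULL":
            continue  # not a trust-anchor signal query
        tags = parse_key_tags(fields[2])
        if tags is not None:
            states[fields[1]] = classify(tags)
    return states

if __name__ == "__main__":
    for source, state in sorted(classify_sources(SAMPLE_LOG).items()):
        print(source, state)
```

A source that only ever shows up as "old-only" and then disappears fits the short-lived-instance theory above; one that moves from "old-only" to "both" is a normal RFC 5011 transition.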

~~~
dogecoinbase
I'm looking forward to the talk on Friday (and the easy conversation starter
at NANOG... we can't keep talking about dying clock silicon forever)... but I
absolutely agree with tptacek on this one, DNSSEC is worse than useless
(solves no actual security problems; introduces many new problems; absurdly
complex and poorly implemented across the board), and this doesn't help the
optics one bit. I've gotten myself down to one DNSSEC zone I have to run (a
.gov, lord help us all) and have been trying to get the resign going since the
new key became available with literally zero forward movement. Lots of fun.

(Aside: this was submitted previously but got no traction:
[https://news.ycombinator.com/item?id=15362516](https://news.ycombinator.com/item?id=15362516)
Is this the dupe-detector-avoider in action?)

~~~
kuschku
So, how do you suggest to replace DNSSEC then, assuming that your enemy is a
nation state intercepting your DNS queries and responding with NSA QUANTUM
before the legitimate server does?

~~~
wglb
Replace it with nothing.

~~~
kuschku
Great, then my entire TLS setup is useless, and I can just use plaintext HTTP.

The whole point is that at least CAs enforce DNSSEC, so no one can get a
certificate for my site except for me.

------
snakeanus
Mandatory: [https://moxie.org/blog/ssl-and-the-future-of-authenticity/](https://moxie.org/blog/ssl-and-the-future-of-authenticity/)

