back to article CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis

CloudFlare has rolled out Universal DNSSEC, despite widespread controversy alleging it would provide an excellent platform from which intelligence agencies could spy upon and intercept global internet traffic. Universal DNSSEC will be available to CloudFlare customers for free. The company announced that it will do "all the …

  1. Gordon 10 Silver badge

    All I want to know

    Is does DNSSEC offer any protection against the forthcoming Snoopers Charter mk3?

    I so I want it, if not then f*ck off and build something that offers end to end encryption of internet comms from DNS lookup onwards.

    1. John Robson Silver badge

      Re: All I want to know

      No - and it doesn't make you coffee either...

      It alows you to verify that the record you just got back from your query to was indeed signed by The Register, as authenticated by ".co" as authenticated by ".uk" as authenticated by the root.

      Given that you visit frequently you can also use a preload or triangulationto further verify that the cert chain hasn't been tampered with.

      You could of course add DNSCurve to secure the request/response to/from the DNS server you spoke to, but they probably keep logs anyway.

      There is no reason DNSSEC cannot be used with DNSCurve - and you can add preloads and triangulation, amongst other things to provide further verification [more importantly to increase the cost of an attack, since that is all we can ever really do]

      When diud you last clear out the 600+ certificate authorities in your browser?

      1. Anonymous Coward
        Anonymous Coward

        Re: All I want to know

        > as authenticated by ".co" as authenticated by ".uk"

        Remember this doesn't protect against a typo as I found out that some typo-squatting shitbag has somehow got registered when they are based in Nevada with some dodgy nob-end here as their UK agent with the other question about how Nominet let them do that when it is so completely blatant. Is there no required "validity of claim" process that should have kicked in at least at some point in the last year or so since they registered? Why is a non-UK corporation (this is their "registrant type" as listed) allowed to register something within the top-level .uk space?

    2. PyLETS
      Big Brother

      Re: All I want to know

      It doesn't offer any protection against the proposed snoopers charter directly. However, once sufficiently widely adopted, it enables developing more widely used cryptography (e.g. for email contents and addresses) based on a better chain of trust than the current CA system. Under the CA COT, any one bad CA out of several hundred can compromise any domain. Under the DNSSEC COT, those in a position to compromise your chain of trust is likely to be exposed (by signing collectable and provably false statements about any lower-level key they compromise), and held to account in connection with this proof resulting in massive reputation damage. Another advantage of the DNSSEC COT is you can choose whichever top level domain or registrar you do trust to verify your identity and keys, by establishing your identity within their namespace.

      Obviously anyone concerned about this should manage their own private keys themselves - the DNSSEC or CA COT are concerned about how other parties verify the identity associated with these keys. Those without the technical capacity to do so are likely to pick a trusted provider to do this for them.

  2. John Robson Silver badge

    DNSSEC does provide a decent chain of trust though - you can see who you are trusting in the URL, no need to check that the cert isn't issued by a dodgy elbonian authority.

    It could also allow a sideband transfer of HTTPS certs, allowing those certificate chains to be combined into one, easily visible chain of trust.

  3. banalyzer

    Trust is supposed to be a two way street

    A visible chain of trust is all very well, but is it possible to trust any US corporation if your not a US citizen?

    The very fact that these keys will be in the US to begin with is potentially damaging in and of itself with the current issues that are unfolding.

    1. Charles 9 Silver badge

      Re: Trust is supposed to be a two way street

      Well then, you better get off the Internet, because that level of paranoia approaches Don't Trust Anyone, and since trust is required to perform any real communications...

      1. John Robson Silver badge

        Re: Trust is supposed to be a two way street

        That's why there is LAV (Look Aside Validation) - so you can have alternative checks of the key's validity.

        It's a bit like saying that IPv6 hasn't been fully deployed so we shouldn't bother

  4. Anonymous Coward
    Anonymous Coward

    Root-signing ceremony

    That sounds a bit masonic. Does it involve pigs?

    1. Martin Summers

      Re: Root-signing ceremony

      No we use goats thank you very much. Or so we tell initiates anyway.

  5. asdfasdfasdfasdf

    Publicly visible database

    Because DNS is publicly visible and has ttl caching, it is reasonably easy to spot someone hijacking. Also anyone can run DNSSEC, you don't need to trust the root authorities (although who you'd rather trust is an interesting question)...

    In any case, at least there is only one DNSSEC chain, you won't get someone "accidentally" signing a certificate for or *. If all else fails, why not do what you do at the moment ***and*** use DNSSEC?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like