All I want to know
Does DNSSEC offer any protection against the forthcoming Snoopers Charter mk3?
If so I want it; if not, then f*ck off and build something that offers end to end encryption of internet comms from DNS lookup onwards.
CloudFlare has rolled out Universal DNSSEC, despite widespread controversy alleging it would provide an excellent platform from which intelligence agencies could spy upon and intercept global internet traffic. Universal DNSSEC will be available to CloudFlare customers for free. The company announced that it will do "all the …
No - and it doesn't make you coffee either...
It allows you to verify that the record you just got back from your query to theregister.co.uk was indeed signed by The Register, as authenticated by ".co" as authenticated by ".uk" as authenticated by the root.
Given that you visit frequently you can also use a preload or triangulation to further verify that the cert chain hasn't been tampered with.
You could of course add DNSCurve to secure the request/response to/from the DNS server you spoke to, but they probably keep logs anyway.
There is no reason DNSSEC cannot be used with DNSCurve - and you can add preloads and triangulation, amongst other things to provide further verification [more importantly to increase the cost of an attack, since that is all we can ever really do]
When did you last clear out the 600+ certificate authorities in your browser?
> as authenticated by ".co" as authenticated by ".uk"
Remember this doesn't protect against a typo, as I found out: some typo-squatting shitbag has somehow got xo.uk registered when they are based in Nevada, with some dodgy nob-end here as their UK agent, which raises the other question of how Nominet let them do that when it is so completely blatant. Is there no required "validity of claim" process that should have kicked in at least at some point in the last year or so since they registered? Why is a non-UK corporation (this is their "registrant type" as listed) allowed to register something within the top-level .uk space?
It doesn't offer any protection against the proposed snoopers charter directly. However, once sufficiently widely adopted, it enables developing more widely used cryptography (e.g. for email contents and addresses) based on a better chain of trust than the current CA system. Under the CA COT, any one bad CA out of several hundred can compromise any domain. Under the DNSSEC COT, those in a position to compromise your chain of trust are likely to be exposed (by signing collectable and provably false statements about any lower-level key they compromise), and held to account in connection with this proof, resulting in massive reputation damage. Another advantage of the DNSSEC COT is you can choose whichever top level domain or registrar you do trust to verify your identity and keys, by establishing your identity within their namespace.
Obviously anyone concerned about this should manage their own private keys themselves - the DNSSEC or CA COT are concerned about how other parties verify the identity associated with these keys. Those without the technical capacity to do so are likely to pick a trusted provider to do this for them.
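As an added example (not code from this thread, from The Register, or from any DNS software), the Go program below models the chain of trust that the earlier reply describes (record signed by the zone, vouched for by its parent, up to the root) and the point made just above about compromise being provable. It assumes Ed25519 keys (DNSSEC algorithm 15), zone cuts of root, uk. and theregister.co.uk. (the real delegation layout is not taken from the thread), and constructed IP addresses; the canonical form and DS digest are simplified stand-ins for RFC 4034/4035 encodings, not a wire-format implementation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone models one signed zone with a single key-signing key (Ed25519, DNSSEC alg 15).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Record is an RR together with its RRSIG: the zone that signed it and the signature.
type Record struct {
	Owner, Type string
	Rdata       []byte
	Signer      string
	Sig         []byte
}

// Link is one step of the chain: a zone's self-signed DNSKEY and the DS record for
// that zone as signed by its parent (absent for the root, which the trust anchor covers).
type Link struct {
	DNSKEY Record
	DS     Record
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: strings.ToLower(name), Pub: pub, priv: priv}
}

// canonical is the byte string actually signed (simplified stand-in for RFC 4034 form).
func canonical(owner, typ string, rdata []byte) []byte {
	return append([]byte(strings.ToLower(owner)+"|"+typ+"|"), rdata...)
}

func (z *Zone) Sign(owner, typ string, rdata []byte) Record {
	return Record{owner, typ, rdata, z.Name, ed25519.Sign(z.priv, canonical(owner, typ, rdata))}
}

// DSDigest is what a parent publishes for a child: a hash binding the child's name to its key.
func DSDigest(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(strings.ToLower(child)+"|"), pub...))
	return h[:]
}

func verify(pub ed25519.PublicKey, r Record) bool {
	return ed25519.Verify(pub, canonical(r.Owner, r.Type, r.Rdata), r.Sig)
}

// Validate does what a validating resolver does: start at the trust anchor (digest of
// the root key), check each DNSKEY against the DS its parent signed, then check the
// leaf record under the last zone's key. Any broken step is an error.
func Validate(anchor []byte, chain []Link, rec Record) error {
	var parent ed25519.PublicKey
	for i, l := range chain {
		pub, name := ed25519.PublicKey(l.DNSKEY.Rdata), l.DNSKEY.Owner
		if i == 0 {
			if !bytes.Equal(DSDigest(name, pub), anchor) {
				return fmt.Errorf("%s: DNSKEY does not match trust anchor", name)
			}
		} else {
			up := chain[i-1].DNSKEY.Owner
			if l.DS.Signer != up || l.DS.Owner != name || !verify(parent, l.DS) {
				return fmt.Errorf("%s: DS not validly signed by parent %s", name, up)
			}
			if !bytes.Equal(l.DS.Rdata, DSDigest(name, pub)) {
				return fmt.Errorf("%s: DNSKEY does not match the DS signed by %s", name, up)
			}
		}
		if l.DNSKEY.Signer != name || !verify(pub, l.DNSKEY) {
			return fmt.Errorf("%s: DNSKEY self-signature invalid", name)
		}
		parent = pub
	}
	leaf := chain[len(chain)-1].DNSKEY.Owner
	if rec.Signer != leaf || !verify(parent, rec) {
		return fmt.Errorf("%s %s: RRSIG does not verify under %s", rec.Owner, rec.Type, leaf)
	}
	return nil
}

// Scenario builds root -> uk. -> theregister.co.uk. (zone cuts assumed for this example)
// and returns the validation outcome for an honest answer, an off-path forgery, and a
// forgery that the parent zone's key has vouched for, plus that signed DS as evidence.
func Scenario() (honest, forged, parentCompromise error, evidence Record) {
	root, uk, reg := NewZone("."), NewZone("uk."), NewZone("theregister.co.uk.")
	anchor := DSDigest(root.Name, root.Pub)
	link := func(z, parent *Zone) Link {
		l := Link{DNSKEY: z.Sign(z.Name, "DNSKEY", z.Pub)}
		if parent != nil {
			l.DS = parent.Sign(z.Name, "DS", DSDigest(z.Name, z.Pub))
		}
		return l
	}
	chain := []Link{link(root, nil), link(uk, root), link(reg, uk)}
	a := reg.Sign("www.theregister.co.uk.", "A", []byte("192.0.2.10")) // constructed address
	honest = Validate(anchor, chain, a)

	// Off-path attacker: no key in the chain, so a substituted answer fails to validate.
	evil := NewZone("theregister.co.uk.")
	fake := evil.Sign("www.theregister.co.uk.", "A", []byte("198.51.100.7")) // constructed
	forged = Validate(anchor, chain, fake)

	// Parent compromise: if the uk. key signs a DS for the attacker's key the fake does
	// validate, but that DS is a collectable, provably false statement signed by uk.
	evidence = uk.Sign(evil.Name, "DS", DSDigest(evil.Name, evil.Pub))
	badChain := []Link{chain[0], chain[1], {DNSKEY: evil.Sign(evil.Name, "DNSKEY", evil.Pub), DS: evidence}}
	parentCompromise = Validate(anchor, badChain, fake)
	return
}

func main() {
	h, f, p, ev := Scenario()
	fmt.Println("honest chain:", h)
	fmt.Println("off-path forgery:", f)
	fmt.Println("parent-signed rogue DS:", p, "(evidence signed by", ev.Signer+")")
}
```

The three cases correspond to the thread's argument: a forged answer with no key in the chain fails, a forgery backed by a compromised parent succeeds, and the only way for the parent to make it succeed is to sign a DS that anyone can keep and later show was false.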
DNSSEC does provide a decent chain of trust though - you can see who you are trusting in the URL, no need to check that the cert isn't issued by a dodgy elbonian authority.
It could also allow a sideband transfer of HTTPS certs, allowing those certificate chains to be combined into one, easily visible chain of trust.
A visible chain of trust is all very well, but is it possible to trust any US corporation if you're not a US citizen?
The very fact that these keys will be in the US to begin with is potentially damaging in and of itself with the current issues that are unfolding.
Because DNS is publicly visible and has ttl caching, it is reasonably easy to spot someone hijacking. Also anyone can run DNSSEC, you don't need to trust the root authorities (although who you'd rather trust is an interesting question)...
In any case, at least there is only one DNSSEC chain, you won't get someone "accidentally" signing a certificate for www.Google.com or *. If all else fails, why not do what you do at the moment ***and*** use DNSSEC?