For just a moment, imagine that DNSSEC is fullydeployed. Every zone you careabout has been signed. No moreworrying about cache poisoning:You can trust the answers you get from name servers around theInternet. You sleep better atnight. Youve lost weight, and theopposite sex finds you more attractive.Now what?
Thats a reasonable question to ask. DNSSECwhich you might think of asDNSs second actcould itself have a second act. (That would be nicely recursive, and of course recursion isa key part of DNS.)
We might see a surge in adoption of DKIM, for example. DKIM, which stands for DomainKeysIdentified Mail, is a little like DNSSEC for email. It uses asymmetric cryptography to allow the recipient of amessage to verify the domain name of the sender as well as the integrity of themessage. DKIM stores the publickeys the recipient uses to attempt validation in DNS. Today, when its possible to spoof DNS data, its likewisepossible to spoof DKIM. But withsigned zones, you can trust the data you get from DNS.
You could also use datain particular, public keysstored inDNS to secure just about any sort of transaction performed over theInternet. Take SSH, forexample. While SSH uses encryptionto allow you to securely log in to a remote device, it has a bootstrappingproblem: The first time you try tolog in to a host, you probably dont know its public key. SSH clients usually give you theopportunity to examine the fingerprint of the public key presented by the hostand accept or reject it, but unless youve got some other way to retrieve thepublic key so that you can compare it, youll probably just accept what youreshown and hope for the best. WithDNSSEC widely deployed, administrators of hosts can store the fingerprints of theirhosts public keys in SSHFP records.Better SSH clients will then automatically compare new fingerprintsagainst fingerprints retrieved (and validated!) via DNS before accepting them.
Of course, this general idea could be extended to cover justabout any Internet protocol.
What else can you think of to do with a secure, global DNS namespace? Im sure there are countlesspossibilities, and probably millions to be madeif only I were clever enough tocome up with a good idea!