For just a moment, imagine that DNSSEC is fully deployed. Every zone you care about has been signed. No more worrying about cache poisoning: You can trust the answers you get from name servers around the Internet. You sleep better at night. You've lost weight, and the opposite sex finds you more attractive. Now what?
That's a reasonable question to ask. DNSSEC, which you might think of as DNS's second act, could itself have a second act. (That would be nicely recursive, and of course recursion is a key part of DNS.)
We might see a surge in adoption of DKIM, for example. DKIM, which stands for DomainKeys Identified Mail, is a little like DNSSEC for email. It uses asymmetric cryptography to allow the recipient of a message to verify the domain name of the sender as well as the integrity of the message. DKIM stores the public keys the recipient uses to attempt validation in DNS. Today, when it's possible to spoof DNS data, it's likewise possible to spoof DKIM. But with signed zones, you can trust the data you get from DNS.
You could also use data (in particular, public keys) stored in DNS to secure just about any sort of transaction performed over the Internet. Take SSH, for example. While SSH uses encryption to allow you to securely log in to a remote device, it has a bootstrapping problem: The first time you try to log in to a host, you probably don't know its public key. SSH clients usually give you the opportunity to examine the fingerprint of the public key presented by the host and accept or reject it, but unless you've got some other way to retrieve the public key so that you can compare it, you'll probably just accept what you're shown and hope for the best. With DNSSEC widely deployed, administrators of hosts can store the fingerprints of their hosts' public keys in SSHFP records. Better SSH clients will then automatically compare new fingerprints against fingerprints retrieved (and validated!) via DNS before accepting them.
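The SSHFP comparison described above, sketched in Python as an added example (not code from the original post or from any SSH client). The function names and the `dnssec_validated` flag are assumptions standing in for a validating resolver, and the sample key is constructed dummy data:

```python
import base64
import hashlib
import hmac

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(key_line):
    """Split '<keytype> <base64> [comment]' into (keytype, raw key blob)."""
    keytype, b64 = key_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_rdata(key_line, fptype=2):
    """RDATA an administrator would publish for this host key."""
    keytype, blob = key_blob(key_line)
    return f"{KEY_ALGS[keytype]} {fptype} {FP_HASHES[fptype](blob).hexdigest()}"


def check_host_key(key_line, sshfp_rdatas, dnssec_validated):
    """Return 'verified', 'mismatch' or 'unverified' for an offered key."""
    keytype, blob = key_blob(key_line)
    alg = KEY_ALGS.get(keytype)
    if not dnssec_validated or alg is None:
        return "unverified"  # unsigned DNS data proves nothing
    comparable = False
    for rdata in sshfp_rdatas:
        r_alg, r_type, *hex_parts = rdata.split()
        if int(r_alg) != alg or int(r_type) not in FP_HASHES:
            continue  # record is for another key type or unknown hash
        comparable = True
        digest = FP_HASHES[int(r_type)](blob).digest()
        if hmac.compare_digest(digest, bytes.fromhex("".join(hex_parts))):
            return "verified"
    return "mismatch" if comparable else "unverified"


def constructed_key(seed):
    """Constructed sample: a well-formed ssh-ed25519 blob with dummy bytes."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = s(b"ssh-ed25519") + s(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```

A client would treat "mismatch" as a hard failure and fall back to the usual fingerprint prompt on "unverified". OpenSSH exposes this behaviour through its `VerifyHostKeyDNS` option, and `ssh-keygen -r` prints the SSHFP records for a host key.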
Of course, this general idea could be extended to cover just about any Internet protocol.
What else can you think of to do with a secure, global DNS namespace? I'm sure there are countless possibilities, and probably millions to be made, if only I were clever enough to come up with a good idea!

Comments
Everything could ultimately derive from your (secured) DNS records. You want to sign a Java applet? Sure. You can self-sign it, backed by your DNS signature. In fact, this could be generalized to all certificates. Self-signing could be accepted if (and only if) the owner's domain is signed by a trusted authority. That way, you go through the hassle of buying a certificate once, and thereafter do the signing yourself. Will this be helpful, or will it be a useless feature?
As soon as it's viable, we'll be storing our self-signed SSL certs for everything in the DNS. That'll be sweet.