Thursday, 5 February 2009

A few arguments why DNSSEC is a very bad idea.

A short list of arguments why DNSSEC shouldn't be deployed in the DNS.
1. NSEC3 hasn't been tested enough; it is a fresh product from 2008 (RFC 5155). The software that supports NSEC3 needs more real-life testing before we can say it is ready for production.
2. There is no standardized procedure for key management at the root level and for signing the root. The explanations from the IETF for why root signing is not standardized are not satisfactory. Signing the root is a technical solution, not a political one, and that is why it should be subject to the RFC process; but it isn't, and it isn't going to be.
It's like having all the standards for aircraft manufacturing but none for the engines, or having standards for car manufacturing... except for the airbags.
3. The Trust Anchor Repository is just a fix for the problem, and not a proper one. Can you imagine that the standardization process took 15+ years, yet everybody "forgot" to think about the root?
4. If the central repository (the Trust Anchor Repository) is not accessible, then validation cannot be performed, even if the zone is signed properly. Result: you can't use the Web for signed domains.
5. DNSSEC doesn't secure the whole path from the DNS to the end user: no operating system supports DNSSEC as of now (January 2009).
6. No interest from the end-users.
7. Business failure in the countries that have implemented it.
8. A complicated signing and key-management process, which will lead to a situation where the registrar or name-server operator runs the whole signing process on the end user's behalf. This is a big break in the security model: you can't hire somebody to sign documents for you with your personal signature.
9. In the case of the European Commission, the EC must be technically neutral; supporting DNSSEC breaks this rule.
and many more to go...
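To make point 1 concrete, here is what the NSEC3 machinery that the post calls untested actually computes: the hashed owner name from RFC 5155 section 5 (a salted, iterated SHA-1 over the canonical wire-format name, encoded in base32hex). This is an added example written for this page, not code from the original post or from any DNSSEC implementation; the only external data it relies on is the public test vector from RFC 5155 Appendix A (zone "example.", salt aabbccdd, 12 iterations).

```python
"""NSEC3 owner-name hashing as specified in RFC 5155, section 5.

Added example, not code from the original post. The parameters used in
the self-check (salt aabbccdd, 12 iterations, zone "example.") are the
ones from the sample zone in RFC 5155, Appendix A.
"""
import base64
import hashlib

# RFC 4648 standard base32 alphabet -> "Extended Hex" alphabet used by NSEC3.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire-format form of a domain name (RFC 4034 section 6.2):
    labels lowercased, each prefixed by its length, terminated by a zero byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Return the NSEC3 hash of `name` as a 32-character base32hex string.

    IH(salt, x, 0) = H(x || salt)
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt)   for k > 0
    Hash = IH(salt, owner name in wire format, iterations)

    Only hash algorithm 1 (SHA-1) is defined in RFC 5155.
    """
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    # An empty salt is written as "-" in presentation format.
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte SHA-1 digest encodes to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 RR that corresponds to `name` in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # NSEC3PARAM 1 0 12 aabbccdd, as in the RFC 5155 Appendix A sample zone.
    for n in ("example.", "a.example.", "ns1.example.", "x.y.w.example."):
        print(f"{n:16} -> {nsec3_owner(n, 'example.', 'aabbccdd', 12)}")
```

Two things a practitioner should notice: the hash depends on the zone's current salt and iteration count, so every NSEC3 RR in the zone has to be regenerated whenever either parameter changes, and an authoritative server or validator has to run `iterations + 1` SHA-1 computations per name on the fly for authenticated denial of existence. Both are operational costs that only show up once the zone is actually in production, which is the point the post makes about the lack of real-life testing.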