On Mon, Jun 16, 2014 at 2:49 PM, Michael Orlitzky <m...@gentoo.org> wrote:
> The benefits of DNSSEC are debatable. We're moving the centralized trust
> from one group of scumbags (the CAs) to another group of scumbags (the
> registrars). So the benefits to authentication are not entirely clear-cut.
>
> But, DNSSEC will eventually allow us to do away with the SSL racket, and
> that can only improve security through the widespread adoption of
> encryption. So it's a good thing either way.
While I agree with your concerns about trust, I think the good thing about DNSSEC is that you don't have to trust as many people.

With the current SSL racket I need to trust all the folks in my browser's CA list not to mess with my connection. Any one of them has the power to spoof any website on the planet, and have you seen how long the list is?

With DNSSEC the only parties who can tamper with a connection are the domain owner, the registrar, and the TLD owner. So, while Verisign can tamper with a .com domain, they can't mess with a .uk domain, and at least the folks who buy a .com domain know who they're getting involved with. With SSL Verisign can spoof any domain there is anywhere, since the trust relationship in SSL is not limited to some domain.

I'd like to see things improved further still, but DNSSEC is a big step in the right direction.

Rich
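The trust-scope argument in Rich's reply (any CA in the store can vouch for any name; a DNSSEC zone key can only vouch for names beneath it) can be shown with a small model. This is an added example, not code from the thread or from any real TLS or DNSSEC implementation: signatures are stood in for by HMAC-SHA256 over a per-signer secret (so "public key" and "private key" are the same bytes here, which is fine because the point is who is allowed to sign for what, not the signature algorithm), and every zone, key, CA name and address in it is constructed.

```python
"""Toy comparison of trust scope: CA-store model vs. DNSSEC chain.

Added example, not part of the original thread. HMAC is a stand-in for
real asymmetric signatures; all names and secrets below are made up.
"""
import hashlib
import hmac


def sign(key: bytes, msg: bytes) -> bytes:
    """Toy 'signature': HMAC-SHA256 with the signer's secret."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


# ---- CA model: the trust store has no notion of namespace ---------------
# Constructed trust store: a CA run by the .com registry, and one other CA.
CA_TRUST_STORE = {
    "Registry-of-.com CA": b"ca-com-secret",
    "Some Other CA": b"ca-other-secret",
}


def ca_issue(ca_name: str, domain: str) -> dict:
    """A minimal end-entity 'certificate': the CA signs the domain name."""
    return {"issuer": ca_name, "domain": domain,
            "sig": sign(CA_TRUST_STORE[ca_name], domain.encode())}


def ca_validate(cert: dict) -> bool:
    """Browser-style check: any trusted root is accepted for any name."""
    key = CA_TRUST_STORE.get(cert["issuer"])
    return key is not None and verify(key, cert["domain"].encode(), cert["sig"])


# ---- DNSSEC model: authority follows the name hierarchy -----------------
# Constructed zone keys. Only the root key is a trust anchor; every other
# key must be introduced by a DS record signed by the parent zone.
ZONE_KEYS = {
    ".": b"root-secret",
    "com": b"com-secret",
    "uk": b"uk-secret",
    "example.com": b"example-com-secret",
    "example.uk": b"example-uk-secret",
}


def parent_of(zone: str) -> str:
    return zone.split(".", 1)[1] if "." in zone else "."


def honest_records():
    """Each zone publishes its own key; each parent publishes and signs a
    DS (hash of the child's key) for each child."""
    dnskeys = dict(ZONE_KEYS)
    ds_records = {}
    for zone, key in ZONE_KEYS.items():
        if zone == ".":
            continue
        parent = parent_of(zone)
        ds_hash = hashlib.sha256(key).digest()
        ds_records[(parent, zone)] = (ds_hash, sign(ZONE_KEYS[parent], ds_hash))
    return dnskeys, ds_records


def dnssec_validate(name, rrset, rrsig, dnskeys, ds_records) -> bool:
    """Walk root -> TLD -> ... -> name. At each step the parent's key (already
    trusted) must have signed the DS, and the DS must match the child's
    published key. Zones off the path are never consulted at all."""
    path = []
    zone = name
    while zone != ".":
        path.append(zone)
        zone = parent_of(zone)
    path.reverse()                      # e.g. ["uk", "example.uk"]
    trusted_key = ZONE_KEYS["."]        # the only trust anchor
    for zone in path:
        entry = ds_records.get((parent_of(zone), zone))
        if entry is None:
            return False
        ds_hash, ds_sig = entry
        if not verify(trusted_key, ds_hash, ds_sig):
            return False                # parent did not vouch for this child
        child_key = dnskeys.get(zone)
        if child_key is None or hashlib.sha256(child_key).digest() != ds_hash:
            return False                # published key does not match DS
        trusted_key = child_key
    return verify(trusted_key, rrset, rrsig)


def honest_lookup(name: str) -> bool:
    dnskeys, ds_records = honest_records()
    rrset = f"{name}. IN A 192.0.2.10".encode()
    return dnssec_validate(name, rrset, sign(ZONE_KEYS[name], rrset), dnskeys, ds_records)


def com_registry_forges(target: str) -> bool:
    """The .com operator tries to serve its own A record for `target`: it
    substitutes the .com key as the target's DNSKEY and signs a matching
    DS and RRSIG with the only key it holds, .com's."""
    dnskeys, ds_records = honest_records()
    forged_key = ZONE_KEYS["com"]
    dnskeys[target] = forged_key
    ds_hash = hashlib.sha256(forged_key).digest()
    ds_records[(parent_of(target), target)] = (ds_hash, sign(forged_key, ds_hash))
    rrset = f"{target}. IN A 192.0.2.66".encode()
    return dnssec_validate(target, rrset, sign(forged_key, rrset), dnskeys, ds_records)


if __name__ == "__main__":
    print("CA model, .com registry CA for example.uk:",
          ca_validate(ca_issue("Registry-of-.com CA", "example.uk")))   # True
    print("DNSSEC, .com key forging example.com:", com_registry_forges("example.com"))  # True
    print("DNSSEC, .com key forging example.uk: ", com_registry_forges("example.uk"))   # False
```

Running it shows the asymmetry in Rich's argument: the constructed ".com registry" CA validates a certificate for example.uk under the CA model, while under the chain model the same operator can forge example.com (it is on the path and holds the parent key) but not example.uk, because the validator only ever asks the .uk key whether example.uk's key is genuine.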