Everyone has all of these problems with DNSSEC but no solutions. What's the better alternative? We need a way to verify hostname lookups.
DNSSEC does what it says on the tin. DIYing DNSSEC is a pain in the ass, but in 2023 I think the overlap of folks who self host DNS and aren't capable of setting up DNSSEC is quite small.
I personally think we missed a great opportunity with DANE to decentralize a lot of things, but DNSSEC FUD got in the way.
You ever have a debate about "defense in depth" versus "multiple single points of failure"? That's the DNSSEC dilemma (or one of them at least). People think they're getting a "decentralized" system. But there are few systems on the Internet more centralized than the DNS, which is tree structured, and which by design delegates authority to world governments.
Appeals to DNSSEC as a decentralization method tend to assume that (a) there are TLDs that are both accessible and reasonably insulated from governmental privacy interference (this is trickier than it looks; .IO, for instance, is squarely within the jurisdiction of the world's most unhinged signals intelligence agency), and that (b) moving established properties to those new TLDs has a reasonable cost, which it virtually never does.
Using any web service requires implicitly trusting the government (in the sense of the entity that can give orders that men with guns will follow; not necessarily the party currently in power, in the case of places that have checks and balances) of wherever it's hosted. Not being also obliged to trust 170-odd other governmental and nongovernmental entities would be a step up (I know certificate transparency helps with this to a certain extent, but being a root CA is still a privileged status; really I should be able to use a .foo domain without putting any trust in entities outside foo)
It is simply not true that using any service on the Internet requires you to trust the government. I do appreciate the clarity with which we can associate that idea with DNSSEC advocacy, though. "30 years of Internet privacy research have shown: we should just give up and let governments run the show, they're going to anyways".
Unfortunately, the IETF has categorically rejected that argument:
It's not that I want to trust governments more. I want to get away from the "flat list of 170+ root certificates" model because I want to trust a bunch of governments (not least that of the US) less!
Is your argument with the RFC that content exfiltration is always more costly than active network attacks? Obviously all else being equal that's true, but it's an overly simplistic model when multiple countries come into play - for a government, an active network attack against a foreign power is much more costly than any kind of attack, even content exfiltration, against a company within your country.
> assume ... there are TLDs that are both accessible and reasonably insulated from governmental privacy interference
Would be nice if the root servers delegated some TLDs to various experimental projects like blockchain-based name systems and OpenNIC and such (i.e. making domains under those TLDs resolvable for everyone).
DNSCurve solves the issues of securing the channel (solves privacy, not authenticity like DNSSEC attempted), unfortunately it wasn't standardized and didn't get wide adoption.
The place where DoH is common is the place with no network effect. Anyone can use anything from DoH to DNSCurve to OpenVPN to secure the path between the client and the recursive DNS server, and can do so regardless of what anybody else uses for that.
The thing we're still missing is something to secure the path between the recursive and authoritative nameservers, which is the thing DNSCurve is actually better at and is also not the thing DoH is commonly used for. Moreover, "adoption" is basically code in this context. You could have widespread adoption of DNSCurve just by adding support for it to the handful of open source DNS servers in widespread use.
Operations people frequently pick based on ergonomics. The bad ergonomics and having to learn new tools is a frequently cited reason why IPv6 is seeing lower adoption.
DoT and DoH seem like better alternatives, these days. At least for the “authenticated delivery of DNS records” bit.
My understanding is that if DNSSEC were to break nothing would really happen to the public Internet, indicating that it’s not really a load-bearing component.
That TLS MITM attack was government-initiated, and governments control the DNSSEC roots. But either way: you can't say your system is load bearing because if it was actually deployed it would bear load. It has to actually bear the load, not just in theory but in practice. The root DNSSEC keys could land on Pastebin tonight and almost nobody would need to be paged.
Authenticated DANE or CAA would have prevented it.
FWIW, there is absolutely no reason that authentication for CAA requests needs to have high bandwidth or low latency or even that it would need to be part of the DNS protocol itself or of any sort of query that ordinary clients do. And the web could tolerate a day-long CAA outage with the only obvious side effect being an inability to issue new certificates.
Heck, a signed CAA attestation valid for 24 hours that was generated, for each domain that uses it, at most once per day, would allow quite a bit of ability to ride through an outage.
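To make concrete what "CAA would have prevented it" means for a CA, here is an RFC 8659 issuance check run over a constructed zone snapshot. This is an added example, not code from the thread or from any CA; the zone data, hostnames and CA identifiers are made up, and the decision to drop the leading "*" label and climb from the base name for a wildcard request is this example's assumption. Because the check operates on a fetched record set rather than on a live client query, it is the kind of evaluation that could run against an out-of-band, once-a-day attestation as the comment above suggests.

```python
"""RFC 8659 CAA issuance check over a constructed zone snapshot (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CAARecord:
    flags: int    # bit 7 (value 128) is the "issuer critical" flag
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)

# Constructed sample zone data (not real DNS answers): FQDN -> CAA RRset.
ZONE: dict[str, list[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example.net"),
        CAARecord(0, "issuewild", ";"),                     # nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        CAARecord(128, "future-tag", "some-value"),        # critical flag on an unknown tag
    ],
    "acct.example.com.": [
        CAARecord(0, "issue", "ca-two.example.net; accounturi=https://ca-two.example.net/acct/42"),
    ],
    # open.example.org has no CAA records anywhere in its tree.
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def normalize(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."

def parent(name: str) -> Optional[str]:
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."

def relevant_rrset(name: str, zone: dict[str, list[CAARecord]] = ZONE) -> list[CAARecord]:
    """RFC 8659 section 3: walk from the name toward the root and return the
    first non-empty CAA RRset found; an empty list means no CAA applies."""
    x: Optional[str] = normalize(name)
    while x is not None:
        rrset = zone.get(x, [])
        if rrset:
            return rrset
        x = parent(x)
    return []

def issuer_domain(value: str) -> str:
    # "ca.example.net; accounturi=..." -> "ca.example.net"; ";" -> "" (no CA permitted)
    return value.split(";", 1)[0].strip().lower()

def may_issue(cert_name: str, ca: str, zone: dict[str, list[CAARecord]] = ZONE) -> tuple[bool, str]:
    """Return (permitted, reason) for CA `ca` issuing a certificate for `cert_name`."""
    wildcard = cert_name.startswith("*.")
    # Assumption of this example: for "*.X" the climb starts at X.
    lookup_name = cert_name[2:] if wildcard else cert_name
    rrset = relevant_rrset(lookup_name, zone)
    if not rrset:
        return True, "no CAA records in tree: any CA may issue"
    # A critical record with a tag the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.critical and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unrecognised tag {rr.tag!r}"
    # For wildcard names, issuewild records (if any exist) replace issue records.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    candidates = [rr for rr in rrset if rr.tag.lower() == tag]
    if not candidates:
        return True, f"no {tag} records in relevant RRset: issuance not restricted"
    for rr in candidates:
        if issuer_domain(rr.value) == ca.lower():
            return True, f"{tag} record names {ca}"
    return False, f"{tag} records present but none names {ca}"

if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example.net"),
                     ("*.example.com", "ca-one.example.net"),
                     ("locked.example.com", "ca-one.example.net"),
                     ("acct.example.com", "ca-one.example.net"),
                     ("open.example.org", "ca-one.example.net")]:
        print(name, ca, may_issue(name, ca))
```

The climb stops at the first name that has any CAA records at all, which is why `acct.example.com` (which names only `ca-two`) is not also opened up by its parent's `issue` record, and why a zone with only `iodef` records restricts nothing. A real CA would fetch the RRset over a validated path (DNSSEC, or the kind of signed daily attestation discussed above) before trusting this decision.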