Comment Re:Why We Need It (Score 4, Informative)
Uhh...
If you want to get a list of all signed domains, check out:
Look up any TLDs you want there.
You've actually hit onto something that some people think is _very_ important:
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html
By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv
Rather than start w/ his example, consider the attacks seen after the Kaminsky announcement: MX records were being forged. Now I can poison an ISP's caches w/ the wrong records for email of any site and all of your email will go through me. Do you ever send anything interesting over email?
WRT the video, at Blackhat there was a presentation demoing the creation of forged SSL certs using weak CAs. Now, if DNS hands you an IP for a domain that really belongs to a MitM, your browser _thinks_ that it is talking to the real domain and just needs a cert that matches. Poof, wormhole attack.
Really, the problem here is your browser/OS comes bundled w/ a bunch of very poorly maintained root CAs that you should "trust". Who knows who many of them are, but if your browser is happy with a cert from any of them for any website, you get a nice false sense of security. DNSSEC doesn't address this specific problem. Rather, it makes it perfectly clear what DNS data can be verified. If you go to a rogue website, that is a higher level problem, but at least with DNSSEC you _know_ when you're at a rogue web site. SSL conflates too many things and can be dangerous if misunderstood.
DNSSEC addresses issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it is the actual record (such as the IP address(es) for a web site) served by a domain.
If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
http://www.youtube.com/watch?v=Yt-oJTj0j0o
Wrong... RFCs go through lengthy comment periods as drafts and though there are none that get 100% support, their purpose is to serve as specifications so people know how to implement protocols (for example).
DNSSEC had been widely implemented, tested, argued over for about 10 years before the final RFCs... Check it out... >10 years
Know your history dude.