No, 50 of the root domains now support DNSSEC. Nothing resembling 50%, 5%, or .5% of the Internet uses DNSSEC. Nor will it ever.
DNSSEC is a bad idea. It provides very little value. It drastically complicates the Internet. It bakes the worst part of TLS --- the static tree PKI --- into the core design of the Internet... and then gives the root of the tree to the US government. It's clunky, it uses antiquated crypto (its proponents have been trying to standardize it since 1995), and it leaks your private hostnames to the Internet.
I can go on and on and on. Instead, here are some older posts I've written about it:
So DNSCurve then? Does it basically just allow me to encrypt my connection to a DNS server of my choice? If I run my own DNS server on my own network, and I resolve example.com will I know if the entire recursive resolution was done over a secure channel or just that the connection from my host to my DNS server was secure?
Also is there any chance of it actually becoming adopted widely?
DNSSEC basically has all the problems of SSL registrars with almost none of the user-facing benefits - it's still a centralized system that could be overridden by a registrar hack or state-level strong-arming, and very few end user systems support actually doing anything when DNSSEC-signed records don't verify.
If you think users are confused by SSL warnings now, how the heck would they understand similar errors at the DNS resolver level?
Also, there's no in-flight encryption, so it offers no privacy benefit. It also aggravates DNS amplification attacks.
The better technology to look into if you're concerned about individual user rights and privacy is DNSCurve: http://dnscurve.org
It's not comparable to DNSSEC other than "It uses crypto with DNS" - they have entirely different goals, but the goals it solves are much more relevant to end users (privacy, forgery, etc.).
Personally, I'd recommend people run both techs, as there's no technical reason that makes them incompatible.
I have no idea how to solve the UI problems. We've had 15+ years of SSL and there's been almost no progress on that.
DNSSEC basically has all the problems of SSL registrars with almost none of the user-facing benefits - it's still a centralized system that could be overridden by a registrar hack or state-level strong-arming
I thought the problem with CAs was that any compromised CA breaks security on all sites? Whereas with DNS there's one registrar that handles your domain (well, plus the tld admin, but that's still only 2 instead of lots), which is chosen by you rather than any attacker?
The better technology to look into if you're concerned about individual user rights and privacy is DNSCurve: http://dnscurve.org
After re-reading that, I still don't see how it authenticates the DNS server (and if it does, I imagine it could only do so by relying on information from the parent zone). So I'll assume that it's no more resistant to "registrar hack[s] or state level strong-arming" than anything else.
This is a really important point and isn't stated enough. People think of DNSSEC as some panacea that "fixes" DNS, but it really does nothing of the sort.
Moxie gave an absolutely fantastic talk at Blackhat a few years ago in which he explained the problem as it relates to SSL and a proposed solution: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
Good comment, I use them both with OpenNIC DNS servers which accept both DNSSEC and DNSCrypt (based on DNSCurve) encryption.
That said, I understand how the network works up to my DNS server. I don't know what happens after that so I can't really argue on how to build a better system, but namecoin[1] seems the obvious solution.
Can one of you knowledgeable HNers tell me how I, as a dude who owns some domains and occasionally uses DNS to point them somewhere, can get on board with this? Or is it something that can only be implemented if you're hosting your own DNS?
If you were my client and asked me this, I would probably suggest you wait. My personal guess is that any effort you sink to deploying DNSSEC is going to be wasted, not in the sense that "DNSSEC will have bugs" (though it will), but in the sense of "the world is not going to end up using DNSSEC".
In the immediacy, you should know that deploying DNSSEC isn't going to do anything for the security of your site, nor is it going to make it more reliable for computers around the world to reach your site.
Your domain registrar needs to support it, as they need to push your keys upstream. I currently use Gandi, who do support DNSSEC in their web interface. I think Namecheap support it but you have to email them to get it set up.
You need to run your own DNS server (this is really the whole point of DNSSEC!), and setting it up is an absolute dog atm.
Your zones need to be either online-signed by the authoritative DNS servers for these zones or offline-signed (using e.g. OpenDNSSEC) and then pushed to the authoritative DNS servers. Offline-signing is obviously more secure but signatures need to be refreshed regularly, so it's not sufficient to sign the zone once and be done with it. The zone needs to be resigned and pushed out to the authoritative DNS servers continually. If that process fails somehow, the signatures will expire and your zones will no longer validate. It's like a self-inflicted DoS. Setting this up properly is a nightmare.
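As an added illustration of the signature-refresh failure mode described above (example code, not from the thread or any project mentioned in it): a small monitor that parses RRSIG records from a zone in presentation format and flags signatures that have already expired, are not yet valid, or will expire within a warning window. The zone excerpt, the `example.test` names and the truncated signature fields are constructed placeholders.

```python
"""Monitor RRSIG validity windows in a signed zone (presentation format)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: a signed zone excerpt, not a real zone; the base64
# signature fields are truncated since only the timestamps matter here.
SAMPLE_ZONE = """\
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024060100 7200 3600 1209600 3600
example.test.     3600 IN RRSIG SOA 13 2 3600 20240615000000 20240601000000 12345 example.test. AbCd==
example.test.     3600 IN NS    ns1.example.test.
example.test.     3600 IN RRSIG NS 13 2 3600 20240701000000 20240601000000 12345 example.test. EfGh==
www.example.test. 300  IN A     192.0.2.10
www.example.test. 300  IN RRSIG A 13 3 300 20240603120000 20240601000000 12345 example.test. IjKl==
"""

def parse_timestamp(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Yield (owner, type covered, inception, expiration) for every RRSIG.
    RDATA layout: type-covered algorithm labels original-ttl expiration
    inception key-tag signer signature."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        yield f[0], f[4], parse_timestamp(f[9]), parse_timestamp(f[8])

def check_signatures(zone_text, now, warn_days=7):
    """Classify each signature relative to `now`: expired signatures make the
    RRset fail validation (the self-inflicted DoS), not-yet-valid ones point
    at clock skew or a mis-signing, and expiring-soon ones mean the resigning
    job must run before the window closes."""
    report = {"expired": [], "not_yet_valid": [], "expiring_soon": [], "ok": []}
    for owner, covered, inception, expiration in parse_rrsigs(zone_text):
        rrset = f"{owner}/{covered}"
        if expiration <= now:
            report["expired"].append(rrset)
        elif inception > now:
            report["not_yet_valid"].append(rrset)
        elif expiration - now <= timedelta(days=warn_days):
            report["expiring_soon"].append(rrset)
        else:
            report["ok"].append(rrset)
    return report

if __name__ == "__main__":
    for state, rrsets in check_signatures(SAMPLE_ZONE, datetime.now(timezone.utc)).items():
        print(f"{state}: {rrsets}")
```

Run it from the resigning host's cron alongside the signing job, and alert on anything outside "ok" before the authoritative servers start serving expired signatures.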
The ISP you're hosting your domains at needs to support this.
It used to be possible to get HTTPS on Chrome, without warning, without getting certificates from a CA, by using DNSSEC. Nobody used it so it was removed.
Very strange, because this feature was removed from Chrome just after the DANE RFC was published and all the work was done. It is evident that DANE will kill the SSL certification business. The development suspension may result from pressure coming from CAs.
Wow, I didn't know about it! It's a shame it was removed - I couldn't find a site to test it or the issue in the Chromium tracker about removing it, though.
They've mandated DNSSEC for new gTLDs, and the uptick in usage is almost entirely down to that. 100 or so have been delegated so far, and there are hundreds more in the pipeline. To some extent the 50% stat is meaningless as there's about to be a ton of gTLDs with tiny amounts of traffic relative to .com etc.
tptacek | 12 years ago
https://news.ycombinator.com/item?id=5571937
https://news.ycombinator.com/item?id=4071178
https://news.ycombinator.com/item?id=2932378
IgorPartola | 12 years ago
zdw | 12 years ago
tbrownaw | 12 years ago
aroman | 12 years ago
kingzero | 12 years ago
https://www.youtube.com/watch?v=K8EGA834Nok
atmosx | 12 years ago
[1] https://www.namecoin.org/
nly | 12 years ago
Jgrubb | 12 years ago
tptacek | 12 years ago
nly | 12 years ago
blumentopf | 12 years ago
zimbatm | 12 years ago
sanxiyn | 12 years ago
https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
zhovner | 12 years ago
ktt | 12 years ago
More information: https://code.google.com/p/chromium/issues/detail?id=50874
And in Mozilla Wiki: https://wiki.mozilla.org/Security/DNSSEC-TLS-details
oliao | 12 years ago
spindritf | 12 years ago
¹ https://developers.google.com/speed/public-dns/docs/using#se...
² https://unbound.net/
sanxiyn | 12 years ago
AndrewDucker | 12 years ago
bazzargh | 12 years ago
More DNSSEC uptake is still good news though.
Prior to opening the floodgates, DNSSEC was at 35% and climbing slowly: https://www.dns-oarc.net/oarc/data/zfr/root/ds