
A standard for cryptographically signing DNS data, so that a resolver can check that the answers it receives haven't been forged. This is important to prevent DNS spoofing attacks.

DNSSEC relies on the root zone being signed by a key that everyone trusts. The problem is, no one signs the root zone, so the entire system falls apart. You can sign your own zone files and then trust them, which gives you security for those zones, but still says nothing about the rest of them.
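The chain of trust described above, modelled as an added example (it is not code from the original page or from any DNSSEC implementation). It stands in a textbook-RSA toy signature for the real DNSSEC algorithms, uses constructed zone names (`nz.`, `example.nz.`, `org.`, `other.org.`) with addresses from the documentation ranges, and shows the three situations the paragraph describes: no trust anchor at all, trusting only your own zone's key, and a signed root whose key everyone trusts, plus what a validator reports when a record is altered after signing.

```python
import hashlib
import json

# --- Toy signature scheme (assumption: textbook RSA with small fixed primes,
# standing in for the real DNSSEC algorithms; illustration only) -----------

def toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)                # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# --- Zones, delegations and signatures (analogues of DNSKEY/DS/RRSIG) -------

def key_digest(pub):
    """DS analogue: hash of a child's public key, published and signed by the
    parent zone so the parent vouches for the child's key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

class Zone:
    def __init__(self, name, primes, records):
        self.name = name
        self.pub, self._priv = toy_keypair(*primes)
        self.records = dict(records)   # constructed sample data, e.g. {"www": "192.0.2.10"}
        self.ds = {}                   # child zone name -> key_digest(child key)
        self.rrsig = None              # RRSIG analogue over records + DS set

    def signed_data(self):
        return json.dumps({"rr": self.records, "ds": self.ds}, sort_keys=True).encode()

    def delegate(self, child):
        self.ds[child.name] = key_digest(child.pub)

    def sign_zone(self):
        self.rrsig = sign(self._priv, self.signed_data())

# --- Validating resolver ----------------------------------------------------

def validate(zones, chain, anchors):
    """Walk `chain` (zone names from the root down to the target zone) and
    return (status, records) with status "secure", "insecure" or "bogus".
    `anchors` maps zone name -> public key the resolver trusts a priori."""
    trusted_key, parent = None, None
    for name in chain:
        zone = zones[name]
        if name in anchors:
            trusted_key = anchors[name]             # trust anchor starts a chain
        elif trusted_key is None:
            continue                                # nothing above us is trusted yet
        elif parent.ds.get(name) != key_digest(zone.pub):
            return ("bogus", None)                  # parent does not vouch for this key
        else:
            trusted_key = zone.pub
        if zone.rrsig is None or not verify(trusted_key, zone.signed_data(), zone.rrsig):
            return ("bogus", None)                  # unsigned or altered zone data
        parent = zone
    status = "insecure" if trusted_key is None else "secure"
    return (status, zones[chain[-1]].records)

# --- Constructed hierarchy: signed TLDs and leaf zones, unsigned root -------

def build_zones():
    root = Zone(".", (1000000007, 1000000009), {})
    nz = Zone("nz.", (998244353, 2147483647), {})
    org = Zone("org.", (1000003, 999983), {})
    example = Zone("example.nz.", (10007, 10009), {"www": "192.0.2.10"})
    other = Zone("other.org.", (7919, 7907), {"www": "198.51.100.7"})
    root.delegate(nz); root.delegate(org)
    nz.delegate(example); org.delegate(other)
    for z in (nz, org, example, other):
        z.sign_zone()                 # the root is deliberately left unsigned
    return {z.name: z for z in (root, nz, org, example, other)}

def scenarios():
    zones = build_zones()
    to_example = [".", "nz.", "example.nz."]
    to_other = [".", "org.", "other.org."]
    own = {"example.nz.": zones["example.nz."].pub}
    results = {
        "no_anchor": validate(zones, to_example, {})[0],            # nothing checkable
        "own_anchor_example": validate(zones, to_example, own)[0],  # your own zone is safe
        "own_anchor_other": validate(zones, to_other, own)[0],      # everyone else's is not
    }
    zones["."].sign_zone()                                          # now sign the root ...
    root_anchor = {".": zones["."].pub}                             # ... and trust its key
    results["root_anchor_example"] = validate(zones, to_example, root_anchor)[0]
    results["root_anchor_other"] = validate(zones, to_other, root_anchor)[0]
    zones["example.nz."].records["www"] = "203.0.113.66"            # spoofed answer
    results["tampered"] = validate(zones, to_example, root_anchor)[0]
    return results

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

The model keeps the structure that matters for the argument: a zone's data is only as trustworthy as the key that signed it, that key is only as trustworthy as the parent's DS record vouching for it, and the recursion has to end at a key the resolver already trusts. Without a signed root, a resolver that trusts only its own zone key gets "secure" for that zone and "insecure" (not "bogus") for everyone else, which is exactly the gap the paragraph describes.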

I think people aren't interested in using DNSSEC since it would reduce the value of SSL, and therefore reduce the value of the SSL certificates they sell. (As an aside, if you work it out, a 128-bit SSL certificate is 8 bytes, and they charge multiple hundred dollars for them. So, about $50US/byte.)

See http://www.dnssec.net/