In the October 2011 issue of the Usenix Associations ";login:" newsletter, I published an article entitled "Other Uses for Secure DNS", with special attention to the IETF DANE working group and the proposed protocol for replacing the X.509 certificate authority system with a secure and scalable system based on Secure DNS.
It has been about six months since I got together with four of my friends from the DNS world and we co-authored a white paper which explains the technical problems with mandated DNS filtering. The legislation we were responding to was S. 968, also called the PROTECT-IP act, which was introduced this year in the U. S. Senate. By all accounts we can expect a similar U. S. House of Representatives bill soon, so we've written a letter to both the House and Senate, renewing and updating our concerns.
“I am relieved.” That lovely double entendre is what Captain Pike said to Captain Kirk at the end of last summer's most excellent reboot of the Star Trek series. I am likewise relieved to have been relieved of my long time post as President of ISC by my good friend and long associate Barry Greene. I continue at ISC as Chairman and Chief Scientist, which is the equivalent (to me) of escaping to the candy factory. When ISC was smaller, this was the half of my job I loved most.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.
To mix metaphors, my e-mail has been ringing off the hook after my previous article ("Perspectives on a DNS-CERT") and I've had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I've had some discussions with ICANN and with members of the DNS-OARC board and staff, and it's time I checkpointed the current state of my thinking about all this.
I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing proprietary software.
In this interview we see yet another attempt by a technology executive to discredit all roads that do not lead to their products and services. Since in this case the creative pot shots are aimed at my company's products and services, and since this is far from the first time these canards have been trotted out, I've decided to respond for the record.
[DNS] is an industry that has seen very little innovation.
This week at the ICANN meeting in Nairobi, a plan was announced by ICANN staff to create a "CERT" for DNS. That's a Community Emergency Response Team (CERT) for the global Domain Name System (DNS). There are all kinds of CERTs in the world today, both inside and outside the Internet industry. There isn't one for DNS, and that's basically my fault, and so I have been following the developments in Nairobi this week very closely.