Skimming this article, I couldn't tell if it was about DNSSEC or not. But if these are DNSSEC keys, you can safely ignore this story; DNSSEC is a sideshow. It's hopefully never going to see widespread deployment, and regardless of whether it does, it isn't going to make a difference for your security.

I've written a bunch about DNSSEC on HN (and elsewhere) and won't preemptively repeat myself. You might consider just taking my word for this.
How did this article manage to not use the byte sequence 'DNSSEC' or mention the fact that it's only deployed on a tiny % of domains under TLDs that support it?

Reports like this just add to public misconception.
This is really one of the worst kinds of stories. It's just not true, and not only is it not true, it purports to cover DNSSEC as a technology that people RELY on or NEED, when in fact DNSSEC adoption never gained traction, and actually decreases every single day.

Someone spun some crazy PR for this one.
Ok, centralization leads to silly things like this.

Namecoin is but one of many ways to decentralize DNS, even while having one centralized registry.
"We peaked at 12."

Peaked. And that probably includes the sysadmin who was required to watch it.

Where are the articles on the new ridiculous TLDs?

A while back the IP address for the FTP copy of the root.zone changed.

And sure enough, the file is now full of crap like .buzz, .house and .kitchen

I cannot even read through the whole zone anymore. It's too long.

There are some gems in there though. And some fool paid $185,000+ for each one.

I have been running my own root for years and this is why.

Snip, snip. No more .buzz

Very easy to set up your own custom root and to filter out the crap TLDs. But, like with the ceremony in this article, some folks think that ICANN has some sort of "authority" on how people use domain names.

Whole .com zone (=public information) fits on a USB stick.

And the HOSTS file remains as a failsafe, if you have to use someone else's resolver.

And most of the entries in the com.zone are garbage anyway: parked names with ads.

Imagine how many different domains the average user will visit in their lifetime. It is but a small fraction of all the names registered.

But let's pretend ICANN is relevant.

God help us if ICANN should cease to exist.
I'm not a security expert, just an interested amateur.

Can someone explain how this step doesn't invalidate all of the hours of ceremony and procedure?

"Later Okubo will transmit the key on a secure channel to Verisign and this signed key will be made live across the internet."
I wish this story didn't read like a novel, and actually gave me the meat of the information more quickly. I feel like the way the author told the story diluted the importance of it.
Internet security is pwned by organisations powerful enough to hack into CAs, or simply buy one and run it as a covert operation, impersonating any site they want by issuing certificates trusted by all web browsers. Internet security is broken by the design of centralization.

Thus if you have IP A you will get a fake certificate generated by a government-owned CA; if you have IP B you will get to the real site. If you are IP A you will get pwned by MITM-attack malware; the site will look genuine to the browser.
In addition to everything else that's wrong with DNSSEC, using Shamir to share a digital signature key is a silly idea. Multisignature trust systems / threshold signatures provide the same functionality, but without having a single secret that has to live on one computer at a single time. While I know they did their due diligence to prevent the leak of the DNSSEC root key, it's a problem they could've easily avoided by using an incredibly boring design rather than a more "clever" one like Shamir. As things stand, there is actually one key that could completely destroy DNSSEC and require the thing be bootstrapped again from scratch.
"Once activated by the smartcards, this will produce a lengthy cryptographic code. If dropped, or even knocked too hard, the machine will self-destruct."
The first few paragraphs really overdramatize it. It makes it sound like the internet would completely cease to exist if something happened to the root DNS servers. It was so cheesy I just couldn't read anymore after that.