The DNS security mess

D. J. Bernstein

The Domain Name System publishes records such as `` has IP address'' An attacker can easily forge these records, stealing your incoming and outgoing mail, web connections, etc.

Stopping DNS forgeries is a straightforward application of public-key cryptographic signatures. Or is it? After ten years of effort, the DNSSEC implementors are making comments like ``We're still doing basic research on what kind of data model will work for dns security ... wonder if THIS'll work? ... We're starting from scratch.''

Why is it so hard to protect DNS against forgery? Is DNS security going to remain an abject failure for another ten years? This talk is a case study of the integration of cryptography into the real world.

Gates 4B (opposite 490), 02/11/2003, 4:30 PM