Towards The Domain Key Infrastructure presented at Berlinsides 2010

by Dan Kaminsky

Tags: DNS


Summary: DNSSEC + Magic Code Fu > X.509

We've really got to get past passwords. That much is obvious. But X.509 based PKI does not work -- hundreds of millions of dollars of failed deployments make that even *more* obvious. So what do we do? Much to my surprise, DNSSEC. For various architectural reasons (effective delegation, one root instead of a thousand, exclusion), DNSSEC provides a remarkable foundation for keying -- thus, DKI, or Domain Key Infrastructure. But all the theory in the world is irrelevant without working code. With the release of the Phreebird Suite, it is now possible to:

* Deploy DNSSEC records w/o any complex preconfiguration
* Validate DNSSEC records, end to end
* Upgrade OpenSSL dependent apps to use DNSSEC for chain validation (with no code changes)
* Federate authentication in OpenSSH
* Finally secure email

There's been a lot of talk about how DNSSEC is going to change security. This is the beginning of code that shows the way.