June 25, 2011

DNS + DANE = Dumb, Dumber, Disaster - Or - How to Wreck Secure Internet Communications

In response to some comments I made earlier today regarding the limitations of DNSSEC, several people asked for my thoughts on a proposed extension to DNS called "DANE" (that effectively has DNSSEC as a prerequisite).

The idea of DANE is to use a "secure" DNSSEC environment to exchange the digital certificates required for secure host-to-host communications (that enable what is commonly called "SSL/TLS/https:" data transfers).

Oh yeah, DANE is just a, uh, "dandy" idea - IF your goals are the following:

1) Make virtually all common Internet secure communications dependent on the structurally obsolete DNS/DNSSEC model, thereby further entrenching the domain-industrial complex and the enrichment of its minions, by giving even more power to ICANN, registrars, and registries, etc.

2) Assure that the world's secure communications infrastructure (PKI) is easily and directly vulnerable to the same sorts of government overreaching and abuses that have characterized U.S. takedowns of domains around the world -- including vast numbers of innocent domains -- usually without significant due process, consultation, or adherence to the rights of either domestic or international domain owners.

So yes, if you enjoy watching the shenanigans of the current "DNS Mafia" and government malfeasance directed at the Domain Name System both domestically and internationally, and you want to see them anointed with more riches and puissance, you're gonna just love DANE.

Sign up now. Don't forget the cyanide-laced Kool-Aid for later.


Posted by Lauren at June 25, 2011 10:49 AM