[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Jun 29 20:17:02 EDT 2008


On Sun, Jun 29, 2008 at 11:50:44PM +0000, Paul Vixie wrote:
> > > dismaying that if there were a business case, then registrar authorization
> > > and security is so weak at present that DNSSEC would be a joke if deployed.
> > 
> > The registrar, or their webgui security, is not involved in me using DNSSEC
> > while on starbucks open wifi sitting next to a bad guy drinking my coffee.
> > 
> > So, not a joke at all. The big difference here is the targeted vs the
> > untargeted/local attacks.
> 
> it will make a difference to you sitting in starbucks if turkish hackers take
> over your bank's registrar account and redirect the NS RRset and DS RRset to
> servers and keys they (the turkish hackers) control.  yes, you will ultimately
> be able to seek compensation from your bank (who would be called incompetent
> by a civil jury or judge) but in the meantime you'll be out the money.  and
> if the victim of the attack isn't a regulated entity like a bank, but rather
> some e-commerce site or some corporate partner of yours, you might never have
> any recourse over whatever information you expose when the victim's registrar
> account is hacked by the turks (or the russians or chinese or americans.)
> 

	this is where -insurance- comes into play.
	Use of DNSSEC (best practices etc) might just equal lower costs for
	my liability insurance.

	If you hand your wallet & PIN(s) to a fly-by-night operator, DNSSEC
	can not save you.  If your e-commerce site of the day or shady corporate
	partner does not practice safe transaction processing - AND - you did not
	practice due diligence, who is at fault?

	DNSSEC means (in my world view) that the bad guys are going to have to touch
	two or three more places than previously for a successful attack.  Raising
	the bar - even a little - is a good thing.

--bill


