a) SSL is worth jack shit. It only tells me that some person paid some obscenely large sum of money to some company so that my address bar glows in green. CAs do a very bad job at verifying their customers. There have been valid certificates at phishing sites and valid certificates with fake data.
DNSSEC won't fix that. But it will guarantee that when I type bankofamerica.com in my browser, I will land at bankofamerica.com, even if someone tries to hijack me.
b) We do need DNSSEC. Please go and watch Dan Kaminsky's talk about the ramifications of the DNS bug he publicized. Everything in the end falls back to DNS. Want an SSL cert? You will receive it by mail. Guess how the CA's mail server will find your company's mail server...
c) Please don't start with "secure the connection" instead of "secure the data". Even if I know that the line between my computer and my DNS server is secure, I can't trust my DNS server.
I'm ruefully amused at your suggestion that I go look up Kaminsky's talk. Yeah, I'll get right on that.
Your comment overall makes very little sense. The problem you're alluding to --- the one that means "SSL is worth jack shit" --- is a user interface problem. It's a serious one, but not only does it not go away in a DNSSEC world, it actually gets far worse.
DNSSEC isn't a magic bullet that solves the logistical problems of verifying Internet identities. The market has been beating the crap out of mutual authentication for financial websites for over 15 years. The company with a real solution to that problem will make billions of dollars. DNSSEC isn't that; it's a bunch of guys on a mailing list arguing about the one piece of the stack that they've chosen to fixate on --- and the surprisingly bad solution that resulted from the process.
This isn't just my opinion, by the way. Read every working group post (like I did) and watch Vixie's tone as the protocol evolves from what TIS came up with to where it is now, when he starts saying, in effect, "anything, anything, let's just get something deployed!"
a) SSL is worth jack shit. It only tells me that some person paid some obscenely large sum of money to some company so that my address bar glows in green. CAs do a very bad job at verifying their customers. There have been valid certificates at phishing sites and valid certificates with fake data.
I agree here, except I think you meant to say that SSL certs are worth jack. And that's entirely true, as far as I know. SSL the protocol is probably more or less ok.
I disagree with you in that I don't trust the competence of the designers of DNSSEC. We may need something similar, but I doubt that DNSSEC as it exists today is it.
Anybody who tells you that "SSL the protocol is fine, just ignore the signatures" isn't qualified to have an opinion about the relative security of crypto protocols. Without certificates, SSL offers no security.