12:19PM central time - The chairman, Rep. Smith, was asking whether this bill would impact our ability to implement DNSSEC. He seemed legitimately concerned that it could weaken security on the internet.
I have no idea whether there's any basis for concern, but I'm sure we have some DNSSEC experts here on HN. Comments?
Perhaps. But this bill would break DNSSEC for the same reasons that it breaks "infringement-inducing sites". It's going to pose the same difficulty to any other organized security features added to DNS.
Skimming the site, it looks to me like DNSCurve is more of a transport protocol for DNS records, almost like running DNS over DTLS. This would certainly be a useful improvement, but I don't see where it talks about how the records are authenticated.
It is pushing off the "do you trust (Versign+USDoJ | greatfirewall.cn) to give you the legitimate answer to your .com query" problem. Which is the kind of problem that the Internet is good at routing around but would be bad for it to do so.
E.g., users will (at best) change to alternative DNS systems or (at worst) toss out this hierarchical authority naming concept entirely. Consider how many users simply wouldn't notice if Google started returning IP addresses or proxy names for search results. Or maybe they set up an alternate with their own naming scheme for Chrome, Android, ChromeOS, and everyone with their search bar. (Oh wait, I just Googled it and they already did that and I didn't notice http://www.infoworld.com/t/dns/google-launches-alternative-d... )
If Google does it, then Microsoft must too. And Amazon, and The Pirate Bay and so then we need a protocol for deciding which DNS system the client will use on a per-request basis, and civil-rights-disrespecting governments try to sabotage that too and round-we-go the Internet we know and love is circling the drain.
The point of DNSCurve is not to bother attempting to create a cryptographic chain of custody for all DNS records (which is what DNSSEC does), at least not until after we've set it up so that a browser can make a request of a server that cannot be tampered with.
It is a vastly simpler, tactical solution to the DNS "security problem" (I'm a skeptic about the long term importance of this problem too).
Google Public DNS isn't some kind of alternative to normal DNS. It's just a set of domain name servers owned by Google that return exactly the same results any other conforming DNS would.
The TOR .onion URL scheme is closer to what you're talking about, I think. It actually does present an alternate domain that isn't available outside of TOR.
A friend was using OpenDNS for a while, until we figured out they were MitMing google.com and intercepting his queries. I wonder if they still do that.
Of course, ICANN has decided to begin selling TLDs for a $200K application fee. There goes the neighborhood.
In essence, any measure that involves changing the contents of the DNS (by filtering etc.) is indistinguishable from a man-in-the-middle attack which is what DNSSEC is trying to stop.
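To make the point of the last comment concrete (an added example, not code from any commenter): a validating resolver treats a filtered answer exactly like a spoofed one, because neither carries a signature made with the zone's key. HMAC-SHA256 stands in for a real asymmetric RRSIG, and the zone key and records are constructed.

```python
import hashlib
import hmac

# Simplified DNSSEC-style RRset signing and validation. A real RRSIG is an
# asymmetric signature checked against a DNSKEY that chains up to the root;
# HMAC-SHA256 stands in here so the example runs on the standard library.
ZONE_KEY = b"example.com zone signing key (constructed)"


def canonical_rrset(owner, rrtype, ttl, rdata):
    # RFC 4034-style canonical form: lowercased owner, rdata sorted, so the
    # signature does not depend on the order records appear in a response.
    lines = [f"{owner.lower()} {ttl} IN {rrtype} {r}" for r in sorted(rdata)]
    return "\n".join(lines).encode()


def sign_rrset(owner, rrtype, ttl, rdata, key=ZONE_KEY):
    """Authoritative side: produce an RRSIG-like signature over the RRset."""
    data = canonical_rrset(owner, rrtype, ttl, rdata)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def validate(owner, rrtype, ttl, rdata, rrsig, key=ZONE_KEY):
    """Validating resolver: accept the answer only if the signature matches."""
    expected = sign_rrset(owner, rrtype, ttl, rdata, key)
    return hmac.compare_digest(expected, rrsig)


def authoritative_answer():
    # Constructed record; 192.0.2.0/24 is documentation address space.
    owner, rrtype, ttl = "example.com.", "A", 300
    rdata = ["192.0.2.10"]
    return owner, rrtype, ttl, rdata, sign_rrset(owner, rrtype, ttl, rdata)


def filtered_answer():
    # A filtering resolver rewrites the answer to point at a block page. It
    # cannot produce a fresh RRSIG because it does not hold the zone's key,
    # so what reaches the validator is indistinguishable from a MITM rewrite.
    owner, rrtype, ttl, _rdata, rrsig = authoritative_answer()
    return owner, rrtype, ttl, ["192.0.2.99"], rrsig


if __name__ == "__main__":
    print("genuine answer validates:", validate(*authoritative_answer()))
    print("filtered answer validates:", validate(*filtered_answer()))
```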