About the author
Willem Toorop is a developer and researcher at NLnet Labs. NLnet Labs is a non-profit research lab dedicated to the development of Open Source software and open standards for the benefit of the Internet. NLnet Labs' mission is to provide globally recognized innovations and expertise for those technologies that turn a network of networks into an Open Internet for All. At NLnet Labs, Willem's topics of interest are end-user security and privacy. Willem has actively researched how DNSSEC may be hampered for end-users and looked into strategies to overcome such roadblocks. The results of this research are incorporated in the getdns resolver library and its associated stub resolver, Stubby. Besides his work on getdns and Stubby, Willem is also the primary maintainer and developer of the other NLnet Labs DNS libraries: ldns and Net::DNS.
DNSSEC is not just a security measure, it is also a viable alternative for the flawed PKIX based on Certificate Authorities. With DANE (the DNSSEC-based PKIX), domain owners can vouch for their own services themselves, without needing the third-party Certificate Authority. DANE is already increasingly used with infrastructural services such as SMTP, but currently uptake on end-points is hampered by interfering middleboxes. Benno Overeinder wrote an excellent blog post on these matters earlier this year: https://labs.ripe.net/Members/benno_overeinder/bringing-dns-security-and-privacy-to-the-end-user Work to overcome the issues in bringing DNSSEC to the end-user devices is in progress. For example, with the DNSSEC chain TLS extension, the DANE record, including all DNSSEC data needed to authenticate a TLS session, is transferred in-band in the TLS session, bypassing the DNSSEC-hampering middleboxes: https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/