Avatar (Fabio Alessandro Locati|Fale)'s blog

FOSDEM - day 1

January 30, 2016 - Bruxelles, BE

After one day at FOSDEM, I’ve to admit that people are not lying when they affirm that FOSDEM is awesome. It really is.

Today I had the occasion of following multiple very interesting talks. The only problem I’ve found with the FOSDEM organization is that too often there are multiple very interesting talks at the same time and you have to pick only one (unless you have ubiquity capabilities, but I don’t). I think one of the most interesting talk of the day - at least for me - was the Lennart Pottering one.

In this talk Lennart spoke a little bit about the past and near future or systemd, but mainly about DNSSEC, it’s implementation and the consequences of the implementation. This led me to think more about it since I’m interested in the security side of the Information and Communication Technology and DNSSEC could be a game changer, but today is not possible to be enabled (at least not with a strict policy) by default since it would break multiple environments.

As Lennart said, and I completely agree with him, this is a configuration problem, because for years the networks have been configured badly by sysadmin and netadmin since nothing was relying on a network based on security. I see very often very badly engineered networks. Some of them are so broken that even with a very unsafe configuration of DNSSEC they would break, since they use fake FQDN (without owning the real domain) and/or use IP classes outside the ones reserved for local networks.

I think DNSSEC should be pushed a lot in this historical moment, because some companies are starting to re-engineering their networks since they hit the limit of their current design and/or are implementing IPv6. This would be a very good moment to implement DNSSEC in their whole infrastructure. The real risk, in my opinion, is that companies loose this occasion and therefore create a network that will not work properly with DNSSEC enabled and therefore they will have to make changes to allow DNSSEC to work and this would, ultimately, slow down the adoption of DNSSEC.