Will DNSSEC make SSL CAs superfluous?

For years now we’ve known that DNS is broken: responses are not authenticated, so anyone who can spoof a reply or poison a resolver’s cache can send clients wherever they like.  Thankfully, a solution is on the way.  DNSSEC adds a layer of security on top of the existing DNS architecture that lets clients verify that the DNS data they receive was signed by the zone’s owner and has not been tampered with in transit (it does not hide the data; it only proves its origin and integrity).  In the next few years we should see (hopefully) widespread adoption of this standard.  With DNSSEC in place we can trust DNS, and this leads to an interesting corollary: we might not need SSL certification authorities anymore.

SSL CAs form the base of the SSL trust model.  People call it a web of trust, but it really isn’t a web at all; it’s a tree, and a shallow one at that.  It starts at a collection of well-respected CA organizations (VeriSign, Thawte, etc.), and people pay lots of money to get their certificates signed by one of them.  The signed certificates are then installed on servers and verified by clients against a built-in list of trusted root CAs, any one of which is allowed to vouch for any domain name.

The DNSSEC chain of trust is actually a lot simpler.  Instead of a collection of authoritative (i.e. blindly trusted) organizations there is one: ICANN, the Internet Corporation for Assigned Names and Numbers.  ICANN already coordinates the root zone, and by signing it with DNSSEC it becomes the single trust anchor of a hierarchical chain that runs from the root, to the TLD operators (.com, .org and so on), to the individual domain owners.  Each level publishes a signed hash of the key used by the level below it, so a validating resolver that knows only the root key can work its way down to any record.

Why might we not need the SSL CAs anymore?  If your DNS records are secured by this global trust framework, you can just put your certificate (or a hash of it) into a DNS record.  When verifying the server’s certificate a client simply looks that record up, and since the DNS answer is signed you get the same security guarantee you had originally: the certificate was published by whoever controls the name.  There are some downsides.  Doing things this way is putting an awful lot of eggs in one basket.  If a client required both a valid DNSSEC chain and a CA signature, an attacker would have to subvert two independent authorities before a forged site was considered safe.  With only DNSSEC, a compromise of the root key or of a TLD key would affect every name beneath it and send the whole system crashing down.  Also, if companies like VeriSign see this coming and don’t want to lose their lucrative SSL certification business, they might start charging to get your domain signed.  That might not be a good thing for the Internet as a whole, but since when do corporate interests care?
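To make the two paragraphs above concrete, here is an added example (my own toy code, not anything from the post or from ICANN) of the whole mechanism end to end: a root zone that delegates to a TLD, a TLD that delegates to a domain, a domain that publishes a hash of its server certificate, and a client that starts from nothing but the root key and validates the chain before accepting the certificate.  Zone names, record types (“DS”, “CERT”), the Ed25519 keys and the stand-in certificate bytes are all constructed for the example; real DNSSEC uses RSA/ECDSA keys, RRSIG records and canonical wire encoding, which are simplified here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is one signed DNS record: the owning zone signs owner|type|data
// with its zone key (a stand-in for DNSSEC's RRSIG).
type Record struct {
	Owner, Type string
	Data, Sig   []byte
}

// Zone is a toy DNSSEC zone: a name, one Ed25519 zone key, and its signed records.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records []Record
}

// NewZone generates a fresh zone key (constructed for the example).
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// signedBytes is the message a record signature covers (NUL-joined fields;
// real DNSSEC uses canonical wire format).
func signedBytes(owner, typ string, data []byte) []byte {
	return bytes.Join([][]byte{[]byte(owner), []byte(typ), data}, []byte{0})
}

// Publish adds a record signed by this zone's key.
func (z *Zone) Publish(owner, typ string, data []byte) {
	sig := ed25519.Sign(z.priv, signedBytes(owner, typ, data))
	z.Records = append(z.Records, Record{Owner: owner, Type: typ, Data: data, Sig: sig})
}

// Delegate publishes a DS-style record in this (parent) zone: the hash of the
// child's zone key, signed by the parent. This is one link in the chain.
func (z *Zone) Delegate(child *Zone) {
	h := sha256.Sum256(child.Pub)
	z.Publish(child.Name, "DS", h[:])
}

// Lookup returns the first record matching owner and type.
func (z *Zone) Lookup(owner, typ string) (Record, bool) {
	for _, r := range z.Records {
		if r.Owner == owner && r.Type == typ {
			return r, true
		}
	}
	return Record{}, false
}

// VerifyCertViaDNS is the client side. From the single trust anchor (the root
// key) it validates each DS link down the chain, then checks the CERT record
// for host against the certificate the server presented. chain[0] is the root
// zone and chain[len(chain)-1] is the zone that owns host.
func VerifyCertViaDNS(rootKey ed25519.PublicKey, chain []*Zone, host string, certDER []byte) error {
	if len(chain) == 0 {
		return errors.New("empty zone chain")
	}
	trusted := rootKey // the only key the client trusts a priori
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, ok := parent.Lookup(child.Name, "DS")
		if !ok {
			return fmt.Errorf("no DS record for %s in %s", child.Name, parent.Name)
		}
		// The DS record must be signed by the key we already trust...
		if !ed25519.Verify(trusted, signedBytes(ds.Owner, ds.Type, ds.Data), ds.Sig) {
			return fmt.Errorf("bad signature on DS record for %s", child.Name)
		}
		// ...and must match the key the child zone claims to use.
		h := sha256.Sum256(child.Pub)
		if !bytes.Equal(h[:], ds.Data) {
			return fmt.Errorf("key for %s does not match DS in %s", child.Name, parent.Name)
		}
		trusted = child.Pub
	}
	leaf := chain[len(chain)-1]
	rec, ok := leaf.Lookup(host, "CERT")
	if !ok {
		return fmt.Errorf("no CERT record for %s", host)
	}
	if !ed25519.Verify(trusted, signedBytes(rec.Owner, rec.Type, rec.Data), rec.Sig) {
		return fmt.Errorf("bad signature on CERT record for %s", host)
	}
	if got := sha256.Sum256(certDER); !bytes.Equal(got[:], rec.Data) {
		return errors.New("presented certificate does not match DNS record")
	}
	return nil
}

// BuildExample constructs root -> com -> example.com and publishes a CERT
// record for www.example.com. The "certificate" is constructed stand-in bytes;
// a real client would hash the server's DER certificate from the TLS handshake.
func BuildExample() (ed25519.PublicKey, []*Zone, string, []byte) {
	root, com, example := NewZone("."), NewZone("com"), NewZone("example.com")
	root.Delegate(com)
	com.Delegate(example)
	cert := []byte("constructed stand-in for the www.example.com DER certificate")
	h := sha256.Sum256(cert)
	example.Publish("www.example.com", "CERT", h[:])
	return root.Pub, []*Zone{root, com, example}, "www.example.com", cert
}

func main() {
	rootKey, chain, host, cert := BuildExample()
	fmt.Println("genuine cert:", VerifyCertViaDNS(rootKey, chain, host, cert))
	fmt.Println("swapped cert:", VerifyCertViaDNS(rootKey, chain, host, []byte("attacker cert")))
	rogue := NewZone("com") // a fake TLD whose key the root never delegated to
	rogue.Delegate(chain[2])
	fmt.Println("rogue TLD:   ", VerifyCertViaDNS(rootKey, []*Zone{chain[0], rogue, chain[2]}, host, cert))
}
```

The three calls in `main` show the property the post is after: the genuine certificate validates, a swapped certificate fails the final hash check, and a rogue TLD fails because the root’s DS record commits to a different key.  The same code also shows the “eggs in one basket” problem: nothing below the root is checked against anything but the key above it, so whoever holds the root’s private key (or a TLD’s) can publish a DS record for any child key they like and the client has no second authority to consult.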

Before any of this can happen, of course, DNSSEC will need to be widely deployed and supported by DNS servers and resolvers.  Support for this particular application will also require changes to every piece of software that does SSL verification (browsers, mail clients, TLS libraries), since today none of them consult DNS for certificates at all.  All in all, we’re talking about at least 5, if not 10 years from now.

Update: It looks like somebody posted a draft of a standard for doing this back in 2002.

This entry was posted in Technology.