Security Government The Internet News

Experts Tell Feds To Sign the DNS Root ASAP 147

alphadogg sends along news that the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.
  • by Anonymous Coward on Tuesday November 25, 2008 @04:05PM (#25890455)

    It's about the DNS poisoning attacks from a few months ago. DNS Sec works properly when the top servers can vouch for the next server down the tree, but this only works if the top servers are secured with a well known public key.

    The issue is that the Federal bureau in charge of the root servers felt it had to go through the same bureaucratic process of getting consent, comments and so on and so forth that all federal regulations have to go through, by law. This takes a while, and a lot of people think they should have just done it.

    John Roth

  • by Cyberax ( 705495 ) on Tuesday November 25, 2008 @04:39PM (#25890973)

    NSEC3 (http://tools.ietf.org/html/rfc5155) solves most of the initial DNSSEC problems. But it's not yet supported by production versions of major DNS servers.

  • by MasterOfMagic ( 151058 ) on Tuesday November 25, 2008 @05:05PM (#25891395) Journal

    Because SSL and DNSSEC solve two different problems. Unless you're doing DNS-over-SSL, which means running DNS in TCP mode.

  • by jonaskoelker ( 922170 ) <`jonaskoelker' `at' `yahoo.com'> on Tuesday November 25, 2008 @05:33PM (#25891827)

    You'll still need CAs.

    How does DNSSEC stop the browser from giving Joe User a warning box that the https cert is not signed by a recognized CA?

    That's the only real reason why you pay CAs to sign your certs - to stop Joe User from being bothered by it.

    You don't need the CAs, once applications are rewritten to grab keys from the DNS instead.

    Using DNS as a PKI means that my DNS provider is now my CA. If I grab jonaskoelker.free-dns.com and I start out with only a trusted root key, I can learn free-dns's key and trust them. I can then securely send them my key, which they sign for free, along with my signed records.

    Then, when you go to jonas.free-dns.com with a modified Firefox, that Firefox will trust the DNS key for jonas.free-dns.com as an SSL key for jonas.free-dns.com as well, and you'll trust that the guy whose server you're talking to is the same guy as the one who got the name in the first place.

    With a changed Firefox, you won't need a CA.

    Now, changing how "we" (meaning our browsers) decide whether to trust a site may not be easy, but it can be done.

    If your DNS parent is com, all I can say is "Meet your new CA, same as the old CA" ;)
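The chain of trust the comments above describe (a well-known root key vouching for each zone below it), as an added example that is not from this thread: a validator that holds nothing but the digest of the root key as its trust anchor and walks root -> com -> free-dns.com -> jonas.free-dns.com, accepting a zone's DNSKEY only when the DS record its parent signed matches it. Lamport one-time signatures stand in for the RSA/DSA algorithms DNSSEC actually uses, and all zone names, keys and records are constructed here, not real DNS data.

```python
import hashlib
import os

H = lambda data: hashlib.sha256(data).digest()
# Lamport one-time signatures: a genuine hash-based public-key scheme, used here only as a
# stand-in for the RSA/DSA algorithms DNSSEC specifies (constructed example, no real DNS data).
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def lamport_sign(sk, msg):
    bits = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))

def lamport_verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return len(sig) == 256 * 32 and all(
        H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * ((bits >> (255 - i)) & 1):][:32] for i in range(256))

def zone_path(name):
    # Zones from the root down: "jonas.free-dns.com." -> [".", "com.", "free-dns.com.", "jonas.free-dns.com."]
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def ds_bytes(ds):
    return b"".join(child.encode() + digest for child, digest in sorted(ds.items()))

def build_zones(names):
    # Each zone publishes its DNSKEY, a DS record (digest of the child's DNSKEY) for the next
    # zone down, and an RRSIG over that DS set. Returns the zones plus the root trust anchor.
    keys = {n: lamport_keygen() for n in names}
    zones = {}
    for i, n in enumerate(names):
        ds = {names[i + 1]: H(keys[names[i + 1]][1])} if i + 1 < len(names) else {}
        zones[n] = {"dnskey": keys[n][1], "ds": ds, "rrsig": lamport_sign(keys[n][0], ds_bytes(ds))}
    return zones, H(keys[names[0]][1])

def validate(zones, trust_anchor, target):
    # The validator trusts nothing but the anchor (the DS of the root key) and walks downward.
    expected, path = trust_anchor, zone_path(target)
    for i, name in enumerate(path):
        z = zones.get(name)
        if z is None or H(z["dnskey"]) != expected:
            return False, f"DNSKEY of {name} does not match the DS published by its parent"
        if not lamport_verify(z["dnskey"], ds_bytes(z["ds"]), z["rrsig"]):
            return False, f"RRSIG over the DS set of {name} does not verify"
        expected = z["ds"].get(path[i + 1]) if i + 1 < len(path) else expected
        if expected is None:
            return False, f"{name} publishes no DS for {path[i + 1]}"
    return True, "chain validated: " + " -> ".join(path)
```

A response that swaps in a key the parent never published a DS for fails at the digest comparison, which is exactly why the root key has to be well known before any of the lower signatures mean anything.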

  • Re:Trolls equal... (Score:3, Informative)

    by Ihmhi ( 1206036 ) <i_have_mental_health_issues@yahoo.com> on Tuesday November 25, 2008 @07:22PM (#25893273)

    TouchSlashcodefucksupUnicode.
