
.ORG Zone Signed With DNSSEC

lothos and several other readers let us know that the Public Interest Registry has announced the key-signing key to validate the signatures on the ORG zone. A few more details are on the PIR DNSSEC page. PC World interviewed PIR CEO Alexa Raad and writes: "On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and then real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators. Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010."


  • djb (Score:3, Informative)

    by Gothmolly ( 148874 ) on Wednesday June 03, 2009 @08:04AM (#28193985)

    We need a 'djb' tag. Dan's been talking about, and working on this kind of thing for years.

  • by Anonymous Coward on Wednesday June 03, 2009 @08:26AM (#28194127)

    DNSSEC is a public key system in which each nameserver signs the records for which it is authoritative. Encryption is not used, to avoid a per-request overhead. A resolver can validate signed records because the public keys of delegated zones are records delivered by higher level servers, starting at the root servers. The .org domain delivers signed records now, so nobody can fraudulently claim to be authoritative for .org in communications with a validating resolver anymore. They can still claim to be authoritative for your domain under .org, unless you also sign your records and add the public key to the delegation records for your domain.

  • by Anonymous Coward on Wednesday June 03, 2009 @08:33AM (#28194183)

    The DNS can be "forked" by installing and using different root servers and DNSSEC doesn't change that. The alternative root servers simply have to sign all their records with the key of the alternative root and users have to replace the official public root key with the public key of the alternative root in their resolver configurations.

  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Wednesday June 03, 2009 @08:48AM (#28194285) Homepage

    It's pretty hard to implement right now.. a bunch of shell scripts and editing with vi, and even then I've never got it to work. One key thing is it's incompatible with dynamic DNS so you can only use it on static zones.

    The other thing is for it to work it has to be signed by a parent zone.. or in other words, more excuses for verisign to charge $$$ per year for doing almost nothing. This, of course, is why it's being pushed so much.. there's money in it.

  • Re:djb (Score:1, Informative)

    by Anonymous Coward on Wednesday June 03, 2009 @09:28AM (#28194701)

    We need a 'djb' tag. Dan's been talking about, and working on this kind of thing for years.

    If 'this kind of thing' means DNSCurve [dnscurve.org] rather than DNSSEC [ietf.org] then sure, you are dead on! But rather we can see that DNSCurve != DNSSEC. DJB is, as usual, thinking that his ideas are better than an entire consortium and I'm sure that we will see him continue to break RFC at his whim because he simply does not understand, he thinks that he is better than others or some magical being had tapped him on the shoulder. Maybe you should take a trip back in a TARDIS [wikipedia.org] to [wikia.com] last year [slashdot.org]?

    I know... I know, don't feed the trolls.

  • You do, but the encryption part is relatively easy; it's the authentication that's hard. Right now, Verisign et al charge megabucks for "Extended Validation" certificates (mostly to banks, insurance companies, etc.) whose only advantage over a regular "el cheapo" SSL cert is the supposed additional validation.

    Securing DNS would let you use it for validation, rather than the SSL certificate trust chain. So the E.V. certs would really not be necessary anymore.

    Actually I think securing DNS would make MITMs a lot harder (although I wouldn't go so far as to say 'impossible') because most current MITM attacks rely on DNS poisoning.

  • by kv9 ( 697238 ) on Wednesday June 03, 2009 @12:47PM (#28197547) Homepage

    Yes but how do I implement it...

    fast and easy. [isc.org]

  • Re:Why DNSSEC? (Score:3, Informative)

    by jhutkd ( 217409 ) on Wednesday June 03, 2009 @03:39PM (#28199885) Homepage

    DNSSEC addresses issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it is the actual record (such as the IP address(es) for a web site) served by a domain.

    If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
          http://www.youtube.com/watch?v=Yt-oJTj0j0o
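The second comment in this thread describes the chain of trust (a parent zone publishes the child's public key in its delegation records, starting from the root key the resolver is configured with), and the comment above says a validating resolver can check that a returned record really comes from the zone. The block below is an added example, not code from the thread, from PIR or from any DNS implementation. It models only the delegation step of that chain with the Python standard library: the RFC 4034 key tag (Appendix B) and the SHA-256 DS digest (section 5.1.4) are computed as a real resolver would, and a parent's DS records are matched against the child's DNSKEY from a root trust anchor downward. The RRSIG step (public-key signature verification over each RRset) is left out, and all key material is constructed; the zone names `org` and `example.org` are used only as illustration.

```python
import hashlib
import struct

# Added example (not code from the Slashdot thread, PIR, or any resolver):
# a stdlib-only model of the DNSSEC delegation chain. Key tag and DS digest
# follow RFC 4034; RRSIG verification is intentionally not modelled.


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = key-signing key), 1-byte protocol
    (always 3), 1-byte algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (any algorithm except RSA/MD5): sum the RDATA
    as big-endian 16-bit words, fold the carry once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes) -> dict:
    """The DS RDATA a parent zone publishes for a child's key-signing key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """A DS vouches for a DNSKEY only if tag, algorithm and digest all agree."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(trust_anchor: dict, zones: list) -> list:
    """Walk delegations from the root down. `trust_anchor` is the DS form of the
    root key the resolver is configured with. Each entry of `zones` is
    (owner, dnskey_rdata, list_of_DS_it_publishes_for_children). Returns the
    zone names whose key was vouched for by the zone above; stops at the first
    zone whose key no DS from the parent matches."""
    validated = []
    expected_ds = [trust_anchor]
    for owner, rdata, child_ds in zones:
        if not any(ds_matches_dnskey(ds, owner, rdata) for ds in expected_ds):
            break  # parent has not pinned this key: nothing below is trusted
        validated.append(owner)
        expected_ds = child_ds
    return validated


# --- constructed sample keys (not real DNSSEC key material) ----------------
ROOT_KSK = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
ORG_KSK = dnskey_rdata(257, 13, b"constructed-org-ksk")
EXAMPLE_KSK = dnskey_rdata(257, 13, b"constructed-example-org-ksk")
ROGUE_KSK = dnskey_rdata(257, 13, b"key-not-pinned-by-any-parent")

TRUST_ANCHOR = ds_record(".", ROOT_KSK)


def chain_with_signed_child() -> list:
    """Root pins .org, .org pins example.org: the whole chain validates."""
    return validate_chain(TRUST_ANCHOR, [
        (".", ROOT_KSK, [ds_record("org", ORG_KSK)]),
        ("org", ORG_KSK, [ds_record("example.org", EXAMPLE_KSK)]),
        ("example.org", EXAMPLE_KSK, []),
    ])


def chain_with_unsigned_child() -> list:
    """The case the thread describes: .org is signed, but the owner of
    example.org has published no DS in .org, so a key presented for
    example.org is not vouched for and the chain ends at .org."""
    return validate_chain(TRUST_ANCHOR, [
        (".", ROOT_KSK, [ds_record("org", ORG_KSK)]),
        ("org", ORG_KSK, []),
        ("example.org", ROGUE_KSK, []),
    ])


def chain_with_forged_org() -> list:
    """A key for .org that the root has not pinned validates nothing past root."""
    return validate_chain(TRUST_ANCHOR, [
        (".", ROOT_KSK, [ds_record("org", ORG_KSK)]),
        ("org", ROGUE_KSK, []),
    ])


if __name__ == "__main__":
    print("key tag of constructed root KSK:", key_tag(ROOT_KSK))
    print("signed child:", chain_with_signed_child())
    print("no DS for child:", chain_with_unsigned_child())
    print("forged .org key:", chain_with_forged_org())
```

Two things the model simplifies are worth keeping in mind. A real validator does not merely stop when it finds no DS for a child; it requires the parent to prove the absence of the DS (with NSEC3 in .org's case, as the summary notes) before treating the child as unsigned rather than as bogus. And replacing `TRUST_ANCHOR` with a different root key is exactly the "fork" described earlier in the thread: every chain then validates against that key instead, which is why the configured trust anchor is the one value a validating resolver has to get right.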

  • by Anonymous Coward on Thursday June 04, 2009 @09:11AM (#28208321)

    You do not understand how DNS works. There is no centralized service pointing to the "real" roots. ICANN can't do a thing.

    The ones pointing to the root are the ISPs. That was taken care of in pt. 3.
