Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security The Internet

.ORG Zone Signed With DNSSEC 89

Posted by kdawson from the baby-steps-to-security dept.
lothos and several other readers let us know that the Public Interest Registry has announced the key-signing key to validate the signatures on the ORG zone. A few more details are on the PIR DNSSEC page. PC World interviewed PIR CEO Alexa Raad and writes: "On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and then real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators. Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010."
This discussion has been archived. No new comments can be posted.

.ORG Zone Signed With DNSSEC More

.ORG Zone Signed With DNSSEC

Comments Filter:

  • DNSSEC and domains and subdomains? (Score:4, Interesting)

    by Midnight Thunder ( 17205 ) on Wednesday June 03, 2009 @08:10AM (#28194013) Homepage Journal

    So what does this mean for domains in the .org realm? Should people be adding DNSSEC to their own domains, and if so what sort of cost should we expect? Also, how does software on a PC validate that a domain is signed?

  • Yes but how do I implement it... (Score:5, Interesting)

    by Anonymous Coward on Wednesday June 03, 2009 @08:32AM (#28194167)

    Every time some organisation wants to push some new system or regime they drop into hype overdrive. There are emails, announcements, articles, PDFs a plenty, but try as you might, the actual information you need to enable you to implement stays carefully hidden from view. This isn't about security; if it was the technical details of configuration and operation would be at the top of the list of files to view. It is about some organisation seeking praise and glory for doing something or other.

  • What should domain owners do? (Score:3, Interesting)

    by GlobalEcho ( 26240 ) on Wednesday June 03, 2009 @09:42AM (#28194919)

    As the owner of a .org domain (used for a few websites and email) is there anything I ought to be doing based on this? I'm registered at Dotster, hosted elsewhere (Dreamhost).

  • Re:Assumes a centralized DNS system (Score:1, Interesting)

    by Anonymous Coward on Wednesday June 03, 2009 @09:48AM (#28195011)

    The public root key is like the certificates which are installed in your browser: Unlike the keys of delegated zones, it forms a direct trust relationship, independent of further signatures, so it is indeed much like a self-signed certificate.

    An alternative root can establish a completely separate namespace or it can integrate with the "official" DNS namespace and modify it by delegating certain names differently. There is no provision in DNSSEC which allows zones to reject delegations from "unauthorized" higher level zones. Authorization is strictly top-down.

  • Why DNSSEC? (Score:2, Interesting)

    by Moxon ( 139555 ) <abuse@viggen.net> on Wednesday June 03, 2009 @10:41AM (#28195703)

    I've read about what DNSSEC does, but I haven't found is an actual reason why anyone should care. Is there one?

    Seems to me it kinda-sorta solves a few non-problems, and any actual problems it might touch upon have been solved better by SSL certificates years ago. Is it just that ISC is envious of the SSL cert sellers, and want to create a new action they can have the largest piece of?

  • Re:Assumes a centralized DNS system (Score:3, Interesting)

    by Kjella ( 173770 ) on Wednesday June 03, 2009 @11:21AM (#28196295) Homepage

    I don't think it will happen for the very same reasons you state.

    It's not as difficult as you think:
    1. Start a new root
    2. Root has your domains, but redirects all old domains to the US-controlled system
    3. Require ISPs to point to the new root (it's the government, make it tue law)
    4. Set a grace period for old domains to register with you
    5. Make the cybersquatting reesolution process hell if you don't use the grace period
    6. Turn off the lights on the old domains, alias them to the new ones

    So you own google.com, EU starts with .comx - better register it or some porn site will take over google.comx until you can get it back. Repeat BS process a few times like the digital TV conversions by offering extensions and saying this time we're REALLY doing it. When you have enough on board, turn off the lights on the old .com, have it resolve same as .comx site. No "black net" sudden transition.

  • Re:DNSSEC and domains and subdomains? (Score:3, Interesting)

    by Nevyn ( 5505 ) * on Wednesday June 03, 2009 @01:30PM (#28198255) Homepage Journal

    Even without a Cert, you will know that you are at YOUR bank's website, because you will be able to walk up the tree with signed records.

    No, you would know that you are at "yourbank.com" you wouldn't know that it's "YOUR bank's website" ... which is the problem the new super certs. are trying to address.

  • Re:djb (Score:3, Interesting)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Wednesday June 03, 2009 @04:32PM (#28200691) Homepage Journal

    Maybe you should actually read up on why Dan's right or wrong about DNSSEC and make a point instead of harping on about his attitude issues.

    He may have a god complex, but he's rarely wrong, so you might want to prove him wrong before you assume you have the right to judge his attitude.

Slashdot Top Deals

Without life, Biology itself would be impossible.

Close