Dot-Org TLD Signed For DNSSEC

graychase writes "A major milestone is reached as the first major top-level domain (.org) is now secured with DNSSEC. The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While specific figures as to the cost of DNSSEC implementation haven't been released, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million-dollar effort. The cost isn't going to be passed on by .org to domain registrars. The move toward securing the .org registry with DNS security started in September 2008, following the Kaminsky DNS flaw disclosure."

.org first over .com ??

[capnchicken]

Seems odd, too many .com's perhaps?

As an end-user, is there some way to tell?

[JSBiff]

As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC? Do any of the web-browsers, for example, include DNSSEC support, to show that a domain has been verified? Or, is DNSSEC only a server-to-server tech, but doesn't extend to end users? If it does extend to the end-user computer, can I use DNSSEC on an un-trusted network, to connect securely to my ISP's DNS Server (or google dns, or OpenDNS, etc), to make sure I'm getting back the correct DNS info (I suppose the 'real' answer for such a situation, at least currently, is a VPN, although some organizations [like where I work] have VPN's that only tunnel traffic to the secured network, and won't tunnel any other traffic, so such a VPN doesn't protect you when visiting any other sites/hosts on the internet).

I think it would be nice, if I don't have access to a real VPN connection, to at least be able to make sure that DNS is secured and trustworthy (although that, of course, doesn't guarantee that there aren't any man-in-the-middle attacks).

Re:But is there any working software?

[TheRaven64]

unless I'm missing something key here?

The user interface. The browser should be able to warn you if you're not getting DNS records via DNSSEC.

Re:As an end-user, is there some way to tell?

[cybaz]

There is a Firefox plugin that will give a key icon if the domain is signed with DNSSEC https://addons.mozilla.org/en-US/firefox/addon/64247/ [mozilla.org]

Re:Browsers

[bill_mcgonigle]

Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

What should the user see if a DNS failure occurs because of a failed signature? "Host not found?" Something like a TLS certificate mismatch dialog?

Slashdot

[Anonymous Coward]

When will slashdot.org be signed?

Re:There will be a lot more TCP (and IPv6) queries

[penguin359]

The DNS extension called EDNS0 allows larger UDP DNS queries so that TCP can be avoided. The size for UDP queries is now at 4096 bytes from the 512 byte limit without EDNS0. A lot of the preparation going into DNSSEC has been testing for resolvers with broken EDNS0 support. I find that the vast majority of my DNS queries with DNSSEC enabled are still successfully sent as UDP with EDNS0 currently.