Dot-Org TLD Signed For DNSSEC
graychase writes "A major milestone is reached as the first major top-level domain (.org) is now secured with DNSSEC. The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While specific figures as to the cost of DNSSEC implementation haven't been released, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million-dollar effort. The cost isn't going to be passed on by .org to domain registrars. The move toward securing the .org registry with DNS security started in September 2008, following the Kaminsky DNS flaw disclosure."
.org first over .com ?? (Score:2, Interesting)
Seems odd, too many .com's perhaps?
As an end-user, is there some way to tell? (Score:4, Interesting)
As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC? Do any of the web browsers, for example, include DNSSEC support, to show that a domain has been verified? Or is DNSSEC only a server-to-server tech that doesn't extend to end users? If it does extend to the end-user computer, can I use DNSSEC on an untrusted network to connect securely to my ISP's DNS server (or Google DNS, or OpenDNS, etc.), to make sure I'm getting back the correct DNS info? (I suppose the 'real' answer for such a situation, at least currently, is a VPN, although some organizations [like where I work] have VPNs that only tunnel traffic to the secured network, and won't tunnel any other traffic, so such a VPN doesn't protect you when visiting any other sites/hosts on the internet.)
I think it would be nice, if I don't have access to a real VPN connection, to at least be able to make sure that DNS is secured and trustworthy (although that, of course, doesn't guarantee that there aren't any man-in-the-middle attacks).
Re:But is there any working software? (Score:3, Interesting)
unless I'm missing something key here?
The user interface. The browser should be able to warn you if you're not getting DNS records via DNSSEC.
Re:As an end-user, is there some way to tell? (Score:2, Interesting)
Re:Browsers (Score:3, Interesting)
Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.
What should the user see if a DNS failure occurs because of a failed signature? "Host not found?" Something like a TLS certificate mismatch dialog?
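One way a stub client can tell what the resolver did, as an added example that is not part of the thread or any poster's code: send the query with the AD header bit and the EDNS0 DO bit set, then read the AD flag and RCODE of the reply. The transaction ID, function names and header-only sample replies are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """Build a query that asks for DNSSEC handling: RD+AD in the header, OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(reply, txid=0x1234):
    """Map a reply header to a state a stub resolver or UI could report."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        # A validating resolver answers SERVFAIL when signature validation fails;
        # SERVFAIL alone does not distinguish that from other server-side failures.
        return "servfail"
    if rcode != 0:
        return "error"
    return "validated" if flags & AD else "unvalidated"

def sample_reply(extra_flags, txid=0x1234):
    """Constructed header-only reply for offline use (not captured traffic)."""
    return struct.pack("!HHHHHH", txid, QR | RD | RA | extra_flags, 0, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("example.org").hex())
    for label, extra in (("signed zone", AD), ("unsigned zone", 0), ("bad signature", SERVFAIL)):
        print(label, "->", classify(sample_reply(extra)))
```

The AD flag is an assertion by the resolver, so it is only as trustworthy as the path to that resolver; on an untrusted network it carries weight only if the stub validates signatures itself or reaches the resolver over an authenticated channel.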
Slashdot (Score:2, Interesting)
When will slashdot.org be signed?
Re:There will be a lot more TCP (and IPv6) queries (Score:2, Interesting)