Domain: dnssec-deployment.org
Stories and comments across the archive that link to dnssec-deployment.org.
Comments · 7
-
Re:DNSSEC is a good subsitute for paid-for CERTs
OK if that's the case how does this sidestep fees (see what I'm replying to)?
Are you so sure it's all going to be done for free?
Isn't this more likely to happen:
. (root) signs
.org and .com etc and charges them $$$$$$$/year .com charges $$/year per domain to sign cnn.com, ebay.com, google.com .org charges $$/year per domain to sign slashdot.org, kernel.org etcThe DNSCurve isn't as amenable to "toll/fee extraction" as DNSSEC is.
See: http://www.dnssec-deployment.org/documents/03-03-Mohan_GTLD_PLANS.ppt
"Current thought process is to not charge a fee"
That proves my point that with the DNSSEC design "collecting a fee" to sign _subordinate_ certs is pretty obvious option, just in 2005 they think it's better not to charge.
If "." starts charging
.org $$$$$$$ to sign .org, .org might have to start charging $$ per domain just to recoup the costs. Not going to happen? Maybe not, but it's not "far out".In contrast, with dnscurve, the design is different, so "collecting a fee" to sign and create a shared secret key for _mutual_ communications is not an option that sticks out as much.
-
Re:Stupid, stupid, stupid!
Well, Microsoft 'sort of' support it.
http://technet.microsoft.com/en-us/library/cc728328.aspx
Basically a (current generation) Microsoft DNS server will correctly serve a signed zone. But it won't calculate the signing itself, and it won't validate the signatures on data it finds.
However, at least one source says that Windows 7 will include DNSSEC support. (And reading the linked blog post, Windows 2008 R2 is going to have DNSSEC support, including signing even on Active Directory integrated zones.)
-
Re:Nice in theory...
-
Actually... they will.Actually....
-
dnssec
we should be talking about how to encourage the deployment
dnssec and related protocol modifications/enhancements.
yes, re-creating the internet from the ground up to be safe from all harm would be nice. i suspect that this effort will take a little while. until then, interim measures should be pursued. dnssec is one of them. -
Deployment in Sweden
A lot is happening with DNSSEC these days. It is being deployed in the ccTLD for Sweden: ".se" Check out
http://dnssec.nic.se/
Tutorial/howto: http://www.ripe.net/disi/dnssec_howto/
$ dig @bind.dnssec.se www.ripe.net +retry=1 +dnssec +multiline
and look for the "flags" to include "ad": ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
http://www.dnssec-deployment.org/
Threat Analysis Of The Domain Name System
IETF RFC 3833 http://www.rfc-archive.org/getrfc.php?rfc=3833
Cache poisoning, in the wild:
http://isc.sans.org/presentations/dnspoisoning.php
http://www.dnssec-deployment.org/epi.htm
http://www.dnssec.net/ -
Deployment in Sweden
A lot is happening with DNSSEC these days. It is being deployed in the ccTLD for Sweden: ".se" Check out
http://dnssec.nic.se/
Tutorial/howto: http://www.ripe.net/disi/dnssec_howto/
$ dig @bind.dnssec.se www.ripe.net +retry=1 +dnssec +multiline
and look for the "flags" to include "ad": ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
http://www.dnssec-deployment.org/
Threat Analysis Of The Domain Name System
IETF RFC 3833 http://www.rfc-archive.org/getrfc.php?rfc=3833
Cache poisoning, in the wild:
http://isc.sans.org/presentations/dnspoisoning.php
http://www.dnssec-deployment.org/epi.htm
http://www.dnssec.net/