Slashdot Mirror


Working Around Slow US Gov. On DNS Security

alphadogg writes "Last fall, the US government sought comments from industry about how better to secure the Internet by deploying DNSSEC on the root zone. But it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce yet, the position that oversees Internet addressing issues. Meanwhile, the Internet engineering community is forging ahead with a stopgap to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by ICANN last week and has been in testing since October."


  1. DNSSEC is a good substitute for paid-for CERTs by wayne · · Score: 4, Informative

    To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra. I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of entries could work. This means, DNSSEC would provide a more secure way to give the public key to a viewer.

    You may be a layman, but you appear to have far more clue about this stuff than most. Yes, once DNSSEC is deployed, anyone with a domain name can publish CERT records and have about the same security as a paid-for CERT. Granted, the cert authorities right now require you to give your name and address and such, which publishing CERT records in the DNS won't require, so they aren't exactly the same, but close enough considering how little checking the cert authorities do on such information.

    --
    SPF support for most open source mail servers can be found at libspf2.
    1. Re:DNSSEC is a good substitute for paid-for CERTs by Anonymous Coward · · Score: 1, Informative

      DNSSEC does not encrypt DNS responses, but it authenticates them. That's the whole point.

      If your browser connects to slashdot.org, the root server will reply with records which are signed with the private root key. The public key for the org domain is one of those records. Your computer verifies the records with the public root key, which is stored in the resolver configuration. The org server will respond with records which are signed with the private org key. The public key for the slashdot.org domain is one of those records. Your computer verifies the records with the public org key which it got from the root server. The slashdot.org server will respond with records which are signed with the private slashdot.org key. The SSL key could be one of those records, and your computer can verify the authenticity with the slashdot.org public key which it got from the org server.

      An attacker cannot sign records with the appropriate keys.
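The chain of trust the comment above walks through (root signs the org key, org signs the slashdot.org key, slashdot.org signs its own records), as an added, runnable model that is not part of the thread. It follows the comment's simplification that a parent zone serves the child's public key directly; real DNSSEC publishes a DS record holding a hash of the child's DNSKEY instead, and uses proper RSA/ECDSA key sizes. Textbook RSA over small random primes, the zone names, and the CERT value are all constructed for the example; nothing here is real wire format or production-grade crypto.

```python
# Added example (not from the Slashdot thread): toy model of the DNSSEC chain
# of trust. Textbook RSA over small random primes stands in for the real
# algorithms; the parent serves the child's public key directly, as the
# comment describes (real DNSSEC uses a DS hash of the child's DNSKEY).
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, enough for generating toy RSA primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=128):
    """Return (public, private) as ((e, n), (d, n)). Toy key sizes only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(name, rtype, value, n):
    """Canonical form of one record, hashed and reduced into the key's modulus."""
    canon = f"{name}|{rtype}|{value}".encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def sign(priv, name, rtype, value):
    d, n = priv
    return pow(_digest(name, rtype, value, n), d, n)


def verify(pub, name, rtype, value, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(name, rtype, value, n)


class Zone:
    """A signed zone: every record it serves carries a signature by its own key."""

    def __init__(self, name):
        self.name = name
        self.pub, self._priv = keygen()
        self.records = {}  # (name, rtype) -> (value, signature)

    def add(self, name, rtype, value):
        self.records[(name, rtype)] = (value, sign(self._priv, name, rtype, value))

    def delegate(self, child):
        # Parent serves the child's public key, signed with the parent's private key.
        self.add(child.name, "DNSKEY", child.pub)


def build_chain():
    """root -> org -> slashdot.org, with a constructed CERT record at the leaf."""
    root, org, sd = Zone("."), Zone("org"), Zone("slashdot.org")
    root.delegate(org)
    org.delegate(sd)
    sd.add("slashdot.org", "CERT", "real-slashdot-tls-public-key")
    return root.pub, {z.name: z for z in (root, org, sd)}


def resolve_validated(trust_anchor, zones, qname, qtype):
    """Walk from the root down; each zone key is trusted only because the
    already-validated parent signed it. Returns the value, or None on any
    signature failure."""
    labels = qname.split(".")
    path = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    key = trust_anchor  # public root key from the resolver configuration
    for parent, child in zip(path, path[1:]):
        child_key, sig = zones[parent].records[(child, "DNSKEY")]
        if not verify(key, child, "DNSKEY", child_key, sig):
            return None
        key = child_key
    value, sig = zones[path[-1]].records[(qname, qtype)]
    return value if verify(key, qname, qtype, value, sig) else None


def forge(zones, zone_name, name, rtype, value=None):
    """Spoofed response: a record signed with a key the attacker generated.
    With value=None the attacker substitutes their own public key."""
    pub, priv = keygen()
    value = pub if value is None else value
    zones[zone_name].records[(name, rtype)] = (value, sign(priv, name, rtype, value))


if __name__ == "__main__":
    anchor, zones = build_chain()
    print("genuine:", resolve_validated(anchor, zones, "slashdot.org", "CERT"))
    forge(zones, "slashdot.org", "slashdot.org", "CERT", "attacker-key")
    print("forged leaf:", resolve_validated(anchor, zones, "slashdot.org", "CERT"))
```

Validation fails at whichever link the forged record sits in: a swapped CERT fails against the real slashdot.org key, and a swapped slashdot.org DNSKEY in the org zone fails against the org key the resolver already learned from the root. Only the configured root key (the trust anchor) is taken on faith, which is why the signed root zone, or the Trust Anchor Repository stopgap in the story, matters.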

  2. Re:DNSSEC overrated by cakefragment · · Score: 3, Informative

    Signed zone data is not reliant on x509 certificates; algorithms defined in RFC 4034 are RSA/MD5, Diffie-Hellman, DSA/SHA-1, Elliptic Curve, RSA/SHA-1, and room for ~245 future algorithms. There is no identity information stored in the keys used for DNSSEC, so you should be able to generate the keys yourself.