VeriSign Will Support DNSSEC In .com By 2011

alphadogg writes "VeriSign has promised to deploy DNS Security Extensions, known as DNSSEC, across all of its top-level domains within two years. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered last year. (Yesterday we discussed the workarounds coming into place until the US government signs the Internet's root zone.) DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil, and the Czech Republic. Two larger domains — .org operated by the Public Interest Registry and .gov operated by the US government — are deploying DNSSEC this year."

3 of 39 comments

  1. Re:erm... by thue · Score: 5, Informative

    Because when released it will reduce the profit from their certificate signing business, as people can get end-to-end public key encryption just by updating their DNS entry.

  2. Re:are you sure this is such a good idea? by Timothy+Brownawell · Score: 2, Informative

    I'd like to see some discussion around the relative merits of DNSSEC v. DNSCurve.

    With DNSSEC, it's the data that's authenticated. With DNSCurve, it appears to be the server. Does DNSCurve protect against a meddling cache, or does it require all queries to be processed by the authoritative server or a trustable cache?

    DNSCurve encrypts connections. This has per-byte overhead, plus per-connection overhead which can (mostly?) be made into per-peer overhead with caching. DNSSEC doesn't, so someone could potentially see what records you look up (and save themselves the trouble of having to look at which IP you connect to next, I suppose?).

    And probably much more...

  3. Re:Huh? by Timothy+Brownawell · Score: 3, Informative

    The DNSSEC and https/SSL certificate systems are completely different.

    I mean, you *could* use https/SSL to get secure DNS via port 443 right now, all it would take would be a few lines in Apache. Now convince the rest of the world to follow your lead....

    DNSSEC (and DNSCurve) are only as good as the clients that adopt it.

    Huh?

    The idea is that instead of paying a CA to give you an SSL certificate, you generate your own and put the hash in a DNS record. With DNSSEC, this means that your SSL certificate is effectively signed by your DNSSEC key, with a chain going back to the keys for the root zone. This eliminates the need for CAs (unless you use the EV certs, which map to a real-world identity that browsers will usually show people), and even gets rid of the problem of bad signers that give out certs they shouldn't.
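The two links in the chain that comment describes (a parent zone vouching for a child's DNSKEY via a DS record, and a certificate hash sitting in a signed DNS record), as an added example that is not code from the thread: it builds the DS record a parent publishes for a child's key, checks a key against it, and checks a certificate against its hash record. The DS and key-tag computations follow RFC 4034; the cert-hash record uses the SHA-256-of-DER form that DANE/TLSA later standardized; the owner name, key bytes and DER blob are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Digest types from the DS record registry; 2 (SHA-256) is the usual choice today.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 16-bit checksum a DS uses to select a key (not valid for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS as the parent zone publishes it: (key tag, algorithm, digest type, hash(owner wire | DNSKEY RDATA))."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, rdata, ds):
    """Does this child DNSKEY hang off the parent's DS? Tag, algorithm and digest type are cheap pre-checks."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return make_ds(owner, rdata, dtype)[3] == digest

def cert_record(cert_der):
    """The 'hash of your own certificate' record: SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).digest()

def cert_matches(cert_der, record):
    """A client that trusts the DNSSEC chain compares the presented cert against the published hash."""
    return cert_record(cert_der) == record

if __name__ == "__main__":
    # Constructed sample: a KSK for example.com and a stand-in DER blob (placeholder, not real key material).
    ksk = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
    ds = make_ds("example.com.", ksk)  # what the .com zone would publish for example.com
    print("key tag", ds[0], "DS ok", ds_matches("example.com.", ksk, ds))
    cert = b"\x30\x82\x01\x00constructed-der"
    print("cert ok", cert_matches(cert, cert_record(cert)))
```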