Slashdot Mirror


VeriSign Will Support DNSSEC In .com By 2011

alphadogg writes "VeriSign has promised to deploy DNS Security Extensions, known as DNSSEC, across all of its top-level domains within two years. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered last year. (Yesterday we discussed the workarounds coming into place until the US government signs the Internet's root zone.) DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil, and the Czech Republic. Two larger domains — .org operated by the Public Interest Registry and .gov operated by the US government — are deploying DNSSEC this year."

6 of 39 comments

  1. erm... by XanC · · Score: 4, Insightful

    What takes so long? Why not now?

    1. Re:erm... by winkydink · · Score: 5, Insightful

      They need time to figure out how to profit from the deployment.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:erm... by thue · · Score: 5, Informative

      Because when released it will reduce the profit from their certificate signing business, as people can get end-to-end public key encryption just by updating their DNS entry.

    3. Re:erm... by Anonymous Coward · · Score: 5, Insightful

      Many reasons....

      The root is just the root...
      70 million domains to sign. Think you can just do that on your desktop in a couple of hours? It's going to take an infrastructure of machines to do this. That infrastructure itself is going to need to be secure. And reliable. And backed up. Securely. And with a geographical disaster recovery plan in place. ( A secure one ). And they need to ensure that their root servers ( A and J ) can handle DNSSEC too. Just to be clear, neither A nor J are a single server - you just don't handle more than 50 BILLION queries EVERY SINGLE DAY from a couple of boxes on a T1. VeriSign has a large number of distributed boxes that comprise each root server.

      That's just the technology - the easy part. The harder part comes with the business processes needed to support this. New domains will need to be signed. Employees are going to need to be able to do that somehow, but every employee that has access to the root key is a risk to that key. Consider that if that key gets compromised the whole stack of cards will come tumbling down, thus requiring those 70M domains to be re-signed with a new key. And that new key's cert will need to be published downstream etc. So somehow VeriSign has to come up with business processes that allow new domains to be signed without the root key being compromised. Processes that allow the infrastructure to be administrated and monitored without the root key being compromised etc.

      If you're not getting the picture yet, this is really not a trivial exercise.

      The good news is that VeriSign has experience with these kinds of problems - running the CAs that sign >90% of the World's PKI certificates has given them that.

      Before the usual VeriSign-hating Slashdot crowd get in here... it's my opinion that VeriSign do a great job with DNS. I can't think of any other service that I pay for that has given me 100% uptime this year alone, let alone for a number of years.

      Most corporations strive for five 9s uptime. That allows 5 minutes and 15.35 seconds of downtime in a (non-leap) year. My electricity, water, gas, oil and ISP have all had outages longer than that in the past year, and most of them have outages every year, and yet I pay them a damn sight more than the $7 a year that VeriSign gets for serving my DNS records.

      Disclaimer... I'm an ex-employee and small-time stock-holder of VRSN.

  2. DJB causes his own problem here by DragonHawk · · Score: 3, Insightful

    [citation needed] Or maybe this is "weasel words". In any case, "Says who?"

    Everybody *but* DJB. And since DJB has apparently pissed off just about the entire rest of the population of the planet at this point, his pet-project ideas have just about zero chance of being adopted widely. So, in a very real sense, DNSCurve is by definition the least-good way to secure DNS, because it will never see real adoption.

    Whether or not DNSCurve has any good ideas or not doesn't matter, because DJB has burned every bridge to his own little island. And it turns out that a network that doesn't connect to anything isn't very interesting.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.

  3. Re:Huh? by Timothy Brownawell · · Score: 3, Informative

    The DNSSEC and https/SSL certificate systems are completely different.

    I mean, you *could* use https/SSL to get secure DNS via port 443 right now, all it would take would be a few lines in Apache. Now convince the rest of the world to follow your lead....

    DNSSEC (and DNSCurve) are only as good as the clients that adopt it.

    Huh?

    The idea is that instead of paying a CA to give you a SSL certificate, you generate your own and put the hash in a DNS record. With DNSSEC, this means that your SSL certificate is effectively signed by your DNSSEC key, with a chain going back to the keys for the root zone. This eliminates the need for CAs (unless you use the EV certs, that map to a real-world identity that browsers will usually show people), and even gets rid of the problem of bad signers that give out certs they shouldn't.
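An added example (not from the thread or from any project it names) of the check the comment above describes: the site owner publishes a hash of its self-generated certificate in a DNS record, and a client compares the certificate it is served against that hash, but only when the resolver has validated the DNSSEC chain back to the root. The record layout is modelled on the later-standardized DANE TLSA record (usage 3, selector 0, matching type 1 = SHA-256 or 2 = SHA-512); the certificate bytes are constructed filler, not a real certificate.

```python
import hashlib
import hmac

# Constructed stand-in for the site's self-generated DER certificate
# (not a real certificate; any byte string works for the demonstration).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes" * 4

# Matching types, numbered as in DANE TLSA: 1 = SHA-256, 2 = SHA-512.
_HASHES = {1: hashlib.sha256, 2: hashlib.sha512}


def cert_fingerprint_record(cert_der: bytes, matching_type: int = 1) -> str:
    """Build the record data the site owner publishes:
    '<usage> <selector> <matching type> <hex digest>'.
    Usage 3 / selector 0 means 'trust exactly this certificate'."""
    digest = _HASHES[matching_type](cert_der).hexdigest()
    return f"3 0 {matching_type} {digest}"


def client_accepts_cert(cert_der: bytes, record: str, dnssec_validated: bool) -> bool:
    """Client-side check: does the served certificate match the published hash?

    The record only means something if the resolver validated the DNSSEC
    signatures back to the root zone. Without that, whoever can spoof the
    DNS answer can also spoof the hash, so an unvalidated record is treated
    as no record at all (the client falls back to whatever else it trusts).
    """
    if not dnssec_validated:
        return False
    try:
        usage, selector, mtype, expected_hex = record.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
    except ValueError:
        return False  # malformed record: never accept on a parse failure
    if usage != 3 or selector != 0 or mtype not in _HASHES:
        return False  # only the full-certificate form is handled here
    actual_hex = _HASHES[mtype](cert_der).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(actual_hex, expected_hex.lower())
```

In a real client the `dnssec_validated` flag would come from a validating resolver (for example the AD bit on the response), not from the application's own judgement.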