.ORG Zone Signed With DNSSEC
lothos and several other readers let us know that the Public Interest Registry has announced the key-signing key to validate the signatures on the ORG zone. A few more details are on the PIR DNSSEC page. PC World interviewed PIR CEO Alexa Raad and writes: "On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and then real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators. Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010."
If you believe that the U.S. will control the DNS system in perpetuity, then this seems like a fine idea.
The .org zone is signed now. That means that the records which delegate authority of your domain to your domain name server are signed. Verisign's work is done, so to speak. All that is left is for you to sign your records as well and add your public key to the delegation records of your zone. That's just another record with no additional authentication requirements, so it would come as a big surprise if your registrar charged you extra for that. Of course, with people like you equating cryptography to $$$, they might go for it just because their customers expect to pay.
Basically, DNSSEC lets your computer verify that the DNS responses it's getting back are really identical to what's in the authoritative zone. If someone injects bogus DNS records into your nameserver or floods you with bogus responses to your query hoping to get one of them accepted, they won't have the private key for that domain so they won't be able to create a valid signature for their records and your DNS client will reject the bogus records.
That, BTW, is why DNSSEC has to start at the top to work. If I have DNSSEC for silverglass.org but not at the org level, then someone can inject bogus key records at the org level that'll let them successfully forge signatures for silverglass.org. To prevent that the root nameservers have to sign the org data (including the keys for domains in .org) so I can verify them using local copies of the root public keys (similar to the way we have local copies of the root nameserver names/addresses).
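An added example, not from the summary or any commenter, that works through the delegation step described in the two comments above: the DS record published in the signed parent (.org) is a hash of the child's DNSKEY, so a validator that trusts the parent's DS set accepts only the key that hash commits to, and a substituted key at the child is rejected. Wire formats, key tag and digest follow RFC 4034; the silverglass.org key bytes are constructed sample values, not a real key.

```python
import hashlib
import struct

# Owner name in canonical wire form (labels lowercased), per RFC 4034.
def name_to_wire(name: str) -> bytes:
    name = name.rstrip(".").lower()
    if not name:                       # the root zone is a single empty label
        return b"\x00"
    labels = (bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return b"".join(labels) + b"\x00"

# DNSKEY RDATA: flags (257 = KSK with SEP bit), protocol (always 3), algorithm, key bytes.
def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

# Key tag from RFC 4034 Appendix B: 16-bit word sum over the RDATA with carry folded in.
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest = hash(owner name in wire form || DNSKEY RDATA); digest type 2 is SHA-256.
def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) handed to the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))

def trusted_keys(owner, ds_set, dnskey_set):
    """Return the child's DNSKEYs that the parent's (already validated) DS set vouches for."""
    trusted = []
    for flags, protocol, algorithm, pubkey in dnskey_set:
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        for tag, ds_alg, digest_type, digest in ds_set:
            if (tag, ds_alg) == (key_tag(rdata), algorithm) and \
               ds_digest(owner, rdata, digest_type) == digest:
                trusted.append((flags, protocol, algorithm, pubkey))
    return trusted

# Constructed sample: a KSK for silverglass.org (fake key bytes; algorithm 8 = RSASHA256).
GENUINE_KSK = (257, 3, 8, b"constructed-silverglass-ksk-public-key")
FORGED_KSK = (257, 3, 8, b"attacker-substituted-public-key")
ORG_DS_SET = [make_ds("silverglass.org.", *GENUINE_KSK)]   # what the signed .org zone carries

def demo():
    """Accepted keys when the child serves the genuine KSK, and when a forged one is mixed in."""
    return (trusted_keys("silverglass.org.", ORG_DS_SET, [GENUINE_KSK]),
            trusted_keys("silverglass.org.", ORG_DS_SET, [FORGED_KSK, GENUINE_KSK]))
```

Without a signed parent there is no trusted DS set to compare against, which is the gap the comment above points at: the forged key would then be accepted on its own say-so.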
DNS poisoning is not the only way to hijack a website. It is also possible to do such things via unauthorized BGP advertisements to an insecure carrier. If you do that, the DNS is irrelevant, you've just hijacked the IP according to some portion of the internet.