Slashdot Mirror


.ORG Zone Signed With DNSSEC

lothos and several other readers let us know that the Public Interest Registry has announced the key-signing key to validate the signatures on the ORG zone. A few more details are on the PIR DNSSEC page. PC World interviewed PIR CEO Alexa Raad and writes: "On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and then real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators. Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010."

25 of 89 comments

  1. djb by Gothmolly · · Score: 2, Informative

    We need a 'djb' tag. Dan's been talking about, and working on this kind of thing for years.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:djb by MikeBabcock · · Score: 2, Interesting

      Maybe you should actually read up on why Dan's right or wrong about DNSSEC and make a point instead of harping on about his attitude issues.

      He may have a god complex, but he's rarely wrong, so you might want to prove him wrong before you assume you have the right to judge his attitude.

      --
      - Michael T. Babcock (Yes, I blog)
  2. Assumes a centralized DNS system by BadAnalogyGuy · · Score: 3, Insightful

    If you believe that the U.S. will control the DNS system in perpetuity, then this seems like a fine idea.

    1. Re:Assumes a centralized DNS system by Anonymous Coward · · Score: 2, Informative

      The DNS can be "forked" by installing and using different root servers and DNSSEC doesn't change that. The alternative root servers simply have to sign all their records with the key of the alternative root and users have to replace the official public root key with the public key of the alternative root in their resolver configurations.

    2. Re:Assumes a centralized DNS system by morgan_greywolf · · Score: 5, Insightful

      DNS is a centralized system, no matter how you look at it. It may be politically correct for the entire population of Europe to bash the U.S. these days, but my response is this: if you think you can do better, go for it.

    3. Re:Assumes a centralized DNS system by Anonymous Coward · · Score: 5, Insightful

      That is a dangerous confrontation because much on the internet relies on an unambiguous view of the domain namespace. There is no technical reason why Europe (or Asia for that matter) couldn't establish an alternative root tomorrow. It would be better for the net as a whole to solve the conflict amicably, but if the US sticks to this "bring it on" attitude, we might well see a DNS split.

    4. Re:Assumes a centralized DNS system by morgan_greywolf · · Score: 2, Insightful

      I don't think it will happen for the very same reasons you state.

      If it comes down to it, the only real way I see to fix this whole mess amicably is to replace DNS with something that isn't centralized.

    5. Re:Assumes a centralized DNS system by collinstocks · · Score: 2, Funny

      I completely agree that we need something not centralized. In fact, I'm actually in the planning stages of an entire decentralized system to possibly replace the web. I know, I know...ambitious goals. But I am convinced that the concept could work.

      The idea is essentially to create a decentralized web of trust, and have nodes on the network find each other by asking other nodes. One of the advantages is that it abstracts the underlying IP addresses that are used to identify network devices into something that can be extensible once IP addresses become infeasible (for example, in mobile devices whose subnets keep changing).

    6. Re:Assumes a centralized DNS system by vivaoporto · · Score: 3, Insightful

      Although on a smaller scale, it already happened once: The Great IRC split. Once a single more or less decentralized network (just like the web now), disagreements on the policies led to a transatlantic split. Hope that never happens on the WWW.

    7. Re:Assumes a centralized DNS system by QuantumRiff · · Score: 2, Funny

      If you were a real geek, you would just memorize the proper IPv6 addresses..

      --
      What are we going to do tonight, Brain?
    8. Re:Assumes a centralized DNS system by Kjella · · Score: 2, Interesting

      I don't think it will happen for the very same reasons you state.

      It's not as difficult as you think:
      1. Start a new root
      2. Root has your domains, but redirects all old domains to the US-controlled system
      3. Require ISPs to point to the new root (it's the government, make it the law)
      4. Set a grace period for old domains to register with you
      5. Make the cybersquatting resolution process hell if you don't use the grace period
      6. Turn off the lights on the old domains, alias them to the new ones

      So you own google.com, EU starts with .comx - better register it or some porn site will take over google.comx until you can get it back. Repeat BS process a few times like the digital TV conversions by offering extensions and saying this time we're REALLY doing it. When you have enough on board, turn off the lights on the old .com, have it resolve same as .comx site. No "black net" sudden transition.

      --
      Live today, because you never know what tomorrow brings
  3. DNSSEC and domains and subdomains? by Midnight+Thunder · · Score: 3, Interesting

    So what does this mean for domains in the .org realm? Should people be adding DNSSEC to their own domains, and if so what sort of cost should we expect? Also, how does software on a PC validate that a domain is signed?

    --
    Jumpstart the tartan drive.
    1. Re:DNSSEC and domains and subdomains? by Anonymous Coward · · Score: 5, Informative

      DNSSEC is a public key system in which each nameserver signs the records for which it is authoritative. Encryption is not used, to avoid a per-request overhead. A resolver can validate signed records because the public keys of delegated zones are records delivered by higher level servers, starting at the root servers. The .org domain delivers signed records now, so nobody can fraudulently claim to be authoritative for .org in communications with a validating resolver anymore. They can still claim to be authoritative for your domain under .org, unless you also sign your records and add the public key to the delegation records for your domain.

    2. Re:DNSSEC and domains and subdomains? by Kadin2048 · · Score: 3, Informative

      You do, but the encryption part is relatively easy; it's the authentication that's hard. Right now, Verisign et al charge megabucks for "Extended Validation" certificates (mostly to banks, insurance companies, etc.) whose only advantage over a regular "el cheapo" SSL cert is the supposed additional validation.

      Securing DNS would let you use it for validation, rather than the SSL certificate trust chain. So the E.V. certs would really not be necessary anymore.

      Actually I think securing DNS would make MITMs a lot harder (although I wouldn't go so far as to say 'impossible') because most current MITM attacks rely on DNS poisoning.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    3. Re:DNSSEC and domains and subdomains? by Nevyn · · Score: 2, Interesting

      Even without a Cert, you will know that you are at YOUR bank's website, because you will be able to walk up the tree with signed records.

      No, you would know that you are at "yourbank.com"; you wouldn't know that it's "YOUR bank's website" ... which is the problem the new super certs are trying to address.

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
    4. Re:DNSSEC and domains and subdomains? by geniusj · · Score: 2, Insightful

      DNS poisoning is not the only way to hijack a website. It is also possible to do such things via unauthorized BGP advertisements to an insecure carrier. If you do that, the DNS is irrelevant, you've just hijacked the IP according to some portion of the internet.

  4. Yes but how do I implement it... by Anonymous Coward · · Score: 5, Interesting

    Every time some organisation wants to push some new system or regime they drop into hype overdrive. There are emails, announcements, articles, PDFs aplenty, but try as you might, the actual information you need to enable you to implement it stays carefully hidden from view. This isn't about security; if it were, the technical details of configuration and operation would be at the top of the list of files to view. It is about some organisation seeking praise and glory for doing something or other.

    1. Re:Yes but how do I implement it... by Tony+Hoyle · · Score: 2, Informative

      It's pretty hard to implement right now.. a bunch of shell scripts and editing with vi, and even then I've never got it to work. One key thing is it's incompatible with dynamic DNS so you can only use it on static zones.

      The other thing is for it to work it has to be signed by a parent zone.. or in other words, more excuses for verisign to charge $$$ per year for doing almost nothing. This, of course, is why it's being pushed so much.. there's money in it.

    2. Re:Yes but how do I implement it... by Anonymous Coward · · Score: 3, Insightful

      The .org zone is signed now. That means that the records which delegate authority of your domain to your domain name server are signed. Verisign's work is done, so to speak. All that is left is for you to sign your records as well and add your public key to the delegation records of your zone. That's just another record with no additional authentication requirements, so it would come as a big surprise if your registrar charged you extra for that. Of course, with people like you equating cryptography to $$$, they might go for it just because their customers expect to pay.

    3. Re:Yes but how do I implement it... by kv9 · · Score: 3, Informative

      Yes but how do I implement it...

      fast and easy.

  5. Americans by dandart · · Score: 3, Funny

    Americans don't own the Internet! They just own all the Internet names! It's a big difference!

  6. What should domain owners do? by GlobalEcho · · Score: 2, Interesting

    As the owner of a .org domain (used for a few websites and email) is there anything I ought to be doing based on this? I'm registered at Dotster, hosted elsewhere (Dreamhost).

  7. Why DNSSEC? by Moxon · · Score: 2, Interesting

    I've read about what DNSSEC does, but what I haven't found is an actual reason why anyone should care. Is there one?

    Seems to me it kinda-sorta solves a few non-problems, and any actual problems it might touch upon have been solved better by SSL certificates years ago. Is it just that ISC is envious of the SSL cert sellers, and want to create a new action they can have the largest piece of?

    1. Re:Why DNSSEC? by Todd+Knarr · · Score: 5, Insightful

      Basically, DNSSEC lets your computer verify that the DNS responses it's getting back are really identical to what's in the authoritative zone. If someone injects bogus DNS records into your nameserver or floods you with bogus responses to your query hoping to get one of them accepted, they won't have the private key for that domain so they won't be able to create a valid signature for their records and your DNS client will reject the bogus records.

      That, BTW, is why DNSSEC has to start at the top to work. If I have DNSSEC for silverglass.org but not at the org level, then someone can inject bogus key records at the org level that'll let them successfully forge signatures for silverglass.org. To prevent that the root nameservers have to sign the org data (including the keys for domains in .org) so I can verify them using local copies of the root public keys (similar to the way we have local copies of the root nameserver names/addresses).

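As an added example (not PIR's code, and not from anyone in this thread), the chain-of-trust walk that the two explanations above describe, modelled in Go with a toy zone type: each parent publishes a signed DS record (a hash of the child's public key), and a validating resolver starts from the root trust anchor and accepts a zone's key only if a signed DS one level up vouches for it. It assumes Ed25519 and SHA-256 in place of the real DNSSEC algorithms and wire formats, and the zone names and records are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is one signed zone: its key pair, the DS records (hash of each child's
// public key) it publishes for delegations, and its signatures over them.
type Zone struct {
	Name      string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	DS, DSSig map[string][]byte // child name -> DS hash / signature over (name||DS)
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
func dsHash(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }

// Delegate publishes a signed DS record for child in the parent: the "add your
// public key to the delegation records" step the comments describe.
func (p *Zone) Delegate(child *Zone) {
	ds := dsHash(child.Pub)
	p.DS[child.Name] = ds
	p.DSSig[child.Name] = ed25519.Sign(p.priv, append([]byte(child.Name), ds...))
}

// SignRR signs one resource record with the zone's own key (its RRSIG).
func (z *Zone) SignRR(rr string) []byte { return ed25519.Sign(z.priv, []byte(rr)) }

// Validate walks from the trust anchor (root public key) through parents in
// order and returns the leaf's public key if every DS link verifies, else nil.
func Validate(anchor ed25519.PublicKey, parents []*Zone, leafName string, leafPub ed25519.PublicKey) ed25519.PublicKey {
	trusted := anchor
	for i, p := range parents {
		if !bytes.Equal(p.Pub, trusted) { return nil } // parent key not vouched for above
		name, pub := leafName, leafPub // the zone one level down
		if i+1 < len(parents) {
			name, pub = parents[i+1].Name, parents[i+1].Pub
		}
		ds, ok := p.DS[name]
		if !ok || !ed25519.Verify(p.Pub, append([]byte(name), ds...), p.DSSig[name]) || !bytes.Equal(ds, dsHash(pub)) {
			return nil // unsigned delegation, forged DS, or DNSKEY not matching the DS
		}
		trusted = pub
	}
	return trusted
}
```

Calling Validate with a different anchor key models the alternative-root point made earlier in the thread: whoever's key the resolver is configured to trust decides which chain validates.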
    2. Re:Why DNSSEC? by jhutkd · · Score: 3, Informative

      DNSSEC addresses issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it is the actual record (such as the IP address(es) for a web site) served by a domain.

      If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
      http://www.youtube.com/watch?v=Yt-oJTj0j0o