Slashdot Mirror

← Back to Stories (view on slashdot.org)

.ORG Zone Signed With DNSSEC

Posted by kdawson on from the baby-steps-to-security dept.

lothos and several other readers let us know that the Public Interest Registry has announced the key-signing key to validate the signatures on the ORG zone. A few more details are on the PIR DNSSEC page. PC World interviewed PIR CEO Alexa Raad and writes: "On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and then real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators. Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010."

5 of 89 comments (clear)

  1. Re:DNSSEC and domains and subdomains? by Anonymous Coward · · Score: 5, Informative

    DNSSEC is a public key system in which each nameserver signs the records for which it is authoritative. Encryption is not used, to avoid a per-request overhead. A resolver can validate signed records because the public keys of delegated zones are records delivered by higher level servers, starting at the root servers. The .org domain delivers signed records now, so nobody can fraudulently claim to be authoritative for .org in communications with a validating resolver anymore. They can still claim to be authoritative for your domain under .org, unless you also sign your records and add the public key to the delegation records for your domain.

  2. Yes but how do I implement it... by Anonymous Coward · · Score: 5, Interesting

    Every time some organisation wants to push some new system or regime they drop into hype overdrive. There are emails, announcements, articles, PDFs a plenty, but try as you might, the actual information you need to enable you to implement stays carefully hidden from view. This isn't about security; if it was the technical details of configuration and operation would be at the top of the list of files to view. It is about some organisation seeking praise and glory for doing something or other.

  3. Re:Assumes a centralized DNS system by morgan_greywolf · · Score: 5, Insightful

    DNS is a centralized system, no matter how you look at it. It may be politically correct for the entire population of Europe to bash the U.S. these days, but my response is this: if you think you can do better, go for it.

    --
    My blog
  4. Re:Assumes a centralized DNS system by Anonymous Coward · · Score: 5, Insightful

    That is a dangerous confrontation because much on the internet relies on an unambiguous view of the domain namespace. There is no technical reason why Europe (or Asia for that matter) couldn't establish an alternative root tomorrow. It would be better for the net as a whole to solve the conflict amicably, but if the US sticks to this "bring it on" attitude, we might well see a DNS split.

  5. Re:Why DNSSEC? by Todd+Knarr · · Score: 5, Insightful

    Basically, DNSSEC lets your computer verify that the DNS responses it's getting back are really identical to what's in the authoritative zone. If someone injects bogus DNS records into your nameserver or floods you with bogus responses to your query hoping to get one of them accepted, they won't have the private key for that domain so they won't be able to create a valid signature for their records and your DNS client will reject the bogus records.

    That, BTW, is why DNSSEC has to start at the top to work. If I have DNSSEC for silverglass.org but not at the org level, then someone can inject bogus key records at the org level that'll let them successfully forge signatures for silverglass.org. To prevent that the root nameservers have to sign the org data (including the keys for domains in .org) so I can verify them using local copies of the root public keys (similar to the way we have local copies of the root nameserver names/addresses).