Slashdot Mirror

← Back to Stories (view on slashdot.org)

ICANN and NIST Announce Plans To Sign the DNS Root

Posted by timothy on from the no-more-absolute-value dept.

jhutkd writes "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC."

3 of 94 comments (clear)

  1. Re:VeriSign by Anonymous Coward · · Score: 3, Insightful

    what moron modded "You pay verisign (or another trusted CA) to vouch for your secure content." as informative?

    they vouch for the fact someone had a credit card once and they got paid.

  2. So what? by damn_registrars · · Score: 2, Insightful

    They can take all the measures they want to secure the root, if they keep letting unscrupulous registrars sell domains it all will be for naught anyways. Wake me up if they ever decide that for some reason they feel security and stability are suddenly more important than profit.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. Re:DNSCurve by Timothy+Brownawell · · Score: 2, Insightful

    I still think DNSCurve would have made more sense, http://dnscurve.org/dnssec.html

    DNSSEC certifies the data, while DNSCurve only certifies the connection between the DNS server and the resolver.

    With DNSSEC, you know that the DNS records you receive are correct.

    With DNSCurve, your ISP's caching resolver knows that it is talking to the proper DNS server. You do not know that you are talking to your ISP's resolver instead of an imposter, and you do not know if your ISP is forwarding the records accurately.

    DNSSEC can be used for interesting things like distributing public keys. DNSCurve cannot, because it still requires you to trust your ISP and your ISP's network. (Or alternatively it would require that shared caching resolvers not be used, which would cause a major increase in traffic to the authoritative servers.)