ICANN and NIST Announce Plans To Sign the DNS Root
jhutkd writes "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC."
...or am I just not seeing the forest for the trees? There's BIND, but that seems a little excessive for a personal recursive resolver. The small ones don't seem to even have DNSSEC support on the short term agenda. What to do?
Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?
I hope we do that again for DNS servers!
</snark>
But seriously, what's the business model for maintaining the certs?
I still think DNSCurve would have made more sense, http://dnscurve.org/dnssec.html
The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses. ISPs and internet cafes will not like this, since that means they can no longer forge DNS replies to missing domains or to force people through registration pages. I can see a *LOT* of push-back from having end-users using DNSSEC.
SPF support for most open source mail servers can be found at libspf2.
Who will be the person who gets to hold the master crypto keys used to sign the root zone?
Somebody, somewhere, has to do this. Who?
If DNS is trusted -- that is, all data a client receives upon querying a domain's DNS record is trusted to be fully controlled by the owner of that domain -- then, theoretically, public keys could be stored there. That means that instead of getting an untrusted certificate from an HTTPS server which the user's browser has to examine for a signature from a trusted authority, the HTTPS server can simply say, "Hey, of course it's real: the fingerprint matches the one in my DNS record." without any external authority required (other than the one implementing DNSSEC, of course). That means once DNSSEC is implemented for the root and a site's top-level domain, the only part that needs to be trusted is the public keys of DNS root.
That said, I have yet to see an implementation -- or even protocol specification -- of such a protocol. Does one exist or is this purely theoretical at this point?
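The check the commenter sketches, as an added example that is not from this thread or from any DNS software: the record layout (selector, matching type, data) and the requirement that the resolver has DNSSEC-validated the answer are assumptions, with the layout mirroring the DANE/TLSA design that later standardized this idea.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example, not code from the thread or any DNS project.
# Models the comment's idea: the zone owner publishes a fingerprint of the
# server's certificate in DNS; a client compares the certificate it receives
# against that record, trusting DNS rather than an external CA.

FULL, SHA256, SHA512 = 0, 1, 2

@dataclass
class DnsAnswer:
    """One fingerprint record plus whether the resolver DNSSEC-validated it."""
    selector: int        # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching: int        # 0 = raw data, 1 = SHA-256, 2 = SHA-512 of the data
    data: bytes
    authenticated: bool  # resolver set AD: signature chain to the root verified

def fingerprint(blob: bytes, matching: int) -> bytes:
    """Return the form of `blob` that the record's data field must equal."""
    if matching == FULL:
        return blob
    if matching == SHA256:
        return hashlib.sha256(blob).digest()
    if matching == SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")

def cert_matches_dns(cert_der: bytes, spki_der: bytes, answers: list[DnsAnswer]) -> bool:
    """True only if some DNSSEC-authenticated record matches the presented cert.

    An unauthenticated answer is ignored: without the signature chain back to
    the root, the record could have been forged in transit, which is exactly
    the gap the comment says DNSSEC has to close before keys can live in DNS.
    """
    for a in answers:
        if not a.authenticated:
            continue
        subject = cert_der if a.selector == 0 else spki_der
        if hmac.compare_digest(fingerprint(subject, a.matching), a.data):
            return True
    return False

# Constructed stand-ins for DER bytes; a real client takes them from the TLS handshake.
SAMPLE_CERT = b"-- constructed certificate bytes --"
SAMPLE_SPKI = b"-- constructed public key bytes --"
```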
Centralization breaks the internet.