ICANN and NIST Announce Plans To Sign the DNS Root
jhutkd writes "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC."
There are no certs, just signed DNS records. All DNS records which are published in a DNSSEC enabled zone (the root "." zone in this case) are signed with the public key of that zone. The public key of a delegated zone is just another record. There is nothing special about it which could justify an extra charge.
The additional cost of installing and maintaining the DNSSEC system is incurred for the zone as a whole. There is no individual authentication overhead beyond what is already necessary to make sure that only the domain owner can change the delegation records of a domain.
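To illustrate the point above that a delegated zone's key is "just another record" in the parent, here is an added example (not from any poster on this thread) that builds the DS record a parent zone publishes for a child's DNSKEY, following RFC 4034: the DS carries a key tag, the algorithm, and a SHA-256 digest over the owner name plus the DNSKEY RDATA. The owner name, flags and key bytes are constructed placeholders, not a real zone's key.

```python
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format, e.g. b'\\x07example\\x00'."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root zone "." is a single empty label
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a checksum used to pick the right DNSKEY, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RDATA the parent publishes: (key tag, algorithm, digest type, hex digest).

    Digest type 2 is SHA-256 over owner-name-wire || DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """What a validating resolver does: recompute the DS from the child's DNSKEY and compare."""
    return make_ds(owner, flags, protocol, algorithm, pubkey, ds[2]) == ds


if __name__ == "__main__":
    # Constructed placeholder: a KSK (flags 257) for "example." with a fake 4-byte key.
    owner, pubkey = "example.", bytes.fromhex("deadbeef")
    ds = make_ds(owner, 257, 3, 13, pubkey)
    print("DS record:", owner, "IN DS", *ds)
    print("matches child DNSKEY:", ds_matches_dnskey(ds, owner, 257, 3, 13, pubkey))
    print("matches tampered key:", ds_matches_dnskey(ds, owner, 257, 3, 13, b"\xde\xad\xbe\xee"))
```

Swapping in a different key, or a different owner name, changes the digest, which is why a forged DNSKEY in the child cannot chain up to the parent's signed DS.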
Wasn't VeriSign the one who set up the brain-dead system where now we all get to pay them (or a few connected competitors) for the privilege to share secure content with https?
You can set up your own secure content with https. But why should the general public trust your certificate? You pay VeriSign (or another trusted CA) to vouch for your secure content.
Without someone vouching for your certificate, there is no proof it's yours, and it's spoofable.
My company has its own CA. It's pushed out to all company computers automatically by domain policy. Works great for internal company sites, but for public sites, we use signed certificates from a real CA.
I hope we do that again for DNS servers!
You got a better idea? Maybe governments or domain registrars would sign certs?
The problem is that there are SSL cert providers who will happily hand over valid certs to anyone with a credit card, and browsers are configured to automatically trust these bozos. And the ones that are actually diligent in checking credentials will happily hand over username/password for web administration of the domain to anyone who knows the date of birth of the current registrant.
How we know is more important than what we know.
Windows 7 and Windows Server 2008 R2 have one built in, and Unbound is a smaller DNSSEC-aware resolver for Unix-like OSs.
Blessed are the pessimists, for they have made backups.
ICANN haz DNSSEC?
The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses. ISPs and internet cafes will not like this, since that means they can no longer forge DNS replies to missing domains or to force people through registration pages. I can see a *LOT* of push-back from having end-users using DNSSEC.
SPF support for most open source mail servers can be found at libspf2.