Slashdot Mirror


Educause Announces Plans To Sign .edu TLD With DNSSEC

jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010. This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."

7 of 49 comments

  1. Good FA by mcgrew · · Score: 3, Informative

    Very informative and well written, kudos to the submitter. For those who don't want to RTFA and wonder what DNSSEC is (not all of us are computer nerds):

    Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

    1. Re:Good FA by jhutkd · · Score: 3, Informative

      You've actually hit onto something that some people think is _very_ important:

      http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html

      By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv

    2. Re:Good FA by Anonymous Coward · · Score: 2, Informative

      No, DNSSEC guarantees (via digital signature) that the DNS lookup for www.mycompany.com returns the correct IP address

      SSL certs will guarantee that your browser's connection to that IP address (via https) is not being hijacked by a MITM adversary

      Two very different attack vectors being protected there

      And if you think Verisign, Thawte, et al, are going to give up that lucrative business, you so crazy

    3. Re:Good FA by Vellmont · · Score: 4, Informative

      Are you aware that DNS has the ability to publish more than simply an IP address? Like say.. a key?

      If DNSSEC supplies a secure channel to a trusted authority (which it sounds like it does), then I see no reason why it can't replace the certificate authorities. Likely the biggest impediment to this is simply the time required for DNSSEC to be supported down to the individual machine level.

      --
      AccountKiller

    4. Re:Good FA by RalphSleigh · · Score: 4, Informative

      But along with signing your DNS records, you can sign a text record containing a hash of your webserver's SSL cert, that way anyone who can verify your DNS records can also check that the SSL cert they are being provided with belongs to the owner of the DNS entries. (You know these are correct and have not been MITMed because they are signed by the previous level of DNS, up to the root zone which you have to acquire in some secure way.)

      --
      Come as you are, do what you must, be who you will.
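
The signed delegation chain the summary describes (trust anchor, then .edu, then a school) together with the cert-fingerprint-in-DNS check that Vellmont and RalphSleigh discuss, as an added Go example that is not part of the thread or of any DNSSEC implementation. It is a toy model: ed25519 keys and sha256 digests stand in for DNSKEY, DS and RRSIG, the zone names and certificate bytes are constructed, and no real DNS wire format is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a toy signed DNS zone: one ed25519 key pair stands in for its DNSKEY.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Sign stands in for an RRSIG: the zone's signature over one record's bytes.
func (z *Zone) Sign(record []byte) []byte { return ed25519.Sign(z.priv, record) }

// Link is one secure delegation: the DS (sha256 of the child's key) signed by the
// parent, plus the child's key as the child itself serves it.
type Link struct {
	Child  string
	Digest [32]byte
	DSSig  []byte // parent's signature over Child||Digest
	Pub    ed25519.PublicKey
}

func (parent *Zone) Delegate(child *Zone) Link {
	d := sha256.Sum256(child.Pub)
	return Link{child.Name, d, parent.Sign(append([]byte(child.Name), d[:]...)), child.Pub}
}

// VerifyChain walks from the trust anchor down: each DS must carry the parent's
// signature and match the child's key; a swapped key or forged DS anywhere fails.
func VerifyChain(anchor ed25519.PublicKey, chain []Link) (ed25519.PublicKey, bool) {
	cur := anchor
	for _, l := range chain {
		if !ed25519.Verify(cur, append([]byte(l.Child), l.Digest[:]...), l.DSSig) || sha256.Sum256(l.Pub) != l.Digest {
			return nil, false
		}
		cur = l.Pub
	}
	return cur, true
}

// CertRecord is the TXT-style record the thread proposes: sha256 of the server
// certificate (DER bytes), published in the zone and signed with the zone key.
func CertRecord(certDER []byte) []byte { s := sha256.Sum256(certDER); return s[:] }

// CertMatches verifies the record under the chain-validated zone key, then compares
// the published fingerprint with the certificate the server actually presented.
func CertMatches(zoneKey ed25519.PublicKey, record, sig, presentedDER []byte) bool {
	return ed25519.Verify(zoneKey, record, sig) && string(record) == string(CertRecord(presentedDER))
}
```

The validating side only ever trusts the anchor key it obtained out of band; every other key is accepted solely because the level above vouched for its digest.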

  2. Re:Hm. by sexconker · · Score: 5, Informative

    The internets is a freeway.
    Each top level domain is a lane on that freeway.
    The .edu lane on the freeway will soon be secured with DNSSEC.

    DNSSEC is basically a signature on all the freeway signs.

    school.edu - 5 miles

    becomes

    school.edu - 5 miles
    -Signed by school.edu

    This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

  3. Re:Why We Need It by jhutkd · · Score: 4, Informative

    Uhh... .org has already signed. .se (Sweden) has been signed for years.

    If you want to get a list of all signed domains, check out:

    http://secspider.cs.ucla.edu/

    Look up any TLDs you want there.