Slashdot Mirror


Educause Announces Plans To Sign .edu TLD With DNSSEC

jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010. This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."

4 of 49 comments

  1. Re:Hm. by sexconker · · Score: 5, Informative

    The internets is a freeway.
    Each top level domain is a lane on that freeway.
    The .edu lane on the freeway will soon be secured with DNSSEC.

    DNSSEC is basically a signature on all the freeway signs.

    school.edu - 5 miles

    becomes

    school.edu - 5 miles
    -Signed by school.edu

    This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

  2. Re:Why We Need It by jhutkd · · Score: 4, Informative

    Uhh... .org has already signed. .se (Sweden) has been signed for years.

    If you want to get a list of all signed domains, check out:

    http://secspider.cs.ucla.edu/

    Look up any TLDs you want there.

  3. Re:Good FA by Vellmont · · Score: 4, Informative

    Are you aware that DNS has the ability to publish more than simply an IP address? Like say.. a key?

    If DNSSEC supplies a secure channel to a trusted authority (which it sounds like it does), then I see no reason why it can't replace the certificate authorities. Likely the biggest impediment to this is simply the time required for DNSSEC to be supported down to the individual machine level.

    --
    AccountKiller

  4. Re:Good FA by RalphSleigh · · Score: 4, Informative

    But along with signing your DNS records, you can sign a text record containing a hash of your webserver's SSL cert; that way anyone who can verify your DNS records can also check that the SSL cert they are being provided with belongs to the owner of the DNS entries. (You know these are correct and have not been MITMed because they are signed by the previous level of DNS, up to the root zone, which you have to acquire in some secure way.)

    --
    Come as you are, do what you must, be who you will.
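
The check described in the last comment, as an added example that is not part of the thread: a client accepts a certificate only when a DNSSEC-validated TXT record carries its hash. The `sslfp=sha256:` record layout, the function names and the sample bytes are assumptions made for this sketch, and the `dnssec_validated` flag stands in for the result of a validating resolver.

```python
import hashlib
import hmac

# Hypothetical TXT layout for this example: "sslfp=sha256:<64 hex chars>"
PREFIX = "sslfp=sha256:"


def published_fingerprints(txt_records):
    """Extract well-formed SHA-256 fingerprints from TXT strings; skip the rest."""
    found = []
    for record in txt_records:
        record = record.strip()
        if not record.lower().startswith(PREFIX):
            continue  # unrelated TXT data (SPF and so on)
        try:
            digest = bytes.fromhex(record[len(PREFIX):].lower())
        except ValueError:
            continue  # not hex: ignore rather than guess
        if len(digest) == hashlib.sha256().digest_size:
            found.append(digest)
    return found


def cert_matches_dns(cert_der, txt_records, dnssec_validated):
    """True only if the answer was DNSSEC-validated and one record pins this cert."""
    if not dnssec_validated:
        return False  # fail closed: an unsigned answer proves nothing about the owner
    presented = hashlib.sha256(cert_der).digest()
    # Compare against every published value in constant time per comparison.
    matches = [hmac.compare_digest(presented, fp)
               for fp in published_fingerprints(txt_records)]
    return any(matches)


# Constructed sample data: stand-in bytes for DER certificates, not real certs.
SERVER_CERT = b"constructed-der-bytes-for-www.school.edu"
OTHER_CERT = b"constructed-der-bytes-for-some-other-key"
ZONE_TXT = [
    "v=spf1 -all",                                             # unrelated record
    PREFIX + hashlib.sha256(b"old-cert").hexdigest(),          # kept during rollover
    PREFIX + hashlib.sha256(SERVER_CERT).hexdigest().upper(),  # current cert, upper-case
    PREFIX + "nothex",                                         # malformed, ignored
]

if __name__ == "__main__":
    print(cert_matches_dns(SERVER_CERT, ZONE_TXT, dnssec_validated=True))
    print(cert_matches_dns(OTHER_CERT, ZONE_TXT, dnssec_validated=True))
    print(cert_matches_dns(SERVER_CERT, ZONE_TXT, dnssec_validated=False))
```

Publishing more than one fingerprint lets the old and new certificates both validate while a replacement is being rolled out.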