Slashdot Mirror
Educause Announces Plans To Sign .edu TLD With DNSSEC
jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010.
This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."
Okay. Educause Motors Corp. makes a model called the EduCar that they will sell only to educational institutions, like college campuses or school districts. Earlier models didn't have locks or keys, but instead used a system whereby you had to show to your educational institution paperwork to the onboard camera before you could open the door. Once inside, you have push-button start. The new EduCar will feature secure keys and locks, but you still need to show your educational paperwork to get one.
Other models, which require no educational paperwork, are available from a wide variety of manufacturers such as GoDaddy Motors, Network Solutions Motors, Register Motors, etc., will continue to sell their ComCars, OrgCars, NetCars, etc. without keys or locks.
My blog
One thing that I'm not clear on at all but would like to understand is, is there any chance that DNSSEC will let us get rid of SSL certificate authorities?
Maybe that's a dumb question, but what I have in mind is this: if we can provide authenticated/signed pairing of DNS information to IP addresses, could we also put a SSL certificate into the mix and therefore know that the SSL cert is valid for that domain name? Wouldn't that at least give us SSL certs that verified the site was owned by the person who owned the domain, even if it didn't do any kind of "Extended validation" stuff?
Yeah, I wasn't under the impression that getting rid of CAs was the purpose of DNSSEC, but it seemed like one possible side effect. Just to spell out my thoughts a bit more, when you say that DNSSEC guarantees that the DNS lookup returns the correct IP, I'm under the impression that "correct" is defined as "whatever the domain owner says is correct", i.e. it enables you to verify that whatever is in the DNS record is actually what the domain holder put in his DNS record.
Now I'm not claiming to understand the intricacies of how DNSSEC works, but it seems to me that once you have a signature that is able to verify that information comes from a given domain owner, you probably have the infrastructure in place for passing other information comes from the domain holder, too. So even if DNSSEC can't do this right now, you've possibly laid the groundwork for someone to stick a public key into the DNS record for a given server. If you can verify that the public key given for a particular server is authentic, then that public key can be used to prevent a man-in-the-middle attack.
I mean, ultimately what CAs are doing in most cases is verifying that a small bit of data, i.e. the public key for SSL encryption, is actually being provided by the domain that it's claiming to come from. If you can do this through your domain registrar and DNS servers, then CAs become unnecessary except for any extended validation of identity that you want to do.
But this would be very important in my mind, because it might allow SSL to become essentially free in cases where extended validation isn't necessary.
Like GP said.
If you think Verisign is going to give up that lucrative business, you are crazy.
1) They don't have a choice in the matter.
2) This is probably why they're pushing "Extended Validation" certs now.