Slashdot Mirror

← Back to Stories (view on slashdot.org)

Educause Announces Plans To Sign .edu TLD With DNSSEC

Posted by timothy on from the seeping-in-there dept.

jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010. This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."

14 of 49 comments (clear)

  1. Good FA by mcgrew · · Score: 3, Informative

    Very informative and well written, kudos to the submitter. For those who don't want to RTFA and wonder what DNSSEC is (not all of us are computer nerds)

    Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

    --
    Free Martian Whores!
    1. Re:Good FA by nine-times · · Score: 4, Interesting

      One thing that I'm not clear on at all but would like to understand is, is there any chance that DNSSEC will let us get rid of SSL certificate authorities?

      Maybe that's a dumb question, but what I have in mind is this: if we can provide authenticated/signed pairing of DNS information to IP addresses, could we also put a SSL certificate into the mix and therefore know that the SSL cert is valid for that domain name? Wouldn't that at least give us SSL certs that verified the site was owned by the person who owned the domain, even if it didn't do any kind of "Extended validation" stuff?

    2. Re:Good FA by jhutkd · · Score: 3, Informative

      You've actually hit onto something that some people think is _very_ important:

      http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html

      By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv

    3. Re:Good FA by Vellmont · · Score: 4, Informative

      Are you aware that DNS has the ability to publish more than simply an IP address? Like say.. a key?

      If DNSSEC supplies a secure channel to a trusted authority (which it sounds like it does), then I see no reason why it can't replace the certificate authorities. Likely the biggest impediment to this is simply the time required for DNSSEC to be supported down to the individual machine level.

      --
      AccountKiller
    4. Re:Good FA by nine-times · · Score: 4, Interesting

      Yeah, I wasn't under the impression that getting rid of CAs was the purpose of DNSSEC, but it seemed like one possible side effect. Just to spell out my thoughts a bit more, when you say that DNSSEC guarantees that the DNS lookup returns the correct IP, I'm under the impression that "correct" is defined as "whatever the domain owner says is correct", i.e. it enables you to verify that whatever is in the DNS record is actually what the domain holder put in his DNS record.

      Now I'm not claiming to understand the intricacies of how DNSSEC works, but it seems to me that once you have a signature that is able to verify that information comes from a given domain owner, you probably have the infrastructure in place for passing other information comes from the domain holder, too. So even if DNSSEC can't do this right now, you've possibly laid the groundwork for someone to stick a public key into the DNS record for a given server. If you can verify that the public key given for a particular server is authentic, then that public key can be used to prevent a man-in-the-middle attack.

      I mean, ultimately what CAs are doing in most cases is verifying that a small bit of data, i.e. the public key for SSL encryption, is actually being provided by the domain that it's claiming to come from. If you can do this through your domain registrar and DNS servers, then CAs become unnecessary except for any extended validation of identity that you want to do.

      But this would be very important in my mind, because it might allow SSL to become essentially free in cases where extended validation isn't necessary.

    5. Re:Good FA by RalphSleigh · · Score: 4, Informative

      But along with signing your DNS records, you can sign a text record containing a hash of your webservers SSL cert, that way anyone who can verify your DNS records can also check that the SSL cert they are being provided with belongs to the owner of the DNS entries. (You know these are correct and have not been MITMed because they are signed by the previous level of DNS, up to the root zone which you have to acquire in some secure way.

      --
      Come as you are, do what you must, be who you will.
  2. Re:Hm. by sexconker · · Score: 5, Informative

    The itnernets is a freeway.
    Each top level domain is a lane on that freeway.
    The .edu lane on the freeway will soon be secured with DNSSEC.

    DNSSEC is basically a signature on all the freeway signs.

    school.edu - 5 miles

    becomes

    school.edu - 5 miles
    -Signed by school.edu

    This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

  3. Administratium by girlintraining · · Score: 3, Insightful

    Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy.

    Right. It's the administrative costs that are keeping it from being deployed. Sex.com sold for $14 million. I'd be willing to guess that the namespace of domains worth > $1,000 is totals several hundred million. Right now, the security to protect the aforementioned virtual properties is like a vault with a screen door out the back. It's a source of great internal amusement to me that in the real world our schools have some of the worst physical security, but soon they'll have some of the best digital security.

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. Re:Hm. by localman57 · · Score: 5, Funny

    This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

    Best...Double-Entendre...Ever...

  5. Re:Hm. by morgan_greywolf · · Score: 4, Interesting

    Okay. Educause Motors Corp. makes a model called the EduCar that they will sell only to educational institutions, like college campuses or school districts. Earlier models didn't have locks or keys, but instead used a system whereby you had to show to your educational institution paperwork to the onboard camera before you could open the door. Once inside, you have push-button start. The new EduCar will feature secure keys and locks, but you still need to show your educational paperwork to get one.

    Other models, which require no educational paperwork, are available from a wide variety of manufacturers such as GoDaddy Motors, Network Solutions Motors, Register Motors, etc., will continue to sell their ComCars, OrgCars, NetCars, etc. without keys or locks.

    --
    My blog
  6. Re:Hm. by Hijacked+Public · · Score: 5, Funny

    It would be like if your car's PCV valve required a permissive signal from the EGR valve via CAN-BUS linkage to MPI and DOHC. The ECR module would then TBI the MPG and various other RWHPs. Failing that the EFI unit ATF AC unit BTDC more of the CCs than CUINs. As long as your crank was CCW and you had COPI you would be good to go. Unless the CTVS was broken. In which case both your FWD and 4WD was unusable. You'd need to measure MAP and calibrate the VSS or you'll go WOT, and with NOS then you will likely exceed the allowable RPMs.

    DOHV. OD. LED taillights. HO engine. blah blah blah.

    --
    "Sacrifice for the good of The State" - The State
  7. .bnk? by RiotingPacifist · · Score: 3, Insightful

    Can't they just use DNSSEC for banks (optionally give a tld for anything financial)

    --
    IranAir Flight 655 never forget!
  8. Re:Why We Need It by jhutkd · · Score: 4, Informative

    Uhh... .org has already signed. .se (Sweden) has been signed for years.

    If you want to get a list of all signed domains, check out:

    http://secspider.cs.ucla.edu/

    Look up any TLDs you want there.

  9. How little people actually care ... by BitZtream · · Score: 3, Insightful

    This is offtopic, but important.

    Look at how few people comment on this article, which is a very important step forward for the Internet, yet there are 3 to 4 times more comments on the article about running Linux on a Kindle.

    Since Slashdot is basically a representation of the OSS and technical worlds view on things, its very sad that people who are supposed to be intelligent, thoughtful creatures get excited over something as pointless as running Linux on Kindle, but care so little about something that is important to the Internet as a whole.

    I realize that most people here are Linux fanboys (and this is one time I'm not saying it to be insulting, I'm a FreeBSD fanboy for instance, its okay as long as you are rational about it) so that means Linux related topics are going to get more coverage here, but ... 3 to 4 times more people care about running Linux on a device like the Kindle than DNSSEC for a TLD ... thats just freaking sad to me :(

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager