Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dot-Org TLD Signed For DNSSEC

Posted by timothy on from the not-passing-on-costs-is-a-neat-trick dept.

graychase writes "A major milestone is reached as the first major top-level domain (.org) is now secured with DNSSEC. The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While specific figures as to the cost of DNSSEC implementation haven't been released, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million-dollar effort. The cost isn't going to be passed on by .org to domain registrars. The move toward securing the .org registry with DNS security started in September 2008, following the Kaminsky DNS flaw disclosure."

23 of 58 comments (clear)

  1. .org first over .com ?? by capnchicken · · Score: 2, Interesting

    Seems odd, too many .com's perhaps?

    --
    A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
    1. Re:.org first over .com ?? by fotbr · · Score: 4, Informative

      More likely simply that different companies/organizations are responsible for .org vs .com vs .net vs .whatever, and each of those had different plans (or no plans) and acted on them at various speeds.

    2. Re:.org first over .com ?? by penguin359 · · Score: 3, Informative

      Size does play some part in it. There are a number of smaller two-letter country code TLDs that were signed before .ORG as well as the fact that .GOV also beat .ORG to being signed with .GOV being signed in March of '09 and .ORG being signed since June of '09. I think the big news is that .ORG is now allowing regular domain owners to submit their keys into the .ORG database. VeriSign who runs both .COM and .NET plans to first sign the smaller .NET which is still larger than .ORG. before finally tackling .COM.

    3. Re:.org first over .com ?? by penguin359 · · Score: 2, Informative

      Actually, they've announced the date to now be July 15, 2010. http://www.root-dnssec.org/

  2. There will be a lot more TCP (and IPv6) queries by Anonymous Coward · · Score: 4, Informative

    Because of the size of the new DNS Resource Records, notably the RRSIG and DNSKEY RRs, and partly because of the (perhaps temporarily) short TTL of one day, there will be a lot more TCP queries because of the size limit on UDP ones. The .ORG nameservers are also IPv6ified, and there is even less space in UDPv6 queries, so hosts that do not exclusively or preferentially make DNS queries in IPv4 will now make TCPv6 queries. These are likely to be slower than UDPv4 queries before the signing and v6ification, and the UDPv6 queries before the signing.

    Scaling is helped by using anycast IP and IPv6 addresses, but the downside is that a routing flap that occurs any time after the first TCP/TCPv6 SYN from a client will cause a client to have to requery because of an RST fired back by the newly-closest anycast nameserver, or wait on a full TCP timeout (and then probably still see the RST) depending on the timing. (The worst case is probably having the final FIN segment being eaten by Shub-Internet or someone trying to do a devious (and probably pretty local in scope) denial-of-service consuming resources on possibly the client and two servers).

    In short, this is not a win for performance, and it will be a good idea to use long TTLs in the zone itself (and on 2nd level nameservers) once it appears safe to do so.

    1. Re:There will be a lot more TCP (and IPv6) queries by Dragoniz3r · · Score: 2, Informative

      It was never meant to be a win for performance o.O Of course it's going to be slower. The cryptographic checks alone will make it slower. It's intended to prevent DNS hijacking attacks.

    2. Re:There will be a lot more TCP (and IPv6) queries by iburrell · · Score: 3, Informative

      DNSSEC requires EDNS. EDNS allows for UDP packets larger than the original 512-byte limit of DNS over UDP. There could be problems with fragmented packets which are larger than the MTU. Some experiments show that responses with DNSSEC and IPv6 are larger than 512-bytes but smaller than typical MTU of 1500 bytes.

      There are some old firewall equipment that mistakenly prohibits DNS packets longer 512 bytes over UDP but those have caused problems for a while.

    3. Re:There will be a lot more TCP (and IPv6) queries by penguin359 · · Score: 2, Interesting

      The DNS extension called EDNS0 allows larger UDP DNS queries so that TCP can be avoided. The size for UDP queries is now at 4096 bytes from the 512 byte limit without EDNS0. A lot of the preparation going into DNSSEC has been testing for resolvers with broken EDNS0 support. I find that the vast majority of my DNS queries with DNSSEC enabled are still successfully sent as UDP with EDNS0 currently.

  3. Re:Browsers by 6031769 · · Score: 3, Informative

    Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  4. As an end-user, is there some way to tell? by JSBiff · · Score: 3, Interesting

    As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC? Do any of the web-browsers, for example, include DNSSEC support, to show that a domain has been verified? Or, is DNSSEC only a server-to-server tech, but doesn't extend to end users? If it does extend to the end-user computer, can I use DNSSEC on an un-trusted network, to connect securely to my ISP's DNS Server (or google dns, or OpenDNS, etc), to make sure I'm getting back the correct DNS info (I suppose the 'real' answer for such a situation, at least currently, is a VPN, although some organizations [like where I work] have VPN's that only tunnel traffic to the secured network, and won't tunnel any other traffic, so such a VPN doesn't protect you when visiting any other sites/hosts on the internet).

    I think it would be nice, if I don't have access to a real VPN connection, to at least be able to make sure that DNS is secured and trustworthy (although that, of course, doesn't guarantee that there aren't any man-in-the-middle attacks).

    1. Re:As an end-user, is there some way to tell? by Timothy+Brownawell · · Score: 4, Informative

      As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC?

      Yes, that's actually the entire point. Your computer ("stub resolver", the library all your programs use to do DNS queries) can either (1) not care, in which case you're really no safer than with regular DNS; (2) ask your ISPs resolver whether the records were signed, in which case you're slightly safer but not very much; or (3) demand that your ISPs resolver send it all the signatures along with the actual result, in which case you're about as safe as can be (someone would have to break/steal the keys used to sign the records, in order to cause trouble).

      What you as the person using the computer see, is of course dependent on the particular programs you use and what they do with the extra information that's available. Probably most don't do anything with it yet. :(

    2. Re:As an end-user, is there some way to tell? by cybaz · · Score: 2, Interesting

      There is a Firefox plugin that will give a key icon if the domain is signed with DNSSEC https://addons.mozilla.org/en-US/firefox/addon/64247/

    3. Re:As an end-user, is there some way to tell? by penguin359 · · Score: 2, Informative

      OpenBSD has a flag to report DNSSEC status.

    4. Re:As an end-user, is there some way to tell? by penguin359 · · Score: 2, Informative

      Actually, any validating resolver should drop DNS data that failed to validate. Most DNS data is currently unsigned which means that is can't be validated. That does not mean it failed to validate, just that it the data is not secure. A stub resolver can notify it's calling process whether the data is secure or not, but data that should be secure and failed to validate will never be passed to the process.

    5. Re:As an end-user, is there some way to tell? by penguin359 · · Score: 2, Informative

      To help with this situation, there are a number of Trust Anchor Repositories (TAR) that do a certain amount of testing on the trust anchors to verify they are correct. I use ISC's DLV repository on my home servers, but there is also SecSpider that has a large database of keys as well. They run multiple resolvers around the planet that regularly pull for DNS keys and verify that they are consistent across all servers. It's less secure than trust provided by the parent, but still extremely difficult for crackers and in the absence of a signed parent, a decent alternative, IMHO.

    6. Re:As an end-user, is there some way to tell? by jroysdon · · Score: 2, Informative

      FYI, OpenDNS does not and will not support DNSSEC. DNSSEC breaks their model of typo-squatting, and filtering in general.

  5. Re:But is there any working software? by TheRaven64 · · Score: 2, Interesting

    unless I'm missing something key here?

    The user interface. The browser should be able to warn you if you're not getting DNS records via DNSSEC.

    --
    I am TheRaven on Soylent News
  6. Do I need to do anything? by i_ate_god · · Score: 3, Informative

    I have a .org domain hosted on my server. Is there something I need to do?

    --
    I'm god, but it's a bit of a drag really...
    1. Re:Do I need to do anything? by Timothy+Brownawell · · Score: 4, Informative

      If you don't care whether the records for your domain(s) are secure, then no.

      If you do want to take advantage of the new functionality, then you need to serve some extra records and give some extra data to your registrar (I think it's just the public half of your key). I imagine the exact steps to do this would vary based on who your registrar is and which DNS server you're running.

  7. Re:Browsers by bill_mcgonigle · · Score: 2, Interesting

    Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

    What should the user see if a DNS failure occurs because of a failed signature? "Host not found?" Something like a TLS certificate mismatch dialog?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Slashdot by Anonymous Coward · · Score: 2, Interesting

    When will slashdot.org be signed?

  9. .org was signed over a year ago by Anonymous Coward · · Score: 3, Informative

    Here's the announcement on the OARC DNS-Operations list
    https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/003940.html

    What has happened this week is that .org domain holders who have signed their domain may now submit their DS record via their registrar for inclusion in the .org zone, assuming that their particular registrar supports that.

    Up until now only a handful of signed .org domains have had their DS records included in the zone and this was done manually at the registry in order to facilitate testing before opening this up to registrars.

  10. Re:But is there any working software? by penguin359 · · Score: 2, Insightful

    It might be nice to know whether the Bank your using is using a signed zone, for example. If they don't, your prone to receiving DNS data that points to a crackers IP address. SSL does not protect against this attack if SSL is not used. Most people don't realize when SSL is in use or not and will gladly log into a site without SSL. SSL can only protect once the end user gets the right IP address of the SSLized Web Server they need to log into for their Bank.