Slashdot Mirror


Root DNS Zone Now DNSSEC Signed

r00tyroot writes with news that slipped by yesterday, quoting from the Internet Systems Consortium's release: "ISC joined other key participants of the Internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers."

11 of 94 comments

  1. Great! by Anonymous Coward · · Score: 1, Insightful

    Can those of us who run our own DNS servers flip a switch and start using this now?

    1. Re:Great! by Athanasius · · Score: 2, Insightful

      That depends on whether the registry for your TLD supports DNSSEC. There has to be a chain of trust all the way down from the root nameservers to yours. .ORG does support DNSSEC now.

      I'm currently trying to find a registrar that definitely has DNSSEC support in their web management interface for .ORG domains. GoDaddy looks like a good bet on this point, but I'd also like IPv6 glue support (i.e. so I can create a new A record with an IPv6 address and then also set that as an NS record and have that data in the .ORG nameservers as glue for my domain).
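
The "chain of trust" mentioned above is carried by DS records: each parent zone (the root for .org, the .org registry for your domain) publishes a hash of the child's key-signing DNSKEY, and a validating resolver recomputes that hash at every delegation on the way down. The following is an added example, not code from this thread, ISC or any registry, showing how a DS record is derived from a DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest over the canonical owner name plus the DNSKEY RDATA) and how a resolver checks it. The zone name example.org and the key bytes are constructed placeholders, not a real key.

```python
"""DNSSEC delegation check: does a parent's DS record match the child's DNSKEY?

Added example, not from the Slashdot thread or from ISC. The DNSKEY public
key below is a constructed placeholder (a real RSASHA256 key is hundreds of
bytes, base64-encoded in zone files); the zone name example.org is illustrative.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes,
                 protocol: int = 3) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the whole RDATA,
    used by DS and RRSIG records to pick the right key out of a DNSKEY RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS record the parent zone publishes for this DNSKEY.
    digest = H(canonical owner name | DNSKEY RDATA); type 2 is SHA-256 (RFC 4509)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validating resolver does at each delegation: recompute the DS
    from the DNSKEY it fetched from the child and compare it with the DS it
    got (signed) from the parent. Any mismatch breaks the chain of trust."""
    expected = make_ds(owner, rdata, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"])


def ds_presentation(owner: str, ds: dict) -> str:
    """Zone-file form, i.e. what you paste into the registrar's DS form."""
    return "%s. IN DS %d %d %d %s" % (owner.rstrip("."), ds["key_tag"],
                                      ds["algorithm"], ds["digest_type"],
                                      ds["digest"].upper())


# Constructed KSK: flags 257 (zone key + SEP bit), algorithm 8 (RSASHA256),
# placeholder 32-byte "public key" 0x01..0x20. Not a usable RSA key.
SAMPLE_KSK_RDATA = dnskey_rdata(257, 8, bytes(range(1, 33)))

if __name__ == "__main__":
    ds = make_ds("example.org", SAMPLE_KSK_RDATA)
    print(ds_presentation("example.org", ds))
    print("matches own key:", ds_matches(ds, "example.org", SAMPLE_KSK_RDATA))
    # A key the parent never vouched for (e.g. swapped in by an attacker)
    rogue = dnskey_rdata(257, 8, bytes(range(2, 34)))
    print("matches rogue key:", ds_matches(ds, "example.org", rogue))
```

The registrar's job in this picture is only to get the DS line into the .org zone, where the registry signs it; the key tag and digest are computed from your own DNSKEY exactly as above, so you can verify what the registrar shows you before submitting it.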

  2. Software development like the good old days... by Anonymous Coward · · Score: 5, Insightful

    “ISC has been intimately involved with the development of DNSSEC for more than fourteen years..." "Today's milestone marked the final step in a seven month process of evaluation and incremental deployment, assuring operational readiness of systems, software, and processes necessary for any significant change to the DNS root."

    Just like the good old days. Not like the Rapid Application Development that pushes crap out the door that goes obsolete before all the bugs are fixed. I miss those days.

    1. Re:Software development like the good old days... by ergrthjuyt · · Score: 1, Insightful

      Rapid application development has its place. The point is to iterate quickly and have short milestones; it doesn't have anything to do with "shove stuff out the door and stop maintaining it."

      That said, the majority of software projects, in my experience, would be much better off adopting a more waterfall-like development model rather than that agile crap or whatever the latest buzzword is. Obviously a system that affects the entire fricken internet is one such example.

    2. Re:Software development like the good old days... by mcrbids · · Score: 3, Insightful

      Things have changed, a bit. The once radical idea of domain names has become so infrastructural that the failure of the DNS system would cause a DOS attack on the global economy. Basically, there probably isn't a single system that is more critical to the global economy than DNS except perhaps the IMF.

      So, 7 months to roll out... pretty aggressive, if you ask me! I can't imagine the pressure that people in these positions actually have to endure...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.

    3. Re:Software development like the good old days... by phyrexianshaw.ca · · Score: 4, Insightful

      Though your toilet may continue to work without DNS being there, the company that keeps your water flowing would likely slow to a crawl if they were unable to e-mail/call the partners they do business with.

      VoIP servers, when calling other VoIP servers, will make DNS lookups to get IPs to establish such calls, though anything that's done over the PSTN just goes through the phone company's version of DNS, the CO.

      E-mail would fall apart inside the TTL of the cache entries. Web browsing would quickly deteriorate. Most debit machines that I've installed are hand coded with static IPs, though most ABMs were DNS names (because the service cost for ABMs is much higher than just leading the business owner/tech through changing IPs on a terminal over the phone).

      However, as the DNS system follows the CO ideology, the ISPs all along the way would have the simple ability to just switch away from the CO-stored root zone and only provide certain names' resolvability. This would allow ISPs the ability to offer "services like Google! Something not all providers are able to say!" as a promo, attracting people that don't know better.

      In my city, the vast majority of DNS names for city locations/devices are internal names anyway. None of them are accessible via the root zone. To systems like these the aforementioned changes would make no difference in the world.

  3. Re:For the rest of us... by Anonymous Coward · · Score: 2, Insightful

    Clients should really never be pointing to the root servers directly, so nothing.

  4. Say goodbye to... by valeo.de · · Score: 2, Insightful

    ...UDP-based DNS queries.

    --
    cat: /home/valeo/.sig: No such file or directory

    1. Re:Say goodbye to... by Anonymous Coward · · Score: 2, Insightful

      You'll find Ethernet everywhere. Most ISPs use 10GE and 40GE Links for long haul.

      And the IXes also use Ethernet for connections.

      Really, there are fewer uses of non-Ethernet connections every day.

  5. Re:Too complicated: designed by ISC for ISC? by TheRaven64 · · Score: 3, Insightful

    DNSSEC has always seemed to me as being overly complex for what it is actually doing (I'd say the same thing about the DNS protocol in general).

    Given that the DNS protocol is about the simplest protocol currently deployed on the Internet, and yet has managed to scale to the insane degree demanded of it, I can't help think that this implies that you have absolutely no idea what you are talking about.

    --
    I am TheRaven on Soylent News

  6. Re:Too complicated: designed by ISC for ISC? by XanC · · Score: 2, Insightful

    No, with normal encryption like this, you're trying to make sure that only the other party can decrypt and read your communication.

    What kills DRM is the attempt to allow the other party to read, but not decrypt, the communication. This is obviously silly.