Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNSSEC Comes To .Net Zone Today

Posted by kdawson on from the if-it-were-easy-we'd-be-done-already dept.

wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year."Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."

3 of 62 comments (clear)

  1. Re:More security in what way? by xMrFishx · · Score: 1, Interesting

    We'll all have to move to non US domains. Like .tr which stands for TERROR. Obviously. Oh wait. ICANN. No such thing as non US controlled. I wouldn't mind EUCANN (you can) existing. But no doubt the powers that be (read: powers that do because they cann) would have too much sway. I cringe each time the word hacktivists is used on the news.

  2. Certificates in DNS. by Timmmm · · Score: 4, Interesting

    Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

    Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

    1. Re:Certificates in DNS. by Anonymous Coward · · Score: 2, Interesting

      Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

      Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

      There are CERT records that can have X.509 (SSL/TLS) certificates:

      http://tools.ietf.org/html/rfc4398

      Just like a browser can do a look up for the A record of a web site, it could also look up the CERT record if it was so inclined.

      With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.