Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNSSEC Comes To .Net Zone Today

Posted by kdawson on from the if-it-were-easy-we'd-be-done-already dept.

wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year."Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."

6 of 62 comments (clear)

  1. Re:More security in what way? by Anonymous Coward · · Score: 5, Insightful

    The USA is your boogieman.

    but hey, it's popular to hate them, lets go for it! They are magically worse than everyone else (many of whom do exactly the same, some are better, some are worse) because they have power and you aren't with them.

    Grow up. They'll drop down a few pegs in the next 10-20 years, and the EU, China or both will become a more formidable power. Don't worry. I hope you are in one and can enjoy the other side of the idiocy you are propagating.

  2. Has been sued almost immediately. by 140Mandak262Jamuna · · Score: 4, Funny

    Looks like the lawyers of Microsoft were anticipating this move and were itching for a fight. They have sued the entire internet for infringing on their trademark .Net

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:More security in what way? by Spy+der+Mann · · Score: 5, Insightful

    I was thinking more or less the same thing.

    The point is that a good domain name system implementation needs to be secure against protocol attacks. DNSSEC secures it against hackers, but makes it more vulnerable to political attacks. Because DNS was designed to be centralized.

    The problem with currently emerging alternatives is that they're designed to be decentralized, making them vulnerable to protocol attacks. However, a good p2p implementation would use an underlying hierarchy based on the anonymity of the name authorities, and they would be able to establish further authority points. But that protocol isn't even invented yet as far as I recall, and it would require a hell lot of thought and encryption.

    In any case, more cryptographic security is better, not worse. If you want someone to blame, it's the inventors of DNS for establishing a US-based name authority. Oh wait, the Internet was invented in the US, by none other than the DARPA. Go figure.

  4. Certificates in DNS. by Timmmm · · Score: 4, Interesting

    Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

    Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

  5. Re:More security in what way? by Desert+Raven · · Score: 4, Informative

    You really don't know what DNSSEC is, do you?

    What DNSSEC does: DNSSEC provides a means for an end-user to determine the authenticity of the DNS data they receive by proving that only someone in control of the domain could have served the record.

    What DNSSEC does not do: DNSSEC does not provide for the security of data being exchanged between systems.

    With DNSSEC, each domain admin holds their own private keys. Nobody else should ever see them. Chain of authenticity is provided by each parent domain signing the delegation records provided by the child domain.

    So, for the "government" to "exert control" over your domain, they would have to completely spoof every parent of your domain. This would affect not just your domain, but all domains in that TLD. Pretty sure if everyone in .com all broke at the same time, someone would notice. In short, this makes it harder for someone to take control of your DNS. If the "government" wanted it to be easier, they never would have allowed the root to be signed.

    And let's face it, DNSSEC was not designed for you. DNSSEC is designed for businesses, banks and other large entities who are trying to protect their customers from being spoofed. It is just another tool like SSL. And, IMO, anyone who uses SSL certs should use DNSSEC. If you don't use SSL, it's highly unlikely you need DNSSEC.

    But hey, if all you want to do is spew ridiculous conspiracy theories, never mind, rant on.

  6. Re:More security in what way? by plcurechax · · Score: 4, Informative

    I was thinking more or less the same thing.

    The point is that a good domain name system implementation needs to be secure against protocol attacks. DNSSEC secures it against hackers, but makes it more vulnerable to political attacks.

    You do know that DNS root servers are located (and co-located) around the world (20+ countries I believe off the top of my head), and they are all equal. The only US-centric part is that the designated maintainers (ICANN and IANA) are US based organizations, in large part due to historically originating in the US, and this does have the benefit being one of the best legal protection for free-speech in the world.

    If you want an alternate system, edit your DNS root hints file.

    Join the Internet Society, ICANN, and your national domain registrar if you want to make difference.