Slashdot Mirror


ARIN Implements DNSSEC

wmbetts writes with this quote from an announcement by the American Registry for Internet Numbers: "On 27 April, ARIN placed Delegation Signer (DS) records into in-addr.arpa and ip6.arpa. Now DNSSEC validation will occur from the root down if you properly set up your DNSSEC-aware recursive resolver. For most DNSSEC-aware recursive resolver operators, nothing needs to be done for this change to be in effect as long as you have configured your DNSSEC-aware server to use ICANN's trust anchor for the root zone."

3 of 44 comments

  1. ISP Hijacking by theshowmecanuck · · Score: 4, Interesting

    Will this stop ISP hijacking the 404 not found messages and redirecting us to their spam?

    --
    I ignore anonymous replies to my comments and postings.
    1. Re:ISP Hijacking by Necroman · · Score: 4, Informative

      It all depends on how the hijacking works. All this (DNSSEC) does is validate that the DNS information (IP address) for a given hostname is correct. This will stop rogue DNS servers from reporting an incorrect IP address for a given hostname.

      From my understanding of the ISP hijacking of web traffic, they are doing deep inspection of the packet data, looking for requests that are HTTP, and inserting data (be it a redirect or ads). They are performing a man-in-the-middle attack on unencrypted data.

      The only way to stop ISP hijacking is to use https everywhere. Even with that, ISPs could use man-in-the-middle and inject a new SSL cert, but it probably wouldn't be signed by a trusted source (so the user would get an evil warning message from their browser).

      --
      It's not what it is, it's something else.
  2. Re:DNSSEC by kevmeister · · Score: 5, Interesting

    You are confused. DNSSEC (no hyphen) does not use certificates nor CAs.

    DNSSEC uses an anchored chain of trust system applicable to only hierarchical systems. It is similar in many ways to PGP, but, as long as a DNS operator chooses to trust a root key (not cert), the rest of the trust is cryptographically chained to the bottom of the tree.

    The system does place a great deal of responsibility on the root, but, if you read the way the keys are handled, the actual "keys to the kingdom" are spread across a number of people, all well known and not a part of ICANN. A fair percentage are academics. It is a very elegant and very carefully thought out system and is cryptographically provable.

    Also, similar to SSH, only you hold the private keys for your zones. You don't give those to anyone.

    --
    Kevin Oberman, Network Engineer, Retired
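The anchored chain kevmeister describes, and the DS records ARIN placed into in-addr.arpa, modelled in Python as an added example that is not part of the original discussion: a parent zone publishes a DS digest over its child's DNSKEY (RFC 4034 digest type 2), and validation walks from a configured root trust anchor down to a reverse zone. The keys, the 2.0.192.in-addr.arpa zone and the rogue-key case are constructed placeholders, and RRSIG signature verification is left out to keep the focus on the DS-to-DNSKEY linkage.

```python
import hashlib
import struct
# Constructed model of the DNSSEC chain of trust (RFC 4034): each parent zone
# publishes a DS record whose digest commits to its child's DNSKEY, so a resolver
# only needs the root's DS (the trust anchor). RRSIG checks are left out here.

def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased, as the DS digest requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over wire-format owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def validate_chain(trust_anchor: str, zones: list) -> bool:
    """Walk top-down over (owner, DNSKEY RDATA, DS published for the child).
    A zone's key must match the DS its parent holds; the root's DS is the
    configured trust anchor. Returns False at the first broken link."""
    expected = trust_anchor
    for owner, rdata, child_ds in zones:
        if ds_digest(owner, rdata) != expected:
            return False  # parent never vouched for this key
        expected = child_ds
    return True

# Constructed placeholder keys (flags 257 = KSK); 192.0.2/24 is the TEST-NET range.
KEYS = {name: dnskey_rdata(257, 8, b"constructed-ksk-for-" + name.encode())
        for name in (".", "arpa.", "in-addr.arpa.", "2.0.192.in-addr.arpa.")}
TRUST_ANCHOR = ds_digest(".", KEYS["."])  # stands in for ICANN's root anchor
def build_chain(served: dict = KEYS, delegated: dict = KEYS) -> list:
    """Zones answer with keys from `served` while parents publish DS records
    computed from `delegated`; the two differ only under tampering."""
    names = list(delegated)
    chain = []
    for i, n in enumerate(names):
        child = names[i + 1] if i + 1 < len(names) else None
        chain.append((n, served[n], ds_digest(child, delegated[child]) if child else None))
    return chain

def rogue_chain() -> list:
    """A rogue key answering for in-addr.arpa that the arpa zone never signed off on."""
    return build_chain({**KEYS, "in-addr.arpa.": dnskey_rdata(257, 8, b"rogue")})
```

Swapping in a different trust anchor, or a key the parent's DS does not commit to, breaks validation at that link, which is exactly the property that lets a resolver trust only the root key and chain everything below it.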