
Root DNS Zone Now DNSSEC Signed

Posted by timothy
from the signing-of-the-times dept.
r00tyroot writes with news that slipped by yesterday, quoting from the Internet Systems Consortium's release: "ISC joined other key participants of the Internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers."
  • by oldhack (1037484) on Friday July 16, 2010 @10:38PM (#32934824)
    What do we need to do on our side, the DNS client side?
  • by Anonymous Coward on Friday July 16, 2010 @10:54PM (#32934868)

    DNSSEC has always seemed to me as being overly complex for what it is actually doing (I'd say the same thing about the DNS protocol in general).

    It seems to me that DNSSEC was "designed by ISC for ISC" in the sense that the only people who have the time, resources and willpower to set up Bind/DNSSEC correctly are running the root nameservers. However I would have thought the interface between users and multitudes of privately operated nameservers would be the most critical aspect of securing DNS. If administrators of authoritative and caching nameservers (ranging in size from small companies through to technology giants and ISPs) are unable to correctly set up DNSSEC because it is too complex, what have you gained? A poorly configured implementation of DNSSEC could be less secure on the basis that you have more lines of code containing bugs and more configuration options to get wrong.

    When I read about DNSCurve it seems much simpler in achieving similar goals.

    So my question is, does DNSSEC really have to appear so complicated? How do they expect nameserver administrators to properly configure their complex DNSSEC-enabled name servers?

  • by h4rr4r (612664) on Friday July 16, 2010 @11:14PM (#32934930)

    Looks pretty easy, at least as easy as setting up bind and a few zones.

  • by Anonymous Coward on Saturday July 17, 2010 @01:23AM (#32935298)

    that the USoA government has broken its promises not to meddle. It's sitting on the keys even if through its shills. Of course, the failure to come through on this "hands on" thing was almost inevitable seeing the last sixty years or so of meddling, failure to live up to treaties, and so on. I'll forgive them this once if they manage to spin off the holding of the keys into something like a council of keyholders, at most 10% of them American citizens, that are to the last member chosen by the internet community, not just governments and certainly not just one government. It doesn't have to be an intrusive council; all they have to do is safeguard the keys. But it won't happen. The USoA likes to meddle too much. Land of the free, bravely pissing on other people's freedom. Ha ha.

  • Re:OS Support (Score:3, Interesting)

    by TheRaven64 (641858) on Saturday July 17, 2010 @03:36AM (#32935640) Journal

    A better question is whether there is any portable API for accessing this information. When I call getaddrinfo(), can I tell whether a particular address is DNSSEC-signed? OpenBSD has a flag for this, but is it going to be standardised? Do other platforms have anything equivalent? If it is using DNSSEC, can I also check easily if there is an IPSECKEY record and establish an IPsec connection using it if there is?

  • I wonder whether you're right.

    What kind of services rely on DNS? Web and email communication, obviously, but would voice communication either via cell phones or landlines break down? I suppose much of the voice traffic is routed over the same physical backbone as the Internet, but does it share the same server infrastructure including DNS? What about bank transactions? Are companies smart enough to handle internal communication (even if it touches the net) in a way that would work without DNS? Or would my toilet refuse working without DNS?

    Also: considering the distributed, caching nature of DNS, how long would it take for a problem in the root zone to affect people? (Wasn't there a root zone incident a short while back?) Would that give people enough time to revert a botched rollout?

  • Re:Great! (Score:2, Interesting)

    by penguin359 (763783) on Saturday July 17, 2010 @08:54PM (#32940446) Homepage
    Actually, you can't transfer a domain when it's close (~30 days I think) to expiring to avoid it expiring mid-transfer. You shouldn't lose any time off of the original registration. It should just extend it so it's probably better to transfer now. Check on the rules for that from both registrars.
