Root DNS Zone Now DNSSEC Signed
r00tyroot writes with news that slipped by yesterday, quoting from the Internet Systems Consortium's release: "ISC joined other key participants of the Internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers."
Re:OS Support (Score:4, Informative)
DNSSEC is generally optional. You can now speak DNSSEC to your local DNS server and now it can stay DNSSEC all the way to the root domain (assuming there are no breaks). Prior to this you could authenticate your own DNS server's response, but you were never sure that it was talking to the right person. If you send a standard DNSSEC request out it will respond in a standard, albeit insecure, way. DNSSEC's sole purpose in life is to prevent DNS hijacking.
Re:For the rest of us... (Score:4, Informative)
8.8.8.8 or another DNS provider. Clients should not talk to the roots. That, or set up your own DNS server.
Re:What should DNS server administrators do? (Score:1, Informative)
http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/ [techscrawl.com]
Next time you have a question like this you might want to try this new thing called google. It is just amazing.
Re:For the rest of us... (Score:2, Informative)
http://code.google.com/speed/public-dns/faq.html#sla [google.com]
Re:For the rest of us... (Score:5, Informative)
here is a tool [grc.com] that lets you figure out which are the best DNS servers to use for your internet connection.
Re:Say goodbye to... (Score:4, Informative)
The Internet is not an Ethernet network. The Internet Protocol guarantees that datagrams under 576 bytes (including packet header) are not fragmented, but a 1500 byte Ethernet frame still will be. You don't find Ethernet anywhere other than the edges of the Internet. The backbones still use a variety of other standards.
Fragmentation is a problem for a UDP-based protocol, which is why pretty much any UDP-based protocol tells you not to use packets bigger than the network MTU (1500 bytes for Ethernet, 576 for the Internet).
Re:One More Error Message For Users To Ignore (Score:4, Informative)
Wrong. A bad signature will make the hostname unresolvable.
Re:For the rest of us... (Score:1, Informative)
That is not generally true. Clients should not configure root servers as one of their recursive resolvers. There's nothing wrong with using root servers as non-recursive resolvers though.
I recommend running Unbound [unbound.net] locally. Unbound is a small recursive resolver which validates records with DNSSEC. You can run it as a service on your Windows machine and point your "DNS" to 127.0.0.1. This way your computer does all the cryptographic checking. It will talk to the root servers directly, but only infrequently (thanks to caching) and only for a few records (the name servers of the top level domains).
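As an added illustration of the setup described in that comment (not part of the original post or of Unbound's own documentation), a minimal unbound.conf that listens on loopback and validates with the root trust anchor. The file path for the anchor is an assumption; the directive names are Unbound's own.

```conf
server:
    # Listen only on loopback; the OS resolver points at 127.0.0.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Root zone trust anchor, kept current per RFC 5011 (path is an assumption;
    # create it first with: unbound-anchor -a /var/lib/unbound/root.key)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat DNSSEC data stripped by a middlebox as bogus, not as "unsigned"
    harden-dnssec-stripped: yes

    # Never hand out answers that failed validation; the client gets SERVFAIL
    val-permissive-mode: no
```

With this in place the machine does its own cryptographic checking, and a bad or missing signature in a signed zone shows up as a resolution failure rather than a silently accepted answer.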
Re:One More Error Message For Users To Ignore (Score:3, Informative)
You know this isn't the type of server that users ever actually /see/ right? Or have you never set up/run a DNS infrastructure before to know what DNSSec is actually for?
Re:OS Support (Score:1, Informative)
You can get a plugin for Firefox that does inform you if something is signed and validated, signed and not validated and signed and broken. But you need a caching server that does all the checks for you. If you don't have a chain of trust, either through the entire chain . -> com -> domain -> www or a Parent/Child lookup, DNSSEC doesn't provide any verification of the results.
DNSSEC Validator is the name of the add-on.
Re:Too complicated: designed by ISC for ISC? (Score:3, Informative)
DNSSEC has always seemed to me overly complex for what it is actually doing (I'd say the same thing about the DNS protocol in general).
...
When I read about DNSCurve it seems much simpler in achieving similar goals.
I read comments like this quite regularly. Actually, DNSCurve does something pretty different from DNSSEC.
DNSCurve encrypts communication between DNS clients and servers (or between DNS servers). Like with HTTPS or IMAPS, this means someone between you and your DNS provider can't see what you're looking up, or MITM you to change results.
But DNSCurve does nothing to guarantee you're getting a good answer. You have to trust your DNS provider: both that they are trustworthy and that they have their server secured properly. You also have to trust any recursive DNS lookups your provider does and each of their intentions and configurations.
DNSSEC, on the other hand, signs the records that you're returned (like PGP signed emails) but it doesn't encrypt the traffic. Someone could still snoop on your DNS traffic and see what you're looking up, but with the hierarchical set of signed records no-one except the authoritative name server can change the answer. Not your DNS provider nor any other resolvers they depend on.
It's the difference between getting your email over IMAPS and having it PGP signed -- you don't need to trust every intermediary. Yet I don't see anyone saying, "since we can now do SMTP and IMAP over SSL we don't need PGP or S/MIME."
You could certainly use both: DNSCurve to provide encryption, so that no-one but your DNS provider knows what you're looking up, and DNSSEC so you know it is actually a valid record.
Re:For the rest of us... (Score:2, Informative)
Yeah, OpenDNS is awesome if you like the fact that they hijack www.google.com and direct it to their own servers.
Come to think of it, no, OpenDNS has never really been awesome, it's just been better than absolute shit.
Re:Say goodbye to... (Score:1, Informative)
Thanks for the explanation. Interestingly, I noticed an exception to this 512 byte size limit - the 'unbound' resolver daemon. I run this on my LAN and from what I can see, it seems to ignore this 512 limit and continues to do full UDP lookups against the root name servers, which are still happy to serve a valid reply to this (here is a full tcpdump):
23:37:48.840440 00:18:7d:X:X:X > 00:21:d8:X:X:X, ethertype IPv4 (0x0800), length 70: X.X.X.X.11318 > 192.112.36.4.53: 39632% [1au] ANY? . (28)
23:37:48.895294 00:21:d8:X:X:X > 00:18:7d:X:X:X, ethertype IPv4 (0x0800), length 1193: 192.112.36.4.53 > X.X.X.X.11318: 39632*-| 7/0/1 SOA[|domain]
That be a 1193 byte UDP reply packet from G.ROOT-SERVERS.NET then, right? :-)
Personally, I think the limit is a bit of a farce now. Yes, it may have been needed in the old days, but things have drastically moved on now. However, for all those sysadmins who don't run this resolver, better check your firewalls and make sure TCP outbound port 53 is allowed otherwise you ain't gonna be resolving much.
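The "[1au]" in that tcpdump line is an EDNS0 OPT pseudo-record in the additional section: the client advertises a UDP payload size larger than the classic 512 bytes, which is what lets G.ROOT-SERVERS.NET send a 1193-byte UDP reply. The following is an added example (not code from the original post or from any resolver) that builds the same `ANY? .` query on the wire, reads the advertised size back out of a message, and shows the TC-bit check that forces the TCP fallback the comment warns about. Transaction ID, payload size and the truncated reply are constructed values.

```python
import struct

TYPE_OPT = 41        # EDNS0 pseudo-RR type (RFC 2671)
FLAG_TC = 0x0200     # TrunCation bit in the DNS header flags
DO_BIT = 0x8000      # "DNSSEC OK": top bit of the OPT record's TTL field


def name_to_wire(name):
    """Encode an owner name as DNS labels; "." (the root) is a single zero byte."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"


def build_query(qname, qtype, udp_size=4096, edns=True, do=True, txid=0x9AD0):
    """Query with RD set. With edns=True, one OPT RR in the additional section
    (the "[1au]" in the capture) advertises udp_size and sets the DO bit.
    txid 0x9AD0 is 39632, the ID shown in the tcpdump above (a constructed choice)."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += name_to_wire(qname) + struct.pack("!HH", qtype, 1)          # QCLASS IN
    if edns:
        # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode/version/flags (DO is the top bit), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def find_opt(msg):
    """Return (advertised UDP payload size, DO bit) from the OPT RR, or None when
    the message carries no EDNS0 at all (a classic 512-byte-only client)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
    return None


def udp_limit(msg):
    """Largest UDP reply the sender may be given; RFC 2671 treats anything below 512 as 512."""
    opt = find_opt(msg)
    return 512 if opt is None else max(512, opt[0])


def needs_tcp_retry(response):
    """A resolver must retry over TCP when the server had to truncate (TC=1)."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def make_truncated_response(query):
    """Constructed reply: QR|TC|RD|RA set, question echoed, no records; what a
    server sends when the answer does not fit within the client's limit."""
    qend = _skip_name(query, 12) + 4
    return query[:2] + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + query[12:qend]


if __name__ == "__main__":
    q = build_query(".", 255)                          # ANY? . as in the capture
    print(len(q), find_opt(q), udp_limit(q))           # 28 (4096, True) 4096
    print(needs_tcp_retry(make_truncated_response(q)))  # True
```

The 28-byte payload matches the "(28)" in the capture: 12 bytes of header, 5 for the root-name question, 11 for the OPT record. A client that sends no OPT record at all gets a `udp_limit` of 512, and a signed response that does not fit comes back with TC set, which is why outbound TCP/53 has to be open.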
Re:Great! (Score:3, Informative)
But .org does not have a full trust chain set up from the root yet.
Only these have a full chain right now:
bg br cat cz na tm uk
org and gov, se and others may be signed, but the root does not have DS records yet for those TLDs.