Root DNS Zone Now DNSSEC Signed
r00tyroot writes with news that slipped by yesterday, quoting from the Internet Systems Consortium's release: "ISC joined other key participants of the Internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers."
Too complicated: designed by ISC for ISC? (Score:1, Interesting)
DNSSEC has always seemed to me as being overly complex for what it is actually doing (I'd say the same thing about the DNS protocol in general).
It seems to me that DNSSEC was "designed by ISC for ISC" in the sense that the only people who have the time, resources and willpower to set up Bind/DNSSEC correctly are running the root nameservers. However, I would have thought the interface between users and multitudes of privately operated nameservers would be the most critical aspect of securing DNS. If administrators of authoritative and caching nameservers (ranging in size from small companies through to technology giants and ISPs) are unable to correctly set up DNSSEC because it is too complex, what have you gained? A poorly configured implementation of DNSSEC could be less secure on the basis that you have more lines of code containing bugs and more configuration options to get wrong.
When I read about DNSCurve it seems much simpler in achieving similar goals.
So my question is, does DNSSEC really have to appear so complicated? How do they expect nameserver administrators to properly configure their complex DNSSEC-enabled name servers?
Re:Too complicated: designed by ISC for ISC? (Score:4, Interesting)
http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
Looks pretty easy, at least as easy as setting up bind and a few zones.
I know none of you care (Score:0, Interesting)
that the USoA government has broken its promises not to meddle. It's sitting on the keys even if through its shills. Of course, the failure to come through on this "hands on" thing was almost inevitable seeing the last sixty years or so of meddling, failure to live up to treaties, and so on. I'll forgive them this once if they manage to spin off the holding of the keys into something like a council of keyholders, at most 10% of them American citizens, that are to the last member chosen by the internet community, not just governments and certainly not just one government. It doesn't have to be an intrusive council; all they have to do is safeguard the keys. But it won't happen. The USoA likes to meddle too much. Land of the free, bravely pissing on other people's freedom. Ha ha.
Re:OS Support (Score:3, Interesting)
A better question is whether there is any portable API for accessing this information. When I call getaddrinfo(), can I tell whether a particular address is DNSSEC-signed? OpenBSD has a flag for this, but is it going to be standardised? Do other platforms have anything equivalent? If it is using DNSSEC, can I also check easily if there is an IPSECKEY record and establish an IPsec connection using it if there is?
Re:Software development like the good old days... (Score:3, Interesting)
I wonder whether you're right.
What kind of services rely on DNS? Web and email communication, obviously, but would voice communication either via cell phones or landlines break down? I suppose much of the voice traffic is routed over the same physical backbone as the Internet, but does it share the same server infrastructure including DNS? What about bank transactions? Are companies smart enough to handle internal communication (even if it touches the net) in a way that would work without DNS? Or would my toilet refuse to work without DNS?
Also: considering the distributed, caching nature of DNS, how long would it take for a problem in the root zone to affect people? (Wasn't there a root zone incident a short while back?) Would that give people enough time to revert a botched rollout?