DNSSEC Comes To .Net Zone Today
62
wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year."Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."
Re:More security in what way? (Score:1, Interesting)
Certificates in DNS. (Score:5, Interesting)
Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.
Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.
Re:Certificates in DNS. (Score:2, Interesting)
Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.
Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.
There are CERT records that can have X.509 (SSL/TLS) certificates:
http://tools.ietf.org/html/rfc4398
Just like a browser can do a look up for the A record of a web site, it could also look up the CERT record if it was so inclined.
With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.