Networking, Security, The Internet, Technology

DNSSEC Comes To .Net Zone Today

Posted by kdawson
from the if-it-were-easy-we'd-be-done-already dept.
wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year. "Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."
  • by 140Mandak262Jamuna (970587) on Friday December 10, 2010 @10:03AM (#34514078) Journal
    Looks like the lawyers of Microsoft were anticipating this move and were itching for a fight. They have sued the entire internet for infringing on their trademark .Net
  • Certificates in DNS. (Score:5, Interesting)

    by Timmmm (636430) on Friday December 10, 2010 @10:18AM (#34514172)

    Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

    Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

    • RFC4398 [ietf.org] defines a CERT record to store certificates, but I have no idea if it's supported by current DNS resolvers (I doubt it is).

      • by marka63 (1237718)

        It was supported by the very oldest resolvers. A good resolver library handles unknown record types and passes them back to the application to handle as an opaque blob. res_query() from BIND 4.8 can retrieve CERT records for the application. Just ask it to retrieve type 37 for you.

    • by amorsen (7485) <benny+slashdot@amorsen.dk> on Friday December 10, 2010 @11:08AM (#34514630)

      DNS is just a database. You can store anything you want in it. If you're storing something you want lots of people to care about, it's best to get a dedicated record type for it, but if you just want to play around you can use TXT records. There is a record type for certificates.

      So yes, you can do

      www.example.com IN TXT "this server should only be contacted by HTTPS. Do not gopher!"

      but web browsers are not likely to ask for that record. Feel free to develop a browser which does or ask the browser developers to include this feature.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

      Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

      There are CERT records that can have X.509 (SSL/TLS) certificates:

      http://tools.ietf.org/html/rfc4398

      Just like a browser can do a look up for the A record of a web site, it could also look up the CERT record if it was so inclined.

      With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.

      • by rduke15 (721841)

        With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.

        This is news for me, and extremely interesting. Are there any browsers/mail clients/whatever supporting this? Anything worth reading about it? Instructions on how to implement it and make some experimental use of it?

        Can we lobby for this to be implemented in browsers, email, and the rest?

        Currently, you either have to pay some CA, or be your own CA which nobody trusts, and have everyone install the cert or constantly click through the warnings maze.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Coincidentally, today this working group became official:

      http://www.ietf.org/mail-archive/web/keyassure/current/msg01078.html

      Objective:

      Specify mechanisms and techniques that allow Internet applications to
      establish cryptographically secured communications by using information
      distributed through DNSSEC for discovering and authenticating public
      keys which are associated with a service located at a domain name.
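The lookups discussed in this subthread (marka63's "retrieve type 37", amorsen's TXT record, and the Anonymous Coward's RFC 4398 CERT pointer), as an added example that is not from the thread or any poster: a standard-library Python script that builds the wire-format query an application would send for a CERT (or TXT) record with the EDNS0 DO bit set, and parses CERT RDATA into its fields and zone-file presentation form. All byte values are constructed, `example.com` and the "certificate" bytes are placeholders, and nothing is sent on the network.

```python
import base64
import struct

# Constants from RFC 4398 (CERT) and RFC 6891 (EDNS0)
TYPE_CERT = 37
TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1
EDNS_DO = 0x8000          # "DNSSEC OK" bit, carried in the OPT record's TTL field
RD_FLAG = 0x0100          # header flags: recursion desired

# Certificate type mnemonics from RFC 4398 section 2.1
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name into uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, rrtype: int, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a UDP query for (name, rrtype) carrying an OPT RR so a validating
    resolver returns RRSIGs and sets the AD bit when the answer validates."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", rrtype, CLASS_IN)
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size,
    # TTL = extended rcode / version / flags (DO is the top flag bit), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA (RFC 4398 section 2) into type, key tag, algorithm, certificate."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag_value, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, str(cert_type)),
        "key_tag": key_tag_value,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def cert_to_presentation(rdata: bytes) -> str:
    """Render CERT RDATA in zone-file presentation format (RFC 4398 section 2.2)."""
    f = parse_cert_rdata(rdata)
    b64 = base64.b64encode(f["certificate"]).decode("ascii")
    return f'{f["type_name"]} {f["key_tag"]} {f["algorithm"]} {b64}'


def key_tag(public_key_rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, which RFC 4398 reuses for the CERT key
    tag field (the special case for algorithm 1 is not handled here)."""
    ac = 0
    for i, byte in enumerate(public_key_rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# Constructed sample: a PKIX CERT record whose "certificate" is just the first
# bytes of a DER SEQUENCE header, standing in for a real X.509 blob.
SAMPLE_CERT_RDATA = struct.pack("!HHB", 1, 12345, 8) + b"\x30\x82\x01\x00"

if __name__ == "__main__":
    q = build_query("example.com", TYPE_CERT)
    print("CERT query bytes:", q.hex())
    print("TXT query bytes: ", build_query("www.example.com", TYPE_TXT).hex())
    print("sample CERT:", cert_to_presentation(SAMPLE_CERT_RDATA))
```

The DO bit is what makes a validating resolver include signatures and set the AD bit; an application that wants to trust a CERT RR the way the Anonymous Coward describes has to either check AD over a channel it trusts to the resolver or validate the RRSIG chain itself. Without one of those, a CERT or TXT lookup is no stronger than unsigned DNS.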

  • by Desert Raven (52125) on Friday December 10, 2010 @10:42AM (#34514408)

    Actually, .net was enabled sometime around 16:00 GMT yesterday. They just didn't announce it until today.

    I was doing testing of a DNSSEC system yesterday, and one of my test cases changed state on me unexpectedly. (Signed zone in an unsigned parent)

  • Yesterday I thought we were planning on getting rid of DNS... huh.
  • I'm aware that DNSSEC is currently supported in test builds of PowerDNS, but consider this a vote for having it available in stable by the time .com gets signed.

    (In the interim, I figure having BIND slaves serving data off of PowerDNS would work, since PDNS can handle DNSSEC RR types)

    • by marka63 (1237718)

      BIND 9 has supported DNSSEC for the last 10 years. It was used in production testbeds (BIND 9.1 and 9.2) which led to a redesign of the trust model at delegation points.

      BIND 9.3 onwards has supported the current DNSSEC with NSEC3 support being added in BIND 9.6. RSASHA256 (used in the root) and RSASHA512 support was added in BIND 9.6.2 and BIND 9.7.
