
ARIN Implements DNSSEC

wmbetts writes with this quote from an announcement by the American Registry for Internet Numbers: "On 27 April, ARIN placed Delegation Signer (DS) records into in-addr.arpa and ip6.arpa. Now DNSSEC validation will occur from the root down if you properly set up your DNSSEC-aware recursive resolver. For most DNSSEC-aware recursive resolver operators, nothing needs to be done for this change to be in effect as long as you have configured your DNSSEC-aware server to use ICANN's trust anchor for the root zone."

  • DNS-SEC (Score:2, Interesting)

    by Jeremiah Cornelius ( 137 ) on Friday April 29, 2011 @05:44PM (#35979876) Homepage Journal

    Introducing the intractable problems of commercial CAs to the remediable problems of DNS.

    Great solution.

  • ISP Hijacking (Score:5, Interesting)

    by theshowmecanuck ( 703852 ) on Friday April 29, 2011 @05:51PM (#35979938) Journal
    Will this stop ISP hijacking the 404 not found messages and redirecting us to their spam?
  • Re:DNSSEC (Score:5, Interesting)

    by kevmeister ( 979231 ) on Friday April 29, 2011 @06:00PM (#35980038) Homepage

    You are confused. DNSSEC (no hyphen) does not use certificates nor CAs.

    DNSSEC uses an anchored chain of trust system applicable to only hierarchical systems. It is similar in many ways to PGP, but, as long as a DNS operator chooses to trust a root key (not cert), the rest of the trust is cryptographically chained to the bottom of the tree.

    The system does place a great deal of responsibility on the root, but, if you read the way the keys are handled, the actual "keys to the kingdom" are spread across a number of people, all well known and not a part of ICANN. A fair percentage are academics. It is a very elegant and very carefully thought out system and is cryptographically provable.

    Also, similar to SSH, only you hold the private keys for your zones. You don't give those to anyone.

  • by Anonymous Coward on Friday April 29, 2011 @06:01PM (#35980046)

    All of these stories on DNSSEC make me wonder about what software supports it. As far as I know, Windows 7 and the various *BSD and Linux operating systems have a resolver that supports DNSSEC. No browser I am aware of can tell you the security status based on DNSSEC. There is not really a point for DNSSEC if you cannot indicate its status somehow to the user or have the browser reject spoofed pages, or have the browser force secure resolving, etc.
