Comment Re:Why We Need It (Score 4, Informative) 49
Uhh...
If you want to get a list of all signed domains, check out:
Look up any TLDs you want there.
Comment Re:Good FA (Score 3, Informative) 49
You've actually hit onto something that some people think is _very_ important:
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html
By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv
Submission + - .edu announces plans to sign with DNSSEC (ucla.edu)
jhutkd writes: "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010.
This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments! Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy!"
This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through
Comment Re:Why DNSSEC? (Score 1) 89
Rather than start w/ his example, consider the attacks seen after the Kaminsky announcement: MX records were being forged. Now I can poison an ISP's caches w/ the wrong records for email of any site and all of your email will go through me. Do you ever send anything interesting over email?
WRT the video, at Blackhat there was a presentation demoing the creation of forged SSL certs using weak CAs. Now, if DNS hands you an IP for a domain that really belongs to a MitM. Now your browser _thinks_ that it is talking to the real domain and just needs a cert that matches. Poof, wormhole attack.
Really, the problem here is your browser/OS comes bundled w/ a bunch of very poorly maintained root CAs that you should "trust". Who knows who many of them are, but if your browser is happy with a cert from any of them for any website, you get a nice false sense of security. DNSSEC doesn't address this specific problem. Rather, it makes it perfectly clear what DNS data can be verified. If you go to a rogue website, that is a higher level problem, but at least with DNSSEC you _know_ when you're at a rogue web site. SSL conflates too many things and can be dangerous if misunderstood.
Submission + - ICANN and NIST Announce Plans to Sign the DNS Root (icann.org)
jhutkd writes: "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC. Details are available at:
http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm
— and —
http://www.nist.gov/public_affairs/releases/dnssec_060309.html"
http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm
— and —
http://www.nist.gov/public_affairs/releases/dnssec_060309.html"
Comment Re:Why DNSSEC? (Score 3, Informative) 89
DNSSEC address issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it the actual record (such as the IP address(es) for a web site) served by a domain.
If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
http://www.youtube.com/watch?v=Yt-oJTj0j0o
Slashdot Top Deals
You can tune a piano, but you can't tuna fish. You can tune a filesystem, but you can't tuna fish. -- from the tunefs(8) man page
