Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
Security

Submission + - .edu announces plans to sign with DNSSEC (ucla.edu)

Submitted by
jhutkd
jhutkd writes: "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010.

This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments! Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy!"

Comment Re:Why DNSSEC? (Score 1) 89

by jhutkd (#28211941) Attached to: .ORG Zone Signed With DNSSEC

Rather than start w/ his example, consider the attacks seen after the Kaminsky announcement: MX records were being forged. Now I can poison an ISP's caches w/ the wrong records for email of any site and all of your email will go through me. Do you ever send anything interesting over email? ;) This was seen in the wild.

WRT the video, at Blackhat there was a presentation demoing the creation of forged SSL certs using weak CAs. Now, if DNS hands you an IP for a domain that really belongs to a MitM. Now your browser _thinks_ that it is talking to the real domain and just needs a cert that matches. Poof, wormhole attack.

Really, the problem here is your browser/OS comes bundled w/ a bunch of very poorly maintained root CAs that you should "trust". Who knows who many of them are, but if your browser is happy with a cert from any of them for any website, you get a nice false sense of security. DNSSEC doesn't address this specific problem. Rather, it makes it perfectly clear what DNS data can be verified. If you go to a rogue website, that is a higher level problem, but at least with DNSSEC you _know_ when you're at a rogue web site. SSL conflates too many things and can be dangerous if misunderstood.
Security

Submission + - ICANN and NIST Announce Plans to Sign the DNS Root (icann.org)

Submitted by
jhutkd
jhutkd writes: "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC. Details are available at:

http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm

— and —

http://www.nist.gov/public_affairs/releases/dnssec_060309.html"

Comment Re:Why DNSSEC? (Score 3, Informative) 89

by jhutkd (#28199885) Attached to: .ORG Zone Signed With DNSSEC

DNSSEC address issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it the actual record (such as the IP address(es) for a web site) served by a domain.

If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
      http://www.youtube.com/watch?v=Yt-oJTj0j0o

Comment Re:Hm, that and DNSsec sucks ass (Score 1) 101

by jhutkd (#25725999) Attached to: DNS Inventor Tackles Flaw

Wrong... RFC's go through lengthy comment periods as drafts and though there are none that get 100% support, their purpose is to serve as specifications so people know how to implement protocols (for example).

DNSSEC had been widely implemented, tested, argued over for about 10 years before the final RFCs... Check it out... >10 years

Know your history dude.

Slashdot Top Deals

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Close