Feeds

back to article DNSSEC finally goes mainstream

DNSSEC, a more secure version of the internet domain name to IP address lookup protocol, was enabled on the .com top-level domain on Thursday. The move by VeriSign, the operator of .com, marks an important milestone in the adoption of the technology, now accessible to 80 million registered domains. The internet's root servers …

COMMENTS

This topic is closed for new posts.
Stop

More than 25 top-level domains...have enabled DNSSEC since then

It might also be useful to point out that Nominet, the UK's domain registry, actually signed the .uk TLD on 1st March 2010 - before even the root servers were signed. They set a date of March 2011 for signing of .co.uk domains; this has now passed but we haven't had any further word from them.

It would be great if we could get an update on the status of the rollout in the UK.

0
0
Anonymous Coward

co.uk

The problem with signing co.uk is that it is served from the same servers as uk, normally each level gives the signature for the level below along with the referral to the servers handling it but if both layers are served from the same servers then this is skipped, the servers will just return a referral for theregister.co.uk along with the keys for theregister.co.uk signed by "co.uk" - but the resolver was only given the "uk" keys with the referral to the "uk" servers. The only work around for this is performing extra queries for the missing data (and last i checked several resolvers just failed rather than doing this).

DNSSEC is a complex badly designed poorly tested solution looking for a problem, and has caused countless problems that didn't exist before (ask .fr about their recent outage). Most of DNSSECs functionality wasn't tested properly and couldn't be tested properly until after it has been deployed and it's too late to fix things - which is why we have a situation where BIND is releasing empty updates just to make people restart their resolvers to limit the damage caused by a bug that breaks everything whenever a new zone is signed.

0
0
Anonymous Coward

can you point to some specifics?

Or must we google it and hope we find the right information?

I have tried to set up DNSSec before, unsuccessfully. I don't know whether the problem was with me, or the lousy documentation: e.i. not using 'system a' and 'system b' type indentifiers, but instead using 'local' and 'remote' interchangably.

1
1
Stop

Experts?

Who appointed them?

0
0
Pint

A

The Committee.

0
0
Paris Hilton

please apply clue

What are "IP results returned by a DNS query"?

Last time I checked, a DNS query returned resource records. Some of these might represent IP addresses.

Oh and it's not just .com that got signed yesterday. .net did too. Both TLDs use the same back-end registry.

Paris icon because her back-end regularly gets lookups.

1
0

.net

Actually it was just com - net got signed in december.

0
0
Silver badge
Happy

Re: Paris icon because her back-end regularly gets lookups.

That made me chuckle.

+1 Internets for you!

0
0
Anonymous Coward

Can't blame hacks for getting facts wrong...

... when over half the "security experts" in fact know nothing and unsurprisingly aren't very effective at this "delivering security" thing. Predictably, you end up with a lot of cargo culting.

Of course it's often enough the hacks that propel attention seekers to "expert" or even "guru" status without much checking or balancing at all. But that's a different discussion.

I for me know what DNSsec is and what it does but that's about it. Oh, and that there's a lot of contention about whether the solution is any good or fit for purpose or whatever. And of course there's an alternative by DJB that is better in some really narrow technical aspects but probably a lot worse for real-world use, as most of his code tends to be.

DNS is amazingly resilient, like how a certain ISP had half its servers answer with port zero (really) in the packets and they never noticed (really). Or how the IPv6 bunch badly borked the DNS design by inventing AAAA (_and_ A6) records instead of moving over to an inet6 domain. There's a reason multiple domains exist, and this is it, you know. So I'm not surprised DNSsec is such a bodge.

But then, we recently were forced to conclude (again, really) that the PKI is a complete crock. And as for PGP/GPG, read _why johnny can't encrypt_. That's the state of using crypto these days. What bothers me most, though, is the active refusal of (especially certain high-profile) "security consultants" to even consider the political ramifications of forcing governments to do anything, like signing the root. Yes, ICANN is still very much a government puppet, as much as everyone would like to deny it. Playing the ostrich doesn't make that go away. We simply can't afford to ignore elephants like that.

For now, likely nothing will happen. But building a threat of impending balkanisation right into your infrastructure isn't the smartest or most forward-looking thing to do.

1
1
This topic is closed for new posts.