Educause Announces Plans To Sign .edu TLD With DNSSEC
jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010.
This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."
Good FA (Score:4, Informative)
Very informative and well written, kudos to the submitter. For those who don't want to RTFA and wonder what DNSSEC is (not all of us are computer nerds)
Re:Hm. (Score:5, Informative)
The internets is a freeway. Each top level domain is a lane on that freeway. The .edu lane on the freeway will soon be secured with DNSSEC.
DNSSEC is basically a signature on all the freeway signs.
school.edu - 5 miles
becomes
school.edu - 5 miles
-Signed by school.edu
This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.
Re:Good FA (Score:3, Informative)
You've actually hit onto something that some people think is _very_ important:
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html
By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv
Re:Why We Need It (Score:4, Informative)
Uhh... .org has already signed. .se (Sweden) has been signed for years.
If you want to get a list of all signed domains, check out:
http://secspider.cs.ucla.edu/
Look up any TLDs you want there.
Re:Good FA (Score:2, Informative)
No, DNSSEC guarantees (via digital signature) that the DNS lookup for www.mycompany.com returns the correct IP address.
SSL certs will guarantee that your browser's connection to that IP address (via https) is not being hijacked by a MITM adversary.
Two very different attack vectors being protected there.
And if you think Verisign, Thawte, et al, are going to give up that lucrative business, you so crazy.
Re:Good FA (Score:5, Informative)
Are you aware that DNS has the ability to publish more than simply an IP address? Like say.. a key?
If DNSSEC supplies a secure channel to a trusted authority (which it sounds like it does), then I see no reason why it can't replace the certificate authorities. Likely the biggest impediment to this is simply the time required for DNSSEC to be supported down to the individual machine level.
Re:Good FA (Score:5, Informative)
But along with signing your DNS records, you can sign a text record containing a hash of your webserver's SSL cert, that way anyone who can verify your DNS records can also check that the SSL cert they are being provided with belongs to the owner of the DNS entries. (You know these are correct and have not been MITMed because they are signed by the previous level of DNS, up to the root zone which you have to acquire in some secure way.)
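The check the last two replies describe, written out as an added example (not code from any poster or from Educause): a client hashes the certificate it was handed, looks for that hash in a TXT record, and accepts it only if the resolver reported the answer as DNSSEC-validated. The `v=certfp1; sha256=...` record layout, the `DnsAnswer` class and the certificate bytes are all constructed for this example; a real deployment would use the resolver's AD bit and an actual DER certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: stand-ins for DER-encoded certificates, not real certs.
GOOD_CERT_DER = b"\x30\x82\x01\x00constructed-cert-for-www.school.edu"
ROGUE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-presented-by-attacker"


@dataclass
class DnsAnswer:
    """What a validating resolver hands back for a TXT lookup (hypothetical shape).

    `authenticated` mirrors the AD (Authenticated Data) bit: True only when the
    resolver verified the DNSSEC signature chain up to its trust anchor.
    """
    txt_records: List[str]
    authenticated: bool


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, hex-encoded; this is the value that gets published."""
    return hashlib.sha256(cert_der).hexdigest()


def publish_record(cert_der: bytes) -> str:
    """Build the TXT record the zone owner would sign into its DNSSEC-signed zone.
    The 'v=certfp1; sha256=<hex>' layout is a hypothetical format for this example."""
    return "v=certfp1; sha256=" + cert_fingerprint(cert_der)


def parse_record(txt: str) -> Optional[str]:
    """Return the hex fingerprint from a record in that format, or None if it is not one."""
    fields = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if fields.get("v") != "certfp1":
        return None
    digest = fields.get("sha256", "").lower()
    return digest if len(digest) == 64 else None


def cert_matches_dns(cert_der: bytes, answer: DnsAnswer) -> Tuple[bool, str]:
    """Accept the presented cert only if a DNSSEC-validated TXT record pins it."""
    if not answer.authenticated:
        # An unsigned answer is exactly what a spoofer can forge, so it proves nothing.
        return False, "DNS answer was not DNSSEC-validated"
    published = [fp for fp in map(parse_record, answer.txt_records) if fp]
    if not published:
        return False, "no certificate fingerprint record published"
    actual = cert_fingerprint(cert_der)
    if any(hmac.compare_digest(actual, fp) for fp in published):
        return True, "certificate matches DNS-published fingerprint"
    return False, "presented certificate does not match published fingerprint"
```

The refusal on an unauthenticated answer is the part that matters: without it, the TXT record is just another unsigned sign on the freeway.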