
Educause Announces Plans To Sign .edu TLD With DNSSEC

timothy posted more than 4 years ago | from the seeping-in-there dept.


jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010. This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments. Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy."


49 comments

Good FA (3, Informative)

mcgrew (92797) | more than 4 years ago | (#29303409)

Very informative and well written, kudos to the submitter. For those who don't want to RTFA and wonder what DNSSEC is (not all of us are computer nerds)

Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

Re:Good FA (4, Interesting)

nine-times (778537) | more than 4 years ago | (#29303595)

One thing that I'm not clear on at all but would like to understand is, is there any chance that DNSSEC will let us get rid of SSL certificate authorities?

Maybe that's a dumb question, but what I have in mind is this: if we can provide authenticated/signed pairing of DNS information to IP addresses, could we also put an SSL certificate into the mix and therefore know that the SSL cert is valid for that domain name? Wouldn't that at least give us SSL certs that verified the site was owned by the person who owned the domain, even if it didn't do any kind of "Extended validation" stuff?

Re:Good FA (3, Informative)

jhutkd (217409) | more than 4 years ago | (#29303645)

You've actually hit onto something that some people think is _very_ important:

http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html

By putting the fingerprint of your SSL cert in a DNS record, you could do something like what you are suggesting... ymmv

Re:Good FA (1)

tialaramex (61643) | more than 4 years ago | (#29309179)

Yes, and this also exists today (assuming you have working DNSSEC) for OpenSSH.

That is, OpenSSH is already programmed to be able to confirm a remote host fingerprint by looking in DNS. This means "ssh foo.example.com" would reliably connect you to the machine that example.com's owners call 'foo' subject only to interference from the COM registry operator and the DNS root. If someone spoofs DNS, DNSSEC will report it, if they try to spoof the machine itself or TCP/IP, the OpenSSH fingerprint won't match. If they try a Man-in-the-middle attack the protocol design leaves them just moving your encrypted data with no clue what it says.

A public key trust system needs a trust root, but DNS conveniently already has one. We may fix a remarkable number of technical problems via DNSSEC, once we get the root signed and the political problems solved.

Re:Good FA (2, Informative)

Anonymous Coward | more than 4 years ago | (#29303929)

No, DNSSEC guarantees (via digital signature) that the DNS lookup for www.mycompany.com returns the correct IP address

SSL certs will guarantee that your browser's connection to that IP address (via https) is not being hijacked by a MTM adversary

Two very different attack vectors being protected there

And if you think Verisign, Thawte, et al, are going to give up that lucrative business, you so crazy

Re:Good FA (4, Informative)

Vellmont (569020) | more than 4 years ago | (#29304015)

Are you aware that DNS has the ability to publish more than simply an IP address? Like say.. a key?

If DNSSEC supplies a secure channel to a trusted authority (which it sounds like it does), then I see no reason why it can't replace the certificate authorities. Likely the biggest impediment to this is simply the time required for DNSSEC to be supported down to the individual machine level.

Re:Good FA (1)

shentino (1139071) | more than 4 years ago | (#29304845)

Like GP said.

If you think Verisign is going to give up that lucrative business, you are crazy.

Re:Good FA (2, Interesting)

Timothy Brownawell (627747) | more than 4 years ago | (#29305655)

Like GP said.

If you think Verisign is going to give up that lucrative business, you are crazy.

1) They don't have a choice in the matter.

2) This is probably why they're pushing "Extended Validation" certs now.

Re:Good FA (0)

Anonymous Coward | more than 4 years ago | (#29309209)

Sure, Verisign will have "problems" signing COM and they'll try to charge extra for it, and...

It doesn't matter. DNS is a hierarchy. Verisign can't stop Sweden, or .org or hundreds of other places in the hierarchy from giving away signed domains. And every browser vendor will want to support this great new feature. So before you can say "Internet Explorer 6 is obsolete we don't support it" there will be no more lucrative certification business for Verisign.

They were too greedy and incompetent. If a basic cert cost me $5 for five years I'd have a dozen already. But Verisign bled people for every cent they could get. With DNSSEC it will cost me $0 for as long as I control the domain.

Re:Good FA (1)

DarkOx (621550) | more than 4 years ago | (#29305739)

Simply ensuring your DNS is not compromised is not enough. Just because you have correct DNS information does not ensure you know who you're talking with; yes, you have the right IP, MX, TXT or whatever record, but my evil router upstream can still NAT or route your traffic addressed to that IP to my evil spoofing web server.

Re:Good FA (4, Informative)

RalphSleigh (899929) | more than 4 years ago | (#29306321)

But along with signing your DNS records, you can sign a text record containing a hash of your webserver's SSL cert; that way anyone who can verify your DNS records can also check that the SSL cert they are being provided with belongs to the owner of the DNS entries. (You know these are correct and have not been MITMed because they are signed by the previous level of DNS, up to the root zone, which you have to acquire in some secure way.)

Re:Good FA (0)

Anonymous Coward | more than 4 years ago | (#29304565)

That's not what nine-times meant. DNSSEC establishes a trust hierarchy: The user trusts the root key owner to only sign resource records of legitimate top level domains, whose owners only sign resource records created by legitimate (second level) domain owners, and so on. Verification of the signatures means checking that the owner of the domain, not someone else, created the resource records. If one of the resource records is a public key, then the browser could use that public key to authenticate an SSL connection with the web server at that domain. Right now we use a different trust hierarchy for SSL, anchored in the certificate store of the browser or operating system: The SSL certificate authorities. The SSL CA hierarchy was meant to provide more strict identity verification, but for several years now SSL certificates just prove domain ownership. That could just as well be provided by DNSSEC. The CAs have already reacted: Their new product is called "Extended Validation Certificates." In other words: They promise to do what they were meant to do from the start: Link certificates to identities, not domains.

Re:Good FA (4, Interesting)

nine-times (778537) | more than 4 years ago | (#29305113)

Yeah, I wasn't under the impression that getting rid of CAs was the purpose of DNSSEC, but it seemed like one possible side effect. Just to spell out my thoughts a bit more, when you say that DNSSEC guarantees that the DNS lookup returns the correct IP, I'm under the impression that "correct" is defined as "whatever the domain owner says is correct", i.e. it enables you to verify that whatever is in the DNS record is actually what the domain holder put in his DNS record.

Now I'm not claiming to understand the intricacies of how DNSSEC works, but it seems to me that once you have a signature that is able to verify that information comes from a given domain owner, you probably have the infrastructure in place for passing other information comes from the domain holder, too. So even if DNSSEC can't do this right now, you've possibly laid the groundwork for someone to stick a public key into the DNS record for a given server. If you can verify that the public key given for a particular server is authentic, then that public key can be used to prevent a man-in-the-middle attack.

I mean, ultimately what CAs are doing in most cases is verifying that a small bit of data, i.e. the public key for SSL encryption, is actually being provided by the domain that it's claiming to come from. If you can do this through your domain registrar and DNS servers, then CAs become unnecessary except for any extended validation of identity that you want to do.

But this would be very important in my mind, because it might allow SSL to become essentially free in cases where extended validation isn't necessary.

Re:Good FA (0)

Anonymous Coward | more than 4 years ago | (#29309263)

This, plus the trick that lets you have SSL on VHosts (needs any recent browser, except on Windows where it needs a recent browser + a new OS, Vista or better) gets you secure browsing for every blog, podcast, photo gallery and web forum. Plus it can secure everyone's OpenID, and numerous other things.

I'd say you'll see it start to appear (as a free option with caveats about browser support) from some cheap hosting companies in the next 12-18 months, and everyone will forget unsecured web pages ever existed in 10-15 years.

Re:Good FA (1)

marka63 (1237718) | more than 4 years ago | (#29318081)

This is a question you need to ask browser vendors. Putting a self-signed CERT in the DNS is relatively easy. There is even a specific record type, CERT, to store it in. Signing the records is the same as signing any other record in the DNS. The hard part is convincing browser vendors to look in the DNS for the CERT record and to establish the chain of trust back to a DNS trust anchor.

To do this the browser needs a secure path (by using TSIG, SIG(0) or TKEY) to a validating resolver it trusts and to look at the AD bit in the response, or it needs to use DNS trust anchors itself and do the necessary validation of the DNS trust chain.

All the bits of technology the browser vendors need are there to do this. It's just a matter of putting them together.
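As an added example (not code from any poster, Educause, or the DNSSEC RFCs), here is a toy Go model of the chain of trust described in the summary and in the comments above: a trust anchor (the root key), a parent-signed DS record at each delegation, and finally a signed record in school.edu carrying the SHA-256 fingerprint of a web server's certificate. Zone names, the `_certfp` owner name, and the use of Ed25519 with a simplified record format are assumptions made for the demo; real DNSSEC records carry key tags, algorithms, TTLs and signature validity windows that are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignedRR is one record plus the RRSIG-like signature of the zone that serves it.
type SignedRR struct {
	Owner string // owner name, e.g. "school.edu."
	Rdata []byte // a DS digest, or the payload of a TXT record carrying a cert fingerprint
	Sig   []byte
}

// Link is one delegation: the child zone's DNSKEY and the DS for it that the parent signed.
type Link struct {
	Zone   string
	DNSKEY ed25519.PublicKey
	DS     SignedRR
}

// digest is SHA-256; it serves both as the DS digest of a child's DNSKEY and as a cert fingerprint.
func digest(b []byte) []byte {
	sum := sha256.Sum256(b)
	return sum[:]
}

// Sign signs owner name and RDATA together, so a signature cannot be replayed under another name.
func Sign(key ed25519.PrivateKey, owner string, rdata []byte) SignedRR {
	return SignedRR{owner, rdata, ed25519.Sign(key, append([]byte(owner+"\x00"), rdata...))}
}

// Verify checks rr's signature under pub over the same owner-plus-RDATA message.
func Verify(pub ed25519.PublicKey, rr SignedRR) bool {
	return ed25519.Verify(pub, append([]byte(rr.Owner+"\x00"), rr.Rdata...), rr.Sig)
}

// Validate walks the delegations below the anchor (each needs a parent-signed DS matching the child's DNSKEY), then checks rr under the leaf key.
func Validate(anchor ed25519.PublicKey, chain []Link, rr SignedRR) error {
	parent := anchor
	for _, l := range chain {
		if !Verify(parent, l.DS) {
			return errors.New("DS for " + l.Zone + " is not signed by its parent")
		}
		if l.DS.Owner != l.Zone || string(l.DS.Rdata) != string(digest(l.DNSKEY)) {
			return errors.New("DNSKEY of " + l.Zone + " does not match the parent's DS")
		}
		parent = l.DNSKEY // this zone's key now vouches for the next level down
	}
	if !Verify(parent, rr) {
		return errors.New("record " + rr.Owner + " is not signed by the zone the chain ends in")
	}
	return nil
}

// BuildExample generates root, edu and school.edu keys (constructed for this demo), signs both
// delegations, and has school.edu publish a TXT-style record with the fingerprint of certDER.
func BuildExample(certDER []byte) (ed25519.PublicKey, []Link, SignedRR) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	eduPub, eduPriv, _ := ed25519.GenerateKey(rand.Reader)
	schoolPub, schoolPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Link{
		{Zone: "edu.", DNSKEY: eduPub, DS: Sign(rootPriv, "edu.", digest(eduPub))},
		{Zone: "school.edu.", DNSKEY: schoolPub, DS: Sign(eduPriv, "school.edu.", digest(schoolPub))},
	}
	fp := Sign(schoolPriv, "_certfp.www.school.edu.", digest(certDER))
	return rootPub, chain, fp
}
```

A browser in this model would compare `digest(presentedCertDER)` against the validated record's Rdata; a forged delegation, a tampered fingerprint, or a different trust anchor each makes Validate return an error.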

Re:Good FA (1)

nine-times (778537) | more than 4 years ago | (#29320631)

Well I would guess that browser vendors would implement it if DNS records were generally signed and therefore trustworthy. Or at least decent browsers would.

Why We Need It (1)

eldavojohn (898314) | more than 4 years ago | (#29303609)

By digitally signing DNS responses with public-key cryptography, we will be improving the security of one critical aspect of the Internet—the Domain Name System—which otherwise could be exploited for the purposes of fraud or even cyberterrorism. It is our hope that with widespread deployment DNSSEC will help improve Internet security for the higher education community.

Some more information on why we need this can be found on Wikipedia's page for DNS cache poisoning [wikipedia.org] . It's great this is going out to the "higher education community" but when is it going to catch on world wide? Is it like IPv6 where we need to wait for a catastrophic failure? One day when www.google.com resolves to the IP of www.malwareinyourface.com for some noticeable fraction of the populace?

Re:Good FA (1)

svtdragon (917476) | more than 4 years ago | (#29304363)

Yes, very well written. And in other news, DOE to do NEPA's EIS on BNFL's AMWTP at INEEL after SRA protest [probablybadnews.com] .

Re:Good FA (0)

Anonymous Coward | more than 4 years ago | (#29305931)

Department of Energy to do National Environmental Policy Act's Environmental Impact Statement on British Nuclear Fuels Ltd's Advanced Mixed Waste Treatment Project at Idaho National Engineering and Environmental Laboratory after Snake River Alliance protest.

(Yes, the last one is most definitely Snake River Alliance, which is an Idaho association with significant concerns about Nuclear waste.)

Hm. (1, Funny)

Anonymous Coward | more than 4 years ago | (#29303419)

I understand most of the words, but I don't understand the implication. Will somebody please form a car analogy?

TIA

Re:Hm. (5, Informative)

sexconker (1179573) | more than 4 years ago | (#29303513)

The itnernets is a freeway.
Each top level domain is a lane on that freeway.
The .edu lane on the freeway will soon be secured with DNSSEC.

DNSSEC is basically a signature on all the freeway signs.

school.edu - 5 miles

becomes

school.edu - 5 miles
-Signed by school.edu

This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

Re:Hm. (5, Funny)

localman57 (1340533) | more than 4 years ago | (#29303569)

This way those punks at pornschool.com can't put up their own fake freeway signs that say "school.edu - next exit" in an attempt to make you get off when you don't want to.

Best...Double-Entendre...Ever...

Re:Hm. (0)

Anonymous Coward | more than 4 years ago | (#29304013)

pornschool.com? Your ideas intrigue me. Can I subscribe to your newsletter?

Re:Hm. (1)

poopdeville (841677) | more than 4 years ago | (#29303531)

It means that you can find your car in a parking garage potentially filled with cars nearly identical to yours. Moreover, your key will only fit your car.

Re:Hm. (4, Interesting)

morgan_greywolf (835522) | more than 4 years ago | (#29303591)

Okay. Educause Motors Corp. makes a model called the EduCar that they will sell only to educational institutions, like college campuses or school districts. Earlier models didn't have locks or keys, but instead used a system whereby you had to show to your educational institution paperwork to the onboard camera before you could open the door. Once inside, you have push-button start. The new EduCar will feature secure keys and locks, but you still need to show your educational paperwork to get one.

Other models, which require no educational paperwork, are available from a wide variety of manufacturers such as GoDaddy Motors, Network Solutions Motors, Register Motors, etc., will continue to sell their ComCars, OrgCars, NetCars, etc. without keys or locks.

Re:Hm. (5, Funny)

Hijacked Public (999535) | more than 4 years ago | (#29303597)

It would be like if your car's PCV valve required a permissive signal from the EGR valve via CAN-BUS linkage to MPI and DOHC. The ECR module would then TBI the MPG and various other RWHPs. Failing that the EFI unit ATF AC unit BTDC more of the CCs than CUINs. As long as your crank was CCW and you had COPI you would be good to go. Unless the CTVS was broken. In which case both your FWD and 4WD was unusable. You'd need to measure MAP and calibrate the VSS or you'll go WOT, and with NOS then you will likely exceed the allowable RPMs.

DOHV. OD. LED taillights. HO engine. blah blah blah.

I, For One, (2, Funny)

localman57 (1340533) | more than 4 years ago | (#29303489)

Welcome our new .edu domain-name-securing overlords.

Re:I, For One, (1)

MarkRose (820682) | more than 4 years ago | (#29303943)

That was lame. Apparently when it comes to DNS jokes, you're not that .educable.

Re:I, For One, (1)

xaxa (988988) | more than 4 years ago | (#29304393)

th.at w.as la.me. Apparent.ly when .it com.es .to DNS jok.es, you'.re not th.at .educable.

FTFY. Your education wasn't sufficiently international.

(Austria, American Samoa, Montenegro, Libya, Italy, Spain, Tonga, Spain, Reunion, Austria, if anyone's wondering.)

Administratium (3, Insightful)

girlintraining (1395911) | more than 4 years ago | (#29303543)

Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy.

Right. It's the administrative costs that are keeping it from being deployed. Sex.com sold for $14 million. I'd be willing to guess that the namespace of domains worth > $1,000 totals several hundred million. Right now, the security to protect the aforementioned virtual properties is like a vault with a screen door out the back. It's a source of great internal amusement to me that in the real world our schools have some of the worst physical security, but soon they'll have some of the best digital security.

.bnk? (3, Insightful)

RiotingPacifist (1228016) | more than 4 years ago | (#29303633)

Can't they just use DNSSEC for banks (optionally give a tld for anything financial)

Re:.bnk? (0)

Anonymous Coward | more than 4 years ago | (#29304511)

Hmm... seems like overkill. Maybe the government providing [registered bank name].bank.us (or maybe .bank.state.us, whoever registers banks) as part of registering an organization as a legal bank would make sense. (What makes a bank is defined by the government, not ICANN.)

On the other hand, banks already have SSL and EV certs, so DNSSEC adds little additional security.

Re:.bnk? (1)

RiotingPacifist (1228016) | more than 4 years ago | (#29305481)

What makes a bank is defined by the government, not ICANN.

What makes an educational institute is also defined by the government; I fail to see your point.

What makes a bank is defined by the government, not ICANN.

Few people check for EV/SSL, so if you DNS hijack a site many people will fall for it.

Re:.bnk? (1)

QuantumRiff (120817) | more than 4 years ago | (#29306487)

My former employer was not allowed a .EDU address until we passed our final accreditation. The Community College was only a few years old, and operated under the guidance of another college for the first few years. We could have a *.cc.or.us domain name, but not a .edu. When we finally got approved by one of the 7 Department of Education sanctioned accreditation boards, they wanted a bunch of paperwork to prove we were us, and talked to the accreditation board. For us, it was a truly big deal, it showed that we had made it.. But anyways, back to my point, there are only a few government agencies that oversee banks in most countries.. I could see getting issued a *.fin or *.bank or whatever TLD when you got certified by the FDIC, or NCUA, or Office of Thrift Supervision, etc..

Newer RFC (0)

Anonymous Coward | more than 4 years ago | (#29303951)

You should change the DS record link. The RFC 3658 is obsoleted by RFC 4033, 4034 and 4035:
http://tools.ietf.org/html/rfc4033

Translation Requested: (0)

Anonymous Coward | more than 4 years ago | (#29303957)

So what?

Thanks for the meaningless news.

Yours In Minsk,
K.T.

How little people actually care ... (3, Insightful)

BitZtream (692029) | more than 4 years ago | (#29306759)

This is offtopic, but important.

Look at how few people comment on this article, which is a very important step forward for the Internet, yet there are 3 to 4 times more comments on the article about running Linux on a Kindle.

Since Slashdot is basically a representation of the OSS and technical world's view on things, it's very sad that people who are supposed to be intelligent, thoughtful creatures get excited over something as pointless as running Linux on a Kindle, but care so little about something that is important to the Internet as a whole.

I realize that most people here are Linux fanboys (and this is one time I'm not saying it to be insulting, I'm a FreeBSD fanboy for instance, it's okay as long as you are rational about it) so that means Linux related topics are going to get more coverage here, but ... 3 to 4 times more people care about running Linux on a device like the Kindle than DNSSEC for a TLD ... that's just freaking sad to me :(

Re:How little people actually care ... (1)

discogravy (455376) | more than 4 years ago | (#29308047)

This is a function of how many /. readers are hostmasters/HNICs for TLDs. The people with a hardcore interest in this have already done it for their domain (or it doesn't matter to them because their TLD isn't signed, and so even if they signed it, there would be an ultimate break in the chain). I wouldn't expect a /. story about enterprise-level hardware or software that only Fortune 500 companies use to have a lot of comments either; the reader base is small to begin with. Kindles are dirt cheap in comparison to, say, a production Oracle environment.

Re:How little people actually care ... (1)

saintlupus (227599) | more than 4 years ago | (#29313195)

Speaking as someone at an .edu, we all saw this news yesterday. There are many other venues besides Slashdot that cater to higher ed IT, and it's being discussed elsewhere.

I wouldn't call the low comment count a sign of disinterest, but rather a sign that there aren't a lot of our peers here so it's not a productive forum for this sort of thing.

--saint
