
Dot-Org TLD Signed For DNSSEC

timothy posted more than 4 years ago | from the not-passing-on-costs-is-a-neat-trick dept.

Security 58

graychase writes "A major milestone is reached as the first major top-level domain (.org) is now secured with DNSSEC. The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While specific figures as to the cost of DNSSEC implementation haven't been released, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million-dollar effort. The cost isn't going to be passed on by .org to domain registrars. The move toward securing the .org registry with DNS security started in September 2008, following the Kaminsky DNS flaw disclosure."


58 comments


frosty piss! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32671516)

from my dick to your lips.

Re:frosty piss! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32671560)

From my boot to your mouth, and my sledgehammer to your fingers, you loathsome childish piece of crap.

Re:frosty piss! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32671704)

^ same fag

Re:frosty piss! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32671778)

Oh, you sure told him!!

Re:frosty piss! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32671890)

funniest thing is... "boot" is slang for asshole and "sledgehammer" is slang for a (big) cock. So basically, AC is describing a "rusty trombone" (ie, you receive a rimjob and a handjob at the same time).

Re:frosty piss! (1)

shentino (1139071) | more than 4 years ago | (#32672256)

Eat peppermint oil.

.org first over .com ?? (2, Interesting)

capnchicken (664317) | more than 4 years ago | (#32671568)

Seems odd, too many .com's perhaps?

Re:.org first over .com ?? (4, Informative)

fotbr (855184) | more than 4 years ago | (#32671592)

More likely simply that different companies/organizations are responsible for .org vs .com vs .net vs .whatever, and each of those had different plans (or no plans) and acted on them at various speeds.

Re:.org first over .com ?? (3, Informative)

penguin359 (763783) | more than 4 years ago | (#32672874)

Size does play some part in it. There are a number of smaller two-letter country code TLDs that were signed before .ORG, as well as the fact that .GOV also beat .ORG to being signed, with .GOV being signed in March of '09 and .ORG being signed in June of '09. I think the big news is that .ORG is now allowing regular domain owners to submit their keys into the .ORG database. VeriSign, who runs both .COM and .NET, plans to first sign the smaller .NET, which is still larger than .ORG, before finally tackling .COM.

Re:.org first over .com ?? (1)

afidel (530433) | more than 4 years ago | (#32671922)

.COM was signed a few months ago.

Re:.org first over .com ?? (1)

afidel (530433) | more than 4 years ago | (#32671934)

Doh, scrap that, it was the root servers that were signed.

Re:.org first over .com ?? (0)

Anonymous Coward | more than 4 years ago | (#32672008)

Correction: The DNS root servers are currently serving intentionally invalid DNSSEC records. They are supposed to get normal signatures July 1, 2010 (so, pretty soon). See: Wikipedia's entry on DNSSEC [wikimedia.org] .

Re:.org first over .com ?? (2, Informative)

penguin359 (763783) | more than 4 years ago | (#32672892)

Actually, they've announced the date to now be July 15, 2010. http://www.root-dnssec.org/ [root-dnssec.org]

There will be a lot more TCP (and IPv6) queries (4, Informative)

Anonymous Coward | more than 4 years ago | (#32671658)

Because of the size of the new DNS Resource Records, notably the RRSIG and DNSKEY RRs, and partly because of the (perhaps temporarily) short TTL of one day, there will be a lot more TCP queries because of the size limit on UDP ones. The .ORG nameservers are also IPv6ified, and there is even less space in UDPv6 queries, so hosts that do not exclusively or preferentially make DNS queries in IPv4 will now make TCPv6 queries. These are likely to be slower than UDPv4 queries before the signing and v6ification, and the UDPv6 queries before the signing.

Scaling is helped by using anycast IP and IPv6 addresses, but the downside is that a routing flap that occurs any time after the first TCP/TCPv6 SYN from a client will cause a client to have to requery because of an RST fired back by the newly-closest anycast nameserver, or wait on a full TCP timeout (and then probably still see the RST) depending on the timing. (The worst case is probably having the final FIN segment being eaten by Shub-Internet or someone trying to do a devious (and probably pretty local in scope) denial-of-service consuming resources on possibly the client and two servers).

In short, this is not a win for performance, and it will be a good idea to use long TTLs in the zone itself (and on 2nd level nameservers) once it appears safe to do so.

Re:There will be a lot more TCP (and IPv6) queries (2, Informative)

Dragoniz3r (992309) | more than 4 years ago | (#32671812)

It was never meant to be a win for performance o.O Of course it's going to be slower. The cryptographic checks alone will make it slower. It's intended to prevent DNS hijacking attacks.

Re:There will be a lot more TCP (and IPv6) queries (1)

abigor (540274) | more than 4 years ago | (#32671966)

I'm sure the gp knows that. Reread his post.

Re:There will be a lot more TCP (and IPv6) queries (1, Funny)

Anonymous Coward | more than 4 years ago | (#32672298)

No shit sherlock. The AC was addressing the performance issue, not the intent. Crack open your MCSE manual again and do some more reading.

Re:There will be a lot more TCP (and IPv6) queries (3, Informative)

iburrell (537197) | more than 4 years ago | (#32672280)

DNSSEC requires EDNS. EDNS allows for UDP packets larger than the original 512-byte limit of DNS over UDP. There could be problems with fragmented packets which are larger than the MTU. Some experiments show that responses with DNSSEC and IPv6 are larger than 512 bytes but smaller than the typical MTU of 1500 bytes.

There is some old firewall equipment that mistakenly prohibits DNS packets longer than 512 bytes over UDP, but that has caused problems for a while.

Re:There will be a lot more TCP (and IPv6) queries (2, Interesting)

penguin359 (763783) | more than 4 years ago | (#32672912)

The DNS extension called EDNS0 allows larger UDP DNS queries so that TCP can be avoided. The size for UDP queries is now at 4096 bytes from the 512 byte limit without EDNS0. A lot of the preparation going into DNSSEC has been testing for resolvers with broken EDNS0 support. I find that the vast majority of my DNS queries with DNSSEC enabled are still successfully sent as UDP with EDNS0 currently.
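The two comments above describe the mechanics without showing the bytes. The following is an added example (not code from the thread or from Afilias/PIR) that builds a DNS query with and without an EDNS0 OPT record, reads the advertised UDP buffer size and DO flag back out of a message, and shows the truncation check a client uses to decide when it must fall back to TCP. The query name pir.org and transaction IDs are illustrative; the truncated reply is constructed locally, not captured from a real server.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035: DNS over UDP without EDNS0 carries at most 512 bytes
TYPE_OPT = 41             # RFC 6891: the pseudo-RR that carries EDNS0 information


def _encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=4096, do_bit=True):
    """Build a DNS query. With edns_udp_size non-zero an OPT RR is appended that
    advertises how large a UDP answer this client accepts; do_bit additionally asks
    the resolver to include RRSIG/DNSKEY/NSEC records (the "DNSSEC OK" flag)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR layout: root name, TYPE=41, CLASS field = UDP payload size,
        # TTL field = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
        ttl_field = 0x8000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl_field, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def find_opt(msg):
    """Return {'udp_size', 'do'} from the message's OPT RR, or None if it carries none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "do": bool(ttl & 0x8000)}
        off += 10 + rdlen
    return None


def transport_needed(response_len, edns_udp_size=0):
    """UDP if the answer fits the advertised buffer (512 bytes when EDNS0 is absent), else TCP."""
    limit = edns_udp_size if edns_udp_size else CLASSIC_UDP_LIMIT
    return "udp" if response_len <= limit else "tcp"


def must_retry_over_tcp(response):
    """A server that could not fit the answer sets TC; the client must re-ask over TCP."""
    return parse_header(response)["tc"]


def truncated_reply(query):
    """Constructed sample: a reply to `query` with QR, RD, RA and TC set and no records."""
    txid = parse_header(query)["id"]
    question_end = _skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + query[12:question_end]


if __name__ == "__main__":
    q = build_query("pir.org", qtype=48)   # DNSKEY query as a DNSSEC-aware client sends it
    print(len(q), "bytes, OPT:", find_opt(q))
    print("retry over TCP?", must_retry_over_tcp(truncated_reply(q)))
```

Without the OPT record a server must fit the whole answer into 512 bytes or set TC, which is the TCP fallback the first poster is worried about; with it, a 4096-byte buffer covers the RRSIG and DNSKEY sets in almost every case, and the comment about broken EDNS0 support is exactly the situation where a middlebox drops the larger UDP datagram and the client never gets the TC hint either.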

But is there any working software? (0)

Anonymous Coward | more than 4 years ago | (#32671674)

This is nice and all, but it is my understanding that only Windows 7 supports DNSSEC and only to software that specifically asks. What about XP, and Vista and OS X? Furthermore what browsers support DNSSEC out of the box? The problem with this is that more providers, especially .com, won't take the cost to roll it out if there is not any software on the client side.

Re:Browsers (3, Informative)

6031769 (829845) | more than 4 years ago | (#32671726)

Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

Re:Browsers (0)

Anonymous Coward | more than 4 years ago | (#32672246)

Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

It would be useful for client software to be able to query whether a lookup is authenticated.

RFC 4398 defines DNS resource records (RRs) for storing various types of certificates in DNS records:

        http://tools.ietf.org/html/rfc4398

Instead of having to pay CAs a yearly fee for certificates, it may become possible to have browsers simply fetch the public keys for a web server (or mail server, or SSH host, or S/MIME/PGP certs, or IPsec pub key, or ...) from DNS. In which case the client browser (or mail client, or SMTP server, or ...) would probably want to verify if the returned record has been authenticated by the DNS trust chain.

That may be a little ways off still, but having client software get access to some of the low level DNS isn't as bizarre as it may sound.

Re:Browsers (1)

Fastolfe (1470) | more than 4 years ago | (#32678190)

DNS doesn't validate real-world identity (is ebaypayments.com run by eBay, or some guy that happened to register the domain for his phishing scam?), and it puts DNS (by definition) in the trust path, which may not be desirable if there's a risk that your upstream servers (a government, perhaps) might want to put their own records in your zone. (Yes, they can do that today, but any attempt to redirect e.g. SSL sites will fail unless they also control an SSL certificate authority. Putting your eggs in one basket makes this type of attack much easier.)

Re:Browsers (1)

Hurricane78 (562437) | more than 4 years ago | (#32672418)

Actually his main source of information about the Internet is Ted Stevens, and he meant a herd of cows, browsing the pasture. ;)

Re:Browsers (2, Interesting)

bill_mcgonigle (4333) | more than 4 years ago | (#32672648)

Browsers? They shouldn't care about DNSSEC either way, all of that should be handled by the local resolver. To be fair I'm presuming here that you mean web browsers as opposed to say DNS browsers.

What should the user see if a DNS failure occurs because of a failed signature? "Host not found?" Something like a TLS certificate mismatch dialog?

Re:But is there any working software? (1)

phyrexianshaw.ca (1265320) | more than 4 years ago | (#32671746)

why would a browser need to even be DNSSEC aware? the browser hands its requests over to the OS to handle lookups, it just wants an IP back to make its HTTP request?

unless I'm missing something key here?

Re:But is there any working software? (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#32671928)

unless I'm missing something key here?

The user interface. The browser should be able to warn you if you're not getting DNS records via DNSSEC.

Re:But is there any working software? (2, Insightful)

penguin359 (763783) | more than 4 years ago | (#32673032)

It might be nice to know whether the bank you're using is using a signed zone, for example. If they don't, you're prone to receiving DNS data that points to a cracker's IP address. SSL does not protect against this attack if SSL is not used. Most people don't realize when SSL is in use or not and will gladly log into a site without SSL. SSL can only protect once the end user gets the right IP address of the SSLized Web Server they need to log into for their bank.

Re:But is there any working software? (1)

penguin359 (763783) | more than 4 years ago | (#32673000)

Your Windows computer still relies on an outside computer for doing the DNS lookup. This recursive DNS server can also validate all DNS data and drop data that fails validation protecting your client Windows computers. Comcast is currently in DNSSEC trials, but Comcast end-users can switch their DNS servers to the test servers and get all their DNS data validated automatically. Once this goes live, all Comcast end-users will get benefits of DNSSEC. Also, anyone can run their own recursive validating DNS servers internally and not rely on their ISP's DNS servers.

As an end-user, is there some way to tell? (3, Interesting)

JSBiff (87824) | more than 4 years ago | (#32671752)

As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC? Do any of the web-browsers, for example, include DNSSEC support, to show that a domain has been verified? Or, is DNSSEC only a server-to-server tech, but doesn't extend to end users? If it does extend to the end-user computer, can I use DNSSEC on an un-trusted network, to connect securely to my ISP's DNS Server (or google dns, or OpenDNS, etc), to make sure I'm getting back the correct DNS info (I suppose the 'real' answer for such a situation, at least currently, is a VPN, although some organizations [like where I work] have VPNs that only tunnel traffic to the secured network, and won't tunnel any other traffic, so such a VPN doesn't protect you when visiting any other sites/hosts on the internet).

I think it would be nice, if I don't have access to a real VPN connection, to at least be able to make sure that DNS is secured and trustworthy (although that, of course, doesn't guarantee that there aren't any man-in-the-middle attacks).

Re:As an end-user, is there some way to tell? (4, Informative)

Timothy Brownawell (627747) | more than 4 years ago | (#32671824)

As an end-user, is there some way for me to tell if a domain has been authenticated along the whole chain by DNSSEC?

Yes, that's actually the entire point. Your computer ("stub resolver", the library all your programs use to do DNS queries) can either (1) not care, in which case you're really no safer than with regular DNS; (2) ask your ISP's resolver whether the records were signed, in which case you're slightly safer but not very much; or (3) demand that your ISP's resolver send it all the signatures along with the actual result, in which case you're about as safe as can be (someone would have to break/steal the keys used to sign the records, in order to cause trouble).

What you as the person using the computer see is of course dependent on the particular programs you use and what they do with the extra information that's available. Probably most don't do anything with it yet. :(

Re:As an end-user, is there some way to tell? (1)

TheRaven64 (641858) | more than 4 years ago | (#32671996)

Unfortunately, there don't yet seem to be standard APIs for the stub resolver to report DNSSEC info. POSIX03 introduced getaddrinfo(), which has some space for extra flags, so you could add a flag indicating that an address was resolved via DNSSEC without breaking binary compatibility, but I don't know that anyone has yet.

Re:As an end-user, is there some way to tell? (2, Informative)

penguin359 (763783) | more than 4 years ago | (#32672604)

OpenBSD has a flag to report DNSSEC status.

Re:As an end-user, is there some way to tell? (1)

Hurricane78 (562437) | more than 4 years ago | (#32672500)

(3) is still not fully correct. You would only be as safe as you
1. know that the signer is who you think he is, and
2. actually trust the signer.

Since you don’t have the public keys for all the domains on the planet on your hard drive to check the actual correctness, point 1 already falls flat.
And even then, I haven't met them, I did not learn to know them, so I don't trust them any more than any other crook who could hijack it, anyway. ^^

Re:As an end-user, is there some way to tell? (2, Informative)

penguin359 (763783) | more than 4 years ago | (#32672966)

To help with this situation, there are a number of Trust Anchor Repositories (TAR) that do a certain amount of testing on the trust anchors to verify they are correct. I use ISC's DLV repository on my home servers, but there is also SecSpider that has a large database of keys as well. They run multiple resolvers around the planet that regularly pull for DNS keys and verify that they are consistent across all servers. It's less secure than trust provided by the parent, but still extremely difficult for crackers and in the absence of a signed parent, a decent alternative, IMHO.

Re:As an end-user, is there some way to tell? (1)

Tacvek (948259) | more than 4 years ago | (#32673054)

The signer is who you think he is. The signed root zone lets you know that the root zone has not been tampered with. If you don't trust the IANA, you might as well stop using the internet entirely, since the IANA decides what the root servers serve up. The root zone contains the public keys for the "org." domain. Only Afilias, who maintains the "org." domain, can request the key for .org in the root zone to be changed. Thus if the root zone signature is good, we know that the key in it for "org." belongs to the maintainer of "org.", so you should trust it (as if the maintainer of "org." was malicious you are screwed anyway). By the same set of concepts you know that the key for a second level domain belongs to the owner of the second level domain, and if you don't trust them, then you just should not be visiting their site.

So if all the signatures are valid, you know there is no hijacking, and the records returned are those specified by the owner of the domain.

Re:As an end-user, is there some way to tell? (2, Informative)

penguin359 (763783) | more than 4 years ago | (#32672944)

Actually, any validating resolver should drop DNS data that failed to validate. Most DNS data is currently unsigned, which means that it can't be validated. That does not mean it failed to validate, just that the data is not secure. A stub resolver can notify its calling process whether the data is secure or not, but data that should be secure and failed to validate will never be passed to the process.
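The three stub-resolver modes listed earlier in this thread and the "secure / insecure / dropped" distinction just above come down to a few fields in the reply. The following is an added example (not code from the thread) that parses a response from a validating resolver and reports what a stub should conclude: SERVFAIL means the resolver refused to hand over data that failed validation, the AD bit means it validated the chain, no AD bit means the zone is unsigned or the resolver does not validate, and, for a stub that asked for signatures itself, whether the RRSIGs are inside their validity window. It checks only the header flags and the RRSIG timing fields; it does not verify any cryptographic signature. The reply is constructed inline (www.example.org, 192.0.2.10, key tag 12345, signer example.org and the inception/expiry timestamps are all made-up values); the AD bit is only worth trusting when the resolver is local or reached over a trusted path, which is why the later comment about running a validating resolver on your own laptop matters.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46


def _name(n):
    """Dotted name to uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.rstrip(".").split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Header flags plus the answer section, with RRSIG fields decoded."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        rr = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_RRSIG:
            # RFC 4034 s3.1: covered, algorithm, labels, original TTL, expiration, inception, key tag
            covered, alg, labels, orig_ttl, expiry, inception, keytag = struct.unpack("!HBBIIIH", rdata[:18])
            signer, _ = _read_name(rdata, 18)
            rr.update(covers=covered, keytag=keytag, signer=signer, expiry=expiry, inception=inception)
        elif rtype == TYPE_A:
            rr["address"] = ".".join(str(b) for b in rdata)
        answers.append(rr)
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def classify(msg, now):
    """What a stub should conclude from a validating resolver's reply.
    'bogus'    - SERVFAIL: the resolver dropped data that failed validation (or failed otherwise)
    'secure'   - AD set: the resolver validated the chain of trust down to this RRset
    'insecure' - AD clear: unsigned zone, or a resolver that does not validate
    An RRSIG outside its inception..expiration window is also reported as bogus."""
    r = parse_response(msg)
    if r["rcode"] == 2:
        return {"status": "bogus", "rrsigs_present": False, "rrsig_in_window": None}
    sigs = [a for a in r["answers"] if a["type"] == TYPE_RRSIG]
    in_window = all(s["inception"] <= now <= s["expiry"] for s in sigs) if sigs else None
    status = "secure" if r["ad"] else "insecure"
    if sigs and not in_window:
        status = "bogus"   # expired or not-yet-valid signature: a validator must reject the RRset
    return {"status": status, "rrsigs_present": bool(sigs), "rrsig_in_window": in_window}


def sample_reply(ad, rcode=0, with_rrsig=True, inception=1276000000, expiry=1278000000):
    """Constructed sample reply for 'www.example.org A' (not a real capture)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode          # QR, RD, RA (+AD) (+RCODE)
    owner = _name("www.example.org")
    question = owner + struct.pack("!HH", TYPE_A, 1)
    if rcode != 0:
        return struct.pack("!HHHHHH", 0xBEEF, flags, 1, 0, 0, 0) + question
    records = [owner + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 10])]
    if with_rrsig:
        sig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 7, 3, 3600, expiry, inception, 12345)
                     + _name("example.org") + b"\x00" * 16)   # signature bytes: constructed filler
        records.append(owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(sig_rdata)) + sig_rdata)
    return struct.pack("!HHHHHH", 0xBEEF, flags, 1, len(records), 0, 0) + question + b"".join(records)


if __name__ == "__main__":
    for ad, rcode, sig in ((True, 0, True), (False, 0, False), (False, 2, False)):
        print(ad, rcode, classify(sample_reply(ad, rcode, sig), now=1277000000))
```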

Re:As an end-user, is there some way to tell? (1)

Znork (31774) | more than 4 years ago | (#32675056)

someone would have to break/steal the keys used to sign the records, in order to cause trouble

Or lean on the registrar. It's going to be a bit interesting to see how this will affect the DNS based government filters that are implemented on ISP level in a lot of countries.

Re:As an end-user, is there some way to tell? (1)

MoreDruid (584251) | more than 4 years ago | (#32676050)

Firefox should already be compliant (from what I've heard). It will pop up a warning if the known cert is different from a new one (if someone hijacked the domain). The key of course is: how do you guarantee that the original key is correct? by sending it through other means (USB key, mail etc.) and have the user install the cert manually.

Re:As an end-user, is there some way to tell? (3, Interesting)

cybaz (538103) | more than 4 years ago | (#32672254)

There is a Firefox plugin that will give a key icon if the domain is signed with DNSSEC https://addons.mozilla.org/en-US/firefox/addon/64247/ [mozilla.org]

Re:As an end-user, is there some way to tell? (1)

penguin359 (763783) | more than 4 years ago | (#32672986)

It is possible to run a validating resolver on your own laptop which validates DNS data regardless of where you are connected to the Internet. You can be using any free Wi-Fi hotspot of your choosing and still be assured that the secured DNS data is accurate. Granted, this is only for zones to which you have valid trust. An unsigned zone, as most are currently, can still be spoofed.

Re:As an end-user, is there some way to tell? (2, Informative)

jroysdon (201893) | more than 4 years ago | (#32674374)

FYI, OpenDNS does not and will not support DNSSEC. DNSSEC breaks their model of typo-squatting, and filtering in general.

Re:As an end-user, is there some way to tell? (1)

jroysdon (201893) | more than 4 years ago | (#32674546)

There is a Firefox add-on, DNSSEC Validator [mozilla.org] , which appears to work for the pir.org [pir.org] zone, as well as my own roysdon.net [roysdon.net] zone. Both are DNSSEC signed, although my roysdon.net is found in the DLV.

You can point the tool to use Comcast's DNSSEC trial resolver which is DLV-enabled at 68.87.68.170.
You can trial Comcast's DNSSEC trial resolver which does not have DLV support at 68.87.64.154 and rely only on the Root signature and previously published ccTLDs like .SE.

pir.org is an example of a zone which you can verify just by having the root zone's key. The root signs .ORG, and .ORG has signed pir.org.
As opposed to DLV-enabled zones, like mine, which rely on dlv.isc.org [isc.org] until .NET is signed. Well, also until Registrars add a way so that .ORG owners can sign their zones.

Old News, .ORG signed over a year ago (1, Informative)

Anonymous Coward | more than 4 years ago | (#32671942)

https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/003940.html

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colleagues,

On behalf of PIR Technical Support I would like to announce that as of
today, 2009-06-02, at 16:00 UTC .ORG is DNSSEC signed.

The following KSK is now valid for .ORG

org. IN DNSKEY 257 3 7 (
                                AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
                                dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
                                GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
                                bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
                                XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
                                x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
                                CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
                                DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
                                ) ; key id = 21366

Please note that due to the use of NSEC3 this key should not be used
with BIND versions less than 9.6.0.

Please refer to http://www.pir.org/dnssec/ for more information.

As always, please report operational concerns with any Afilias-hosted
zone to

dave

- --
Dave Knight
Director, Resolution Services
Afilias

PIR Technical Support
URL: http://www.pir.org
E-mail: techsupport at pir.org
Phone: +1.416.646.3308
Fax: +1.416.646.3305
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkolicgACgkQVFeEx/p946ZMtgCfVzu5IWcE36CYtlb7EBwAgSRx
AeoAoM6Wfxgi+Q5VR4ws6qDma5uzCLPr
=CrQm
-----END PGP SIGNATURE-----

Do I need to do anything? (3, Informative)

i_ate_god (899684) | more than 4 years ago | (#32672024)

I have a .org domain hosted on my server. Is there something I need to do?

Re:Do I need to do anything? (4, Informative)

Timothy Brownawell (627747) | more than 4 years ago | (#32672116)

If you don't care whether the records for your domain(s) are secure, then no.

If you do want to take advantage of the new functionality, then you need to serve some extra records and give some extra data to your registrar (I think it's just the public half of your key). I imagine the exact steps to do this would vary based on who your registrar is and which DNS server you're running.

Re:Do I need to do anything? (1)

Rijnzael (1294596) | more than 4 years ago | (#32672640)

Providing the signature would probably be helpful too ;)

Re:Do I need to do anything? (1)

jroysdon (201893) | more than 4 years ago | (#32675242)

First, see if your current domain Registrar is one of 13 .ORG Registrars that are supporting DNSSEC right now:
http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc [pir.org] .

If your .ORG domain Registrar is not listed as providing DNSSEC support, transfer your domain to GoDaddy or one of the other 12 .ORG Registrars with DNSSEC support.

Then generate your keys, sign your zone, and provide your Registrar your DS key. Anyone using a DNS server with DNSSEC enabled and ITAR keys will have the .ORG key and follow the chain to your domain. Anyone using a number of DLVs will also find the .ORG key.

Full support will work once the Root zone is signed, and then the ITAR will no longer be needed, and the DLVs will not be needed at all as more TLDs become signed.

If you're totally green to DNSSEC and didn't get the alphabet soup, you'll need to do some reading [wikipedia.org] .
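"Generate your keys, sign your zone, and provide your Registrar your DS key" is the step the .ORG change actually enables, and the earlier comment about the root key vouching for the .org key, which vouches for the second-level key, is the same relationship read top-down. The following is an added example (not code from the thread, PIR or Afilias) that computes the RFC 4034 key tag and the DS record (the digest of owner name plus DNSKEY RDATA that the registrar forwards to the registry) and then checks that a chain of zones is linked: each parent's published DS must match the child's KSK, starting from a configured trust anchor. It uses the .ORG KSK quoted in the announcement above as real sample input (the announcement lists its key id as 21366, which the script prints for comparison); the root and example.org keys in the chain check are tiny constructed placeholders, not real keys. RRSIG verification is deliberately out of scope; only the DS-to-DNSKEY linkage is checked.

```python
import base64
import hashlib
import struct

DIGEST_SHA1, DIGEST_SHA256 = 1, 2

# The .ORG KSK exactly as quoted in the 2009-06-02 announcement earlier in this thread
# ("org. IN DNSKEY 257 3 7 ..."): flags 257 (KSK), protocol 3, algorithm 7.
ORG_KSK_2009_B64 = (
    "AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo"
    "dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm"
    "GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A"
    "bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t"
    "XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m"
    "x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj"
    "CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj"
    "DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU="
)
ORG_KSK_PUBKEY = base64.b64decode(ORG_KSK_2009_B64)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire RDATA of a DNSKEY RR: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5 alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _canonical_name(owner):
    """Owner name in canonical wire form: lowercase, uncompressed; the root is a single 0 byte."""
    labels = [l.lower() for l in owner.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, rdata, digest_type=DIGEST_SHA256):
    """The DS fields a registrar needs: digest = H(canonical owner name || DNSKEY RDATA)."""
    h = hashlib.sha256 if digest_type == DIGEST_SHA256 else hashlib.sha1
    digest = h(_canonical_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def chain_is_linked(chain, trust_anchor):
    """chain: [{'zone', 'ksk'}, ...] from the root downward; every entry after the first
    also carries 'ds_in_parent', the DS the parent zone publishes for it. trust_anchor is
    the DS of the root key configured on the validator. True when each link matches, i.e.
    the anchor at the top vouches for the key at the bottom (signatures are not checked here)."""
    root = chain[0]
    if ds_record(root["zone"], root["ksk"], trust_anchor["digest_type"]) != trust_anchor:
        return False
    for child in chain[1:]:
        published = child["ds_in_parent"]
        if ds_record(child["zone"], child["ksk"], published["digest_type"]) != published:
            return False
    return True


if __name__ == "__main__":
    org_rdata = dnskey_rdata(257, 3, 7, ORG_KSK_PUBKEY)
    print("computed key tag for the quoted .ORG KSK:", key_tag(org_rdata), "(announcement says 21366)")
    print("DS for that key:", ds_record("org.", org_rdata))
```

The DS submitted to the registrar is just `ds_record(zone, ksk_rdata)` in presentation form; the wrong-key case the chain check rejects is the one where a registrar publishes a DS for a key other than the one actually signing the zone, which turns a working signed zone into a validation failure for everyone behind a validating resolver.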

GoDaddy's Help on this (0)

Anonymous Coward | more than 4 years ago | (#32679590)

http://help.godaddy.com/article/6113?

Slashdot (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32672708)

When will slashdot.org be signed?

Re:Slashdot (1)

jroysdon (201893) | more than 4 years ago | (#32674254)

No, nor will it have IPv6 records. Why would they really care about tech? The real motive is profit. No profit in slowing down DNS queries with DNSSEC or potential problems right now with broken IPv6 transit or clients.

Re:Slashdot (0)

Anonymous Coward | more than 4 years ago | (#32677752)

It's why they have been holding out on SSL.

Or not.

Re:Slashdot (1)

Abcd1234 (188840) | more than 4 years ago | (#32678274)

Dude, they don't even have basic IPv6 deployed... Slashdot, for all its "News for Nerds" BS, is amazingly conservative when it comes to technology.

.org was signed over a year ago (3, Informative)

Anonymous Coward | more than 4 years ago | (#32672718)

Here's the announcement on the OARC DNS-Operations list
https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/003940.html

What has happened this week is that .org domain holders who have signed their domain may now submit their DS record via their registrar for inclusion in the .org zone, assuming that their particular registrar supports that.

Up until now only a handful of signed .org domains have had their DS records included in the zone and this was done manually at the registry in order to facilitate testing before opening this up to registrars.

yuo Fai7 It. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32672882)

or a public club, Words, don't get a prEviously as little overhead see. The number

Failzo8s (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32672964)

not going to plAy OS. VNow BSDI is

Explain WHY it costs several million dollars ... (1)

BitZtream (692029) | more than 4 years ago | (#32680568)

Seriously ... how does it end up costing multiple millions of dollars to accomplish such a trivial change?

You mean they spent 50k on the developers to update their systems and the rest on 'testing' right?

Seriously, there's nothing to this upgrade other than changes to the management systems from their end.

W T F?
