DNSSEC Comes To .Net Zone Today

kdawson posted more than 3 years ago | from the if-it-were-easy-we'd-be-done-already dept.


wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year. "Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."

62 comments

Typos (0)

Mysterios (160701) | more than 3 years ago | (#34513916)

Am I just spending too much time on /. or have there been a lot of typos in stories recently?

Re:Typos (3, Funny)

oodaloop (1229816) | more than 3 years ago | (#34514066)

As opposed to what? The good ol' days when editors read the articles and proof-read submissions? When men were real men, and small furry creatures, etc etc.

Re:Typos (2)

Abstrackt (609015) | more than 3 years ago | (#34515014)

As opposed to what? The good ol' days when editors read the articles and proof-read submissions? When men were real men, and small furry creatures, etc etc.

Ah, the good ol' days... when the men were men, the women were men, and the girls were FBI agents.

Re:Typos (0)

Anonymous Coward | more than 3 years ago | (#34516878)

As opposed to what? The good ol' days when editors read the articles and proof-read submissions? When men were real men, and small furry creatures, etc etc.

Ah, the good ol' days... when the men were men, the women were men, and the girls were FBI agents.

...and all internet users were above average.

More security in what way? (0, Troll)

girlintraining (1395911) | more than 3 years ago | (#34513928)

It may be more secure for business, but it's less secure now for private individuals and the politically-active. Also, it's not more secure for websites not based in the United States, as those keys are already in government possession. This is just another way for the United States to exert control over an international resource for its own gain. And we're giving up that decentralized and free nature of the internet because of hackers/terrorists/boogiemen? Sad day.

Re:More security in what way? (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34513992)

The USA is your boogieman.

but hey, it's popular to hate them, let's go for it! They are magically worse than everyone else (many of whom do exactly the same, some are better, some are worse) because they have power and you aren't with them.

Grow up. They'll drop down a few pegs in the next 10-20 years, and the EU, China or both will become a more formidable power. Don't worry. I hope you are in one and can enjoy the other side of the idiocy you are propagating.

Re:More security in what way? (3, Informative)

icebraining (1313345) | more than 3 years ago | (#34514146)

Damn, you're dumb. He's calling for a decentralized system, which doesn't rely on any government, including the EU and China.

Re:More security in what way? (1, Interesting)

xMrFishx (1956084) | more than 3 years ago | (#34514046)

We'll all have to move to non US domains. Like .tr which stands for TERROR. Obviously. Oh wait. ICANN. No such thing as non US controlled. I wouldn't mind EUCANN (you can) existing. But no doubt the powers that be (read: powers that do because they cann) would have too much sway. I cringe each time the word hacktivists is used on the news.

Re:More security in what way? (5, Insightful)

Spy der Mann (805235) | more than 3 years ago | (#34514082)

I was thinking more or less the same thing.

The point is that a good domain name system implementation needs to be secure against protocol attacks. DNSSEC secures it against hackers, but makes it more vulnerable to political attacks. Because DNS was designed to be centralized.

The problem with currently emerging alternatives is that they're designed to be decentralized, making them vulnerable to protocol attacks. However, a good p2p implementation would use an underlying hierarchy based on the anonymity of the name authorities, and they would be able to establish further authority points. But that protocol isn't even invented yet as far as I recall, and it would require a hell lot of thought and encryption.

In any case, more cryptographic security is better, not worse. If you want someone to blame, it's the inventors of DNS for establishing a US-based name authority. Oh wait, the Internet was invented in the US, by none other than the DARPA. Go figure.

Re:More security in what way? (4, Informative)

plcurechax (247883) | more than 3 years ago | (#34514506)

I was thinking more or less the same thing.

The point is that a good domain name system implementation needs to be secure against protocol attacks. DNSSEC secures it against hackers, but makes it more vulnerable to political attacks.

You do know that DNS root servers [root-servers.org] are located (and co-located) around the world (20+ countries I believe off the top of my head), and they are all equal. The only US-centric part is that the designated maintainers (ICANN [icann.org] and IANA [iana.org]) are US based organizations, in large part due to historically originating in the US, and this does have the benefit of being one of the best legal protections for free speech in the world.

If you want an alternate system [wikipedia.org], edit your DNS root hints [internic.net] file.

Join the Internet Society [isoc.org], ICANN [icann.org], and your national domain registrar [icann.org] if you want to make a difference.

So? (2)

pavon (30274) | more than 3 years ago | (#34518122)

And yet when the US government asked VeriSign to revoke domain names, all the root servers mirrored that decision. Just because DNS is distributed doesn't make it the least bit decentralized.

Re:So? (0)

Anonymous Coward | more than 3 years ago | (#34518746)

And yet when the US government asked VeriSign to revoke domain names, all the root servers mirrored that decision. Just because DNS is distributed doesn't make it the least bit decentralized.

The US government (and ICANN and VeriSign) could do fuck all if you were running a .ca (or .uk or .fr or...) domain. You'd have to go to CIRA (for .ca records) and ask them to change the NS records to point to new DNS server(s), which is beyond the scope of the US government since CIRA is in Ottawa, Ontario, Canada.

VeriSign controls .com and .net, and so they could change the delegation records for either of those two TLDs without touching the root. Similarly for records in cc, tv, and name. The root servers had nothing to do with this.

If you don't want the US government to dictate what a US company can do to your DNS records, don't host your site with a US-based domain. There are plenty of other TLDs out there.

Re:More security in what way? (1)

rs79 (71822) | more than 3 years ago | (#34521748)

"Join the Internet Society, ICANN, and your national domain registrar if you want to make a difference."

Oh please. It was the ISOC that helped hand the domain name system to the government. In 1997 Bob Shaw, ITU, Albert Tramposch WIPO and Don Heath ISOC met at an OECD meeting. They cooked up a plan that became IAHC then ICANN. The alternative was an industry consortium that would operate the DNS the way the Internet itself operates - free of a US government regulatory authority.

It was Steve Wolff that liberated the Internet itself from DARPA. He told me he didn't move the DNS because he just plain forgot, not thinking it was important.

ISOC has a vested interest in the ICANN/domain ecosystem. The IETF insists ICANN is the root authority, ICANN delegated .ORG to PIR, operated by ISOC, the ISOC funds the IETF.

This is what you call "a loop".

Free speech vs. DNS (1)

jonaskoelker (922170) | more than 3 years ago | (#34627568)

this does have the benefit being one of the best legal protection for free-speech in the world [i.e. in the US].

Q: what do you get if you register free-speech.us at a DNS provider?

A: a free-speech zone.

Re:More security in what way? (1)

Anonymous Coward | more than 3 years ago | (#34514770)

Oh wait, the internet was invented in the US, by none other than the DARPA. Go figure

That couldn't be any more wrong.

What DARPA invented was what people commonly mistake the Internet for, or more what they WANT it to be.
The internet is the opposite of what DARPA created, in other words, locked down, centralised and EASILY knocked out by nuclear war.
Hell, it is easily knocked out by a country you piss off simply by them nullrouting everything and letting the mostly neutral BGP do the rest of the work. (well, this is less of a problem these days because there are smarter filters that communicate with each other to compare results, but it could still be taken down with a smart request done in the right way)

DARPA merely created the base framework for what eventually (d)evolved to The Internet.
ARPANET is what a lot of people are striving to bring back in some sense on the current internet. P2P DNS* being a recent huge thing due to Verisign pissing a lot of people off by happily letting US government in their pants and pushing all sorts of switches.

I remember reading on here the other day there about an idea of shaking up the control system and making it a true democratic internet.
Each major region gets a representative (or a few), they all take votes on actions to do, just like other groups such as UN.
I think it would be a really nice thing to see happen. Then other regions can finally be heard instead of shafted, with crippling hardware, software and blackholes all over the place.
As for China... not sure what they would do. I think they would probably have people there just to listen in and nothing more really. They don't particularly care about the internet outside, besides as an intelligence gatherer...

* And while a lot of people seem to be unsure of how safe this would be, or how to deal with attacks, a Web Of Trust could be created.

Re:More security in what way? (1)

hedwards (940851) | more than 3 years ago | (#34515536)

Each major region gets a representative (or a few), they all take votes on actions to do, just like other groups such as UN.

There's your problem. As bad as the US has been in recent years, it's no where near as bad as a grouping would be. Sure it would give the EU more of a say, but it would also give China a bigger say as well, and probably other governments known for far more abusive practices with regards to the internet.

Re:More security in what way? (1)

nhat11 (1608159) | more than 3 years ago | (#34518394)

Eh, no, that's not completely wrong. It was still the internet but wasn't for public use. Mainly for technical and educational purposes.

Re:More security in what way? (1)

baerm (163918) | more than 3 years ago | (#34515630)

DNSSEC secures it against hackers, but makes it more vulnerable to political attacks. Because DNS was designed to be centralized.

I don't understand. DNS is centralized and is somewhat vulnerable to political attacks. But how does DNSSEC make it more vulnerable? (It seems no different to me).

Re:More security in what way? (1)

Desert Raven (52125) | more than 3 years ago | (#34517510)

But how does DNSSEC make it more vulnerable? (It seems no different to me).

It doesn't. But it makes a nice straw-man, doesn't it?

For someone with control of the root, DNSSEC makes things only slightly more difficult, but definitely does not make it easier.

Re:More security in what way? (4, Informative)

Desert Raven (52125) | more than 3 years ago | (#34514246)

You really don't know what DNSSEC is, do you?

What DNSSEC does: DNSSEC provides a means for an end-user to determine the authenticity of the DNS data they receive by proving that only someone in control of the domain could have served the record.

What DNSSEC does not do: DNSSEC does not provide for the security of data being exchanged between systems.

With DNSSEC, each domain admin holds their own private keys. Nobody else should ever see them. Chain of authenticity is provided by each parent domain signing the delegation records provided by the child domain.

So, for the "government" to "exert control" over your domain, they would have to completely spoof every parent of your domain. This would affect not just your domain, but all domains in that TLD. Pretty sure if everyone in .com all broke at the same time, someone would notice. In short, this makes it harder for someone to take control of your DNS. If the "government" wanted it to be easier, they never would have allowed the root to be signed.

And let's face it, DNSSEC was not designed for you. DNSSEC is designed for businesses, banks and other large entities who are trying to protect their customers from being spoofed. It is just another tool like SSL. And, IMO, anyone who uses SSL certs should use DNSSEC. If you don't use SSL, it's highly unlikely you need DNSSEC.

But hey, if all you want to do is spew ridiculous conspiracy theories, never mind, rant on.

When can we have DNSSEC-derived TLS certs? (0)

Anonymous Coward | more than 3 years ago | (#34514714)

Cool, does it really have a proper delegation chain through the name hierarchy?

If so, how long until we can get automatically-generated, free server certificates based on this? There shouldn't be a need for any fees to validate this delegation chain, if it's been designed correctly to allow every client to validate the chain.

It's always been a complete sham that you have to pay some random CA to assert an FQDN to CN/public key binding, when it ought to be a trivial function of the existing DNS system that knows who controls each FQDN. Even worse, trusting a CA means trusting them to make assertions about any part of the FQDN space, no matter how little actual authority the CA has over that namespace.

Re:When can we have DNSSEC-derived TLS certs? (1)

Desert Raven (52125) | more than 3 years ago | (#34517474)

This is definitely theoretically possible. However, you're going to have to convince the major application developers to play along.

Though to be fair, it would only be the equivalent of the cheaper certs that only verify domain control for authority when issuing certs. The higher-level certs truly do involve a third-party verification of identity of the cert recipient.

Re:When can we have DNSSEC-derived TLS certs? (1)

Ungrounded Lightning (62228) | more than 3 years ago | (#34520626)

Though to be fair, it would only be the equivalent of the cheaper certs that only verify domain control for authority when issuing certs. The higher-level certs truly do involve a third-party verification of identity of the cert recipient.

Seems to me that would be adequate for most purposes. The main thing the cert mechanism catches is a man-in-the-middle forging a response from a machine within a domain, while it's the user's job to go to the correct domain in the first place. If the servers and the company's DNS records are under control of the same IT operation, and the remote user has accessed the correct domain, why shouldn't the company's IT operation self sign and publish their signatures through DNS, rather than paying somebody else to construct certificates for their internal machines?

Meanwhile, the fact that the higher-level certs verify things beyond the scope of DNS administration - such as that a given cert really IS held by the Seventh Bank of Whatsistan - means the cert authorities wouldn't lose their whole market. For starters, they could sell higher-level certs for DNS. B-)

Re:More security in what way? (1)

Timothy Brownawell (627747) | more than 3 years ago | (#34514928)

Chain of authenticity is provided by each parent domain signing the delegation records provided by the child domain.

So, for the "government" to "exert control" over your domain, they would have to completely spoof every parent of your domain. This would affect not just your domain, but all domains in that TLD. Pretty sure if everyone in .com all broke at the same time, someone would notice.

Or they could pressure the parent domain into signing their own bogus delegation records, the same way they currently can pressure them into serving bogus delegation records (such as customs seizing all those trademark-and-copyright-infringing domains a few days ago). This relies entirely on each parent domain being trustworthy about what they sign, which is a bit difficult if you don't trust the government that they're subject to.

Re:More security in what way? (0)

Anonymous Coward | more than 3 years ago | (#34515470)

Yes, but as you pointed out, this is something that could equally easily be done before or after and actually, for the truly paranoid, it would still be possible to check the exact signature to see if it had changed from the site's true private cert. It would also be possible to use IP directly. Overall this gains a lot without giving anything up.

Re:More security in what way? (1)

Desert Raven (52125) | more than 3 years ago | (#34517436)

Sure, they could pressure the parent to supply bogus records. On the other hand, they always could have pressured them to change the NS records, which they would also have to do if they published bogus DS records.

So at absolute worst, no security was gained from the "government". It cannot be made worse, because any theoretical compromise by the governing agency was already possible, and much easier before.

Re:More security in what way? (0)

Anonymous Coward | more than 3 years ago | (#34515018)

So, for the "government" to "exert control" over your domain, they would have to completely spoof every parent of your domain. This would affect not just your domain, but all domains in that TLD. Pretty sure if everyone in .com all broke at the same time, someone would notice. In short, this makes it harder for someone to take control of your DNS. If the "government" wanted it to be easier, they never would have allowed the root to be signed.

Not quite true.

Say you run www.example.com. Now you have all the private keys to example.com and publish the public keys, and someone asks for www. You look up the A record and sign it with the private key, and the DNS client verifies it with the public key. The client also verifies the public key of example.com because it is signed by the owners of .com. The .com key is then verified by the root DNS servers (".").

So "." verifies .com, and .com verifies example.com, and example.com verifies www.example.com. The entire chain is needed for a DNSSEC response to be considered valid.

What can happen is that the government could tell .com to point the (NS) records for example.com to some place else, and then verify the new ("bogus") public keys. So when a client does the .->com->example->www verification it passes, because new keys were put in place regardless of the "real" owner's wishes.

Similar things could be done with any TLD: org, ca, uk, net, fr, mil, etc. DNSSEC assumes that the transition from one domain component to another (com->example, ca->example) can be trusted.

If you can't trust the people running the TLDs all bets are off for anything else down the chain.
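To make the chain described in this comment and in Desert Raven's earlier one concrete (root signs .com's DS, .com signs example.com's DS, example.com signs the A record), here is an added Go model; it is not code from any DNSSEC implementation or from anyone in this thread. It validates the honest chain, rejects a poisoned answer and an attacker-signed answer, and shows that a delegation the parent itself re-signs still validates, which is the "pressure the parent" case argued about above. Zone names, addresses and keys are constructed, and the signed byte string is a simplification of a real RRSIG.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a constructed signed zone with one Ed25519 key pair (DNSSEC algorithm 15); the KSK/ZSK split is omitted.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS CSPRNG is unavailable
	}
	return &Zone{name, pub, priv}
}

// Link is one hop of a validation chain: the DNSKEY a zone presents plus one
// record it signed (a DS naming the child's key, or the final answer).
type Link struct {
	Key   ed25519.PublicKey
	Owner string // owner name of the signed record
	Data  []byte // DS: digest of the child's key; answer: e.g. an IPv4 address
	Sig   []byte // RRSIG over owner|data under the zone's private key
}

// signedMessage is the canonical byte string an RRSIG covers in this model.
func signedMessage(owner string, data []byte) []byte {
	return append([]byte(owner+"\x00"), data...)
}

// keyDigest is the DS record content: a SHA-256 digest of the public key.
func keyDigest(pub ed25519.PublicKey) []byte {
	d := sha256.Sum256(pub)
	return d[:]
}

// Publish signs a record with the zone's key; Delegate is the parent's signed DS for a child's key.
func (z *Zone) Publish(owner string, data []byte) Link {
	return Link{z.pub, owner, data, ed25519.Sign(z.priv, signedMessage(owner, data))}
}

func (z *Zone) Delegate(child *Zone) Link { return z.Publish(child.Name, keyDigest(child.pub)) }

// Validate walks the chain from the trust anchor (digest of the root key, as a validating
// resolver has it configured): each hop must present a DNSKEY matching the DS its parent
// signed, and a signature that verifies under that DNSKEY.
func Validate(anchor []byte, chain []Link) ([]byte, error) {
	expected := anchor
	for i, l := range chain {
		if string(keyDigest(l.Key)) != string(expected) {
			return nil, fmt.Errorf("hop %d (%s): DNSKEY does not match the parent's DS", i, l.Owner)
		}
		if !ed25519.Verify(l.Key, signedMessage(l.Owner, l.Data), l.Sig) {
			return nil, fmt.Errorf("hop %d (%s): RRSIG is invalid", i, l.Owner)
		}
		expected = l.Data // after a DS hop: the digest the next DNSKEY must have
	}
	return chain[len(chain)-1].Data, nil
}

// Scenario: constructed zones ".", "com.", "example.com.", an attacker's key pair, the trust anchor and the honest chain.
type Scenario struct {
	Com, Attacker *Zone
	Anchor        []byte
	Chain         []Link
}

func NewScenario() *Scenario {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	chain := []Link{root.Delegate(com), com.Delegate(ex), ex.Publish("www.example.com.", []byte("192.0.2.10"))}
	return &Scenario{com, NewZone("example.com."), keyDigest(root.pub), chain}
}

// PoisonedAnswer swaps the address in a genuine answer (the cache-poisoning case): the RRSIG no longer verifies.
func (s *Scenario) PoisonedAnswer() ([]byte, error) {
	c := append([]Link(nil), s.Chain...)
	c[2].Data = []byte("198.51.100.66")
	return Validate(s.Anchor, c)
}

// ForgedAnswer signs a bogus record with the attacker's key, presented as
// example.com's DNSKEY. With parentSigns=false the DS from .com does not match
// it, so validation fails; with parentSigns=true, .com has re-signed a DS for
// the attacker's key (the "pressure the parent" case) and the chain validates.
func (s *Scenario) ForgedAnswer(parentSigns bool) ([]byte, error) {
	c := append([]Link(nil), s.Chain...)
	if parentSigns {
		c[1] = s.Com.Delegate(s.Attacker)
	}
	c[2] = s.Attacker.Publish("www.example.com.", []byte("198.51.100.66"))
	return Validate(s.Anchor, c)
}
```

The last case is the one DNSSEC cannot help with: the signatures prove only that each parent vouched for the key below it, so a validating resolver has no way to tell a re-signed delegation from a legitimate key rollover.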

Re:More security in what way? (1)

hedwards (940851) | more than 3 years ago | (#34515550)

They could do that, but under the system, crackers could also just poison the cache or redirect DNS traffic to a rogue DNS server. As bad as the US government has been lately with regards to interfering with the internet, they're far better than having nobody in charge at all, or leaving things open to random crackery.

Re:More security in what way? (1)

marka63 (1237718) | more than 3 years ago | (#34521924)

And the answers from such a server would not be accepted. DNSSEC does not prevent DoS attacks and actually makes some DoS attacks easier. What it does do, when properly implemented, is prevent applications seeing false data.

The only data not covered by signatures is referrals and compromised referrals don't lead to false data being returned to the application. It will be rejected at the validation stage.

Re:More security in what way? (1)

rs79 (71822) | more than 3 years ago | (#34521766)

"Nobody else should ever see them."

*Should* being the operative word.

The other problem with DNSSEC is, once you sign your domain the government can assign the domain to somebody else via UDRP, but without your key signing, it aint gonna work. The trade mark guys are gonna freak out when they figure this out.

Re:More security in what way? (2)

PseudonymousBraveguy (1857734) | more than 3 years ago | (#34514480)

DNS has always been more or less centralized, and was always controlled by the US. The US can already disable domains as they please, DNSSEC or not. The only difference with DNSSEC is that it is now impossible to change DNS data without having access to the keys. This makes DNS more secure for everyone, including private individuals.

This is WHY I use a custom HOSTS file... apk (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34514626)

"It may be more secure for business, but it's less secure now for private individuals and the politically-active." - by girlintraining (1395911) on Friday December 10, @09:48AM (#34513928)

Per my subject-line above: This is part of the "WHY" I do "hardcodes" of 250 of my fav. sites into my custom HOSTS file (912,000 unique entries, mostly for blocking out KNOWN sites/servers/domain-host names that are known to serve up exploits)

However, for the case of speeding yourself up - some of my custom HOSTS files entries are for avoiding DNS request logs, and to be able to reach said fav. sites of mine F A S T E R (by not doing the roundtrip resolution for IP Address - to - Host/Domain names, since HDD access alone (7-10ms access, vs. 30ms or more to DNS servers roundtrip) is faster!

Especially once my HOSTS is cached, it then even goes FASTER (after the 1st request to it gets cached into RAM via caches).

Plus, I get there, & even IF the DNS server is redirect-poisoned, or is down even!

Then, the custom HOSTS file is read F A S T (after changes to it in %WinDir%\system32\drivers\etc, it's marked/flagged as "dirty", & reloads)

Then, it's cached into RAM!

That's either by the DNS ClientCache service in Windows (junk, it's limited in size & uses a queue/structure - you must turn this off saving both RAM &/or CPU cycles used for its operation, with relatively "largish" HOSTS files) OR then, its cached via the local kernel mode diskcaching subsystem (works on HOSTS files of ANY SIZE), it's operating @ the SPEED OF RAM!)

APK

P.S.=> Don't get me wrong though: I do think that DNSSEC is overall, a GOOD thing... even if only for businesses &/or the gov't. as you feel "git"

As far as DNS servers though? I cannot put the "entire internet" into my HOSTS file w/ the IP Address - to - Domain/Hosts name equation in for "every site there is under the sun", so I use OpenDNS or ScrubIT DNS (there's also GOOGLE's DNS & even AMAZON DNS now as alternatives also) for that...

Why?

Well, when Mr. Dan Kaminsky found the "kaminsky flaw" in DNS servers for a form of redirect poisoning, OpenDNS was the FIRST TO PATCH no less!

(I.E.-> The "general mechanics" of which work like so - You "bum rush" a DNS server that someone you wish to attack & that you have "lured" to a certain site via a URL for example for them to click on? You, as the attacker, flood said DNS server with tons of false 50's series ports updates to it, & you have them)

The problem w/ unpatched DNS vs. this (especially if the DNS servers are in recursive mode)?

They take the FIRST REPLY THEY SEE & DON'T VERIFY IT! This makes redirection poisoning a second's notice (& Mr. Kaminsky demonstrated it, seconds of work only...)

Other forms of redirect exist also (std. DNS poisoning) or what the Chinese are doing with DNS too:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

or

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

When THAT occurred in the latter? I was going to the site ALL WEEK LONG even when the update propagations were lagging to subordinate DNS servers... & simply because of the hardcodes in my HOSTS file.

I stay safe(r) from it, & faster too... Especially regarding my 250 fav. sites hardcoded into my HOSTS file here...(Which I update via a pinger built into my own HOSTS mgt. program here, & double-verify with WHOIS queries also).

Those entries of my fav. sites (like /. ), are "hardcoded" into my custom HOSTS file for that purpose - more speed, & more security (& I get to my fav. sites, w/out wasting roundtrip time to DNS servers, which MAY be poisoned via various means (or again, downed) - I also block out KNOWN bad sites/servers/hosts-domains names for even more security, & I get my sources for that, from this list here below:

REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

& even /. articles related to security too (when the source article is detailed, it shows you the botnet C&C servers used, nameservers, & more)... & even when adbanners bear malicious code too, I am protected:

---

MICROSOFT APOLOGIZES FOR SERVING MALWARE:

http://www.google.com/search?hl=en&source=hp&q=%22Microsoft+apologizes+for+serving+malware%22&btnG=Google+Search [google.com]

(Happens to the best of them... even in AD BANNERS!)

---

I block out ALL adbanners, because it's MY MONEY PAYING FOR MY ONLINE TIME & if ISP/BSP's start implementing a "use as you go" & pay by volume (how much you use in bandwidth) & there are talks of it going on now -> I will be getting MORE FOR MY HARD-EARNED CA$H too, because I won't be pulling in adbanner data AND PROCESSING IT (javascript malicious code bearing ones especially)... apk

Re:This is WHY I use a custom HOSTS file... apk (-1)

Anonymous Coward | more than 3 years ago | (#34515426)

CALLING TOMHUDSON!

DAMN! Where's a bat signal when you need one?

"The LORD OF HOSTS" whipped tomhudson before (0)

Anonymous Coward | more than 3 years ago | (#34528770)

TomHudson goes DOWN too easily, especially on HOSTS file data, vs. myself... every time:

http://tech.slashdot.org/comments.pl?sid=1699526&cid=32716428

There in that URL?

Your "hero" tomhudson, ran, & refused to answer questions put to him many times, and in the end? All tomhudson had was effete name-tossing &/or adhominem attack attempts, vs. the facts I use in favor of HOSTS files...

(LMAO - it's ALL there, in "black & white" too, no denying it!)

So, please - DO go ahead, & do call on "your hero" tomhudson, please!

As I'll trash him just as easily here this time, and then some, as I did before numerous times on this topic of HOSTS files (& others).

APK

P.S.=> You trolls, you just DON'T GET IT, do you? I'll burn you with facts, every time, vs. your adhominem attacks & "fantasyland" misleading b.s. you try to feed others here & elsewhere online, especially in regards to HOSTS files!

"Nobody touches, my hurricane... (Nobody DARES to even try!)... You try to catch me, but you-just-can't-catch-a-hurricane!" - THE RODS

As to that tune, & what it says & how it pertains to that link above + our discussion on HOSTS files (where I completely BLEW tomhudson AWAY, on HOSTS files)?

See THE RODS' video here ->

http://www.youtube.com/watch?v=apOdWOK5Rh8&feature=related

It explains it all as to what happened at the 1st URL above I posted now here where tomhudson tried to take me on with his pals, and lost badly!

That video & the quotes I used from it, say it all, & FAR better than I can say it myself... apk

Re:"The LORD OF HOSTS" whipped tomhudson before (0)

Anonymous Coward | more than 3 years ago | (#34536360)

Nah, you just burn yourself with bullshit. You have no facts. They're all lies. And you're full of it.

TomPudson never showed up though, LMAO! (0)

Anonymous Coward | more than 3 years ago | (#34542038)

"Nah, you just burn yourself with bullshit. You have no facts. They're all lies. And you're full of it." - by Anonymous Coward on Monday December 13, @01:21PM (#34536360)

Funny, see my subject-line above... LMAO!

APK

P.S.=> As for TomPudson running like he did before vs. my points on HOSTS files he could not disprove? See my last post:

http://tech.slashdot.org/comments.pl?sid=1905218&cid=34528770

The URL's are there and so is he, lol, RUNNING! apk

Funny: This was modded up +1, & now? (0)

Anonymous Coward | more than 3 years ago | (#34522662)

-1 Troll? Please - Is this malware makers, disgruntled webmasters, or advertisers doing this?? They're the ONLY ones that might even think about modding down a post where I show others the benefits of HOSTS files usage.

After all, I can make that assumption above, because it's only a simple matter of using that old adage of "follow the money"...

Mr. Bruce Perens can say how it is, better than I can, when it comes to "big money online" & what they'll TRY to do, to keep that money coming &/or their "rep" clean:

"I have been offered the online-perception-management services I'm talking about while managing at HP and Sourcelabs. If you are not aware of companies' concern for their online perception and what they do about it, and won't take my word for it, there isn't much point in arguing about it with you." - by Bruce Perens (3872) on Friday July 30, @09:27PM (#33092398) Homepage Journal

FROM -> http://linux.slashdot.org/comments.pl?sid=1738364&cid=33092398 [slashdot.org]

and

"It just takes one Ubuntu sympathizer or PR flack to minus-moderate any comment. Unfortunately, once PR agencies and so on started paying people to moderate online communities, and to have hundreds of accounts each, things changed." - by Bruce Perens (3872) on Friday July 30, @03:55PM (#33089192) Homepage Journal

FROM -> http://linux.slashdot.org/comments.pl?sid=1738364&cid=33089192 [slashdot.org]

APK

P.S.=> See my subject-line above, and the content from Mr. Bruce Perens... Does whoever is downmodding me, from a formerly "up modded" post even begin to *THINK* they're fooling anyone here? apk

Re:More security in what way? (0)

Anonymous Coward | more than 3 years ago | (#34516226)

You mean the International Resource that the U.S. created and gave to the world? How dare they!

Has been sued almost immediately. (4, Funny)

140Mandak262Jamuna (970587) | more than 3 years ago | (#34514078)

Looks like the lawyers of Microsoft were anticipating this move and were itching for a fight. They have sued the entire internet for infringing on their trademark .Net

worldwideds (-1)

Anonymous Coward | more than 3 years ago | (#34514116)

Fucking idiot. Learn to spell. "worldwideds" ?

Certificates in DNS. (4, Interesting)

Timmmm (636430) | more than 3 years ago | (#34514172)

Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

Re:Certificates in DNS. (1)

icebraining (1313345) | more than 3 years ago | (#34514302)

RFC4398 [ietf.org] defines a CERT record to store certificates, but I have no idea if it's supported by current DNS resolvers (I doubt it is).

Re:Certificates in DNS. (1)

marka63 (1237718) | more than 3 years ago | (#34521942)

It was supported by the very oldest resolvers. A good resolver library handles unknown record types and passes them back to the application to handle as an opaque blob. res_query() from BIND 4.8 can retrieve CERT records for the application. Just ask it to retrieve type 37 for you.

Re:Certificates in DNS. (3, Informative)

amorsen (7485) | more than 3 years ago | (#34514630)

DNS is just a database. You can store anything you want in it. If you're storing something you want lots of people to care about, it's best to get a dedicated record type for it, but if you just want to play around you can use TXT records. There is a record type for certificates.

So yes, you can do

www.example.com IN TXT "this server should only be contacted by HTTPS. Do not gopher!"

but web browsers are not likely to ask for that record. Feel free to develop a browser which does or ask the browser developers to include this feature.

Re:Certificates in DNS. (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34515146)

Does DNSSEC allow storing SSL certificates in the DNS records? It would seem that this is an awesome way of getting free SSL certificates.

Also, I doubt anyone bothered with this, but does DNSSEC have any way of saying "this domain should only be contacted with SSL"? That would prevent SSL stripping MitM attacks.

There are CERT records that can have X.509 (SSL/TLS) certificates:

http://tools.ietf.org/html/rfc4398

Just like a browser can do a look up for the A record of a web site, it could also look up the CERT record if it was so inclined.

With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.
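Added worked example (editor's note, not code from any commenter above): marka63 says a resolver library only has to fetch type 37 and hand the RDATA back as an opaque blob, and the Anonymous Coward above says a browser could look up the CERT record the same way it looks up an A record. The script below shows what that actually involves on the wire: it builds a DNS query for QTYPE 37, parses a reply (including name-compression pointers) and splits the CERT RDATA into the fields RFC 4398 defines (type, key tag, algorithm, certificate). The reply and the "certificate" bytes are constructed inline so it runs offline; names and values are placeholders. It deliberately does nothing about DNSSEC validation of the answer, which is a separate step from transport.

```python
"""Fetch-and-parse path for a CERT (type 37) record, RFC 4398, offline."""
import struct

QTYPE_CERT = 37          # RFC 4398
QCLASS_IN = 1
CERT_TYPE_PKIX = 1       # X.509 certificate, RFC 4398 section 2.1


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire format (length-prefixed labels, root = 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_CERT, qid: int = 0x1234) -> bytes:
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the 2-byte pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes):
    """Return the answer section as (name, type, class, ttl, rdata) tuples."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return answers


def parse_cert_rdata(rdata: bytes) -> dict:
    """CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate, RFC 4398 2.1."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "certificate": rdata[5:]}


def build_sample_response(query: bytes, cert_der: bytes, ttl: int = 3600) -> bytes:
    """Constructed reply: echoes the question, answers with one PKIX CERT RR whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    rdata = struct.pack("!HHB", CERT_TYPE_PKIX, 0, 0) + cert_der
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_CERT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr


def lookup_cert_offline(name: str, cert_der: bytes) -> dict:
    """Round-trip a query through the constructed reply and extract the CERT fields."""
    query = build_query(name)
    reply = build_sample_response(query, cert_der)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    canon = name.rstrip(".").lower() + "."
    for owner, rtype, rclass, _ttl, rdata in parse_response(reply):
        if rtype == QTYPE_CERT and rclass == QCLASS_IN and owner.lower() == canon:
            return parse_cert_rdata(rdata)
    raise LookupError("no CERT record in answer")


if __name__ == "__main__":
    fake_der = b"\x30\x82\x01\x00" + b"\x00" * 8     # placeholder bytes, not a real cert
    print(lookup_cert_offline("www.example.net", fake_der))
```

To use it against a live server you would send build_query() over UDP/TCP port 53 and feed the datagram to parse_response(); the parsing is the same. A transaction ID check alone is what pre-DNSSEC resolvers had against spoofed answers, which is exactly why the certificate pulled out here is not trustworthy until the RRset's signature has been validated.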

Re:Certificates in DNS. (2)

rduke15 (721841) | more than 3 years ago | (#34518690)

With DNSSEC it is now possible to check the veracity of the CERT RR to prevent man-in-the-middle accounts. DNSSEC could be used as a substitute for certificate authorities.

This is news for me, and extremely interesting. Are there any browsers/mail clients/whatever supporting this? Anything worth reading about it? Instructions on how to implement it and make some experimental use of it?

Can we lobby for this to be implemented in browsers, email, and the rest?

Currently, you either have to pay some CA, or be your own CA which nobody trusts, and have everyone install the cert or constantly click through the warnings
maze.

Re:Certificates in DNS. (2, Informative)

Anonymous Coward | more than 3 years ago | (#34519442)

Coincidentally, today this working group became official:

http://www.ietf.org/mail-archive/web/keyassure/current/msg01078.html

Objective:

Specify mechanisms and techniques that allow Internet applications to
establish cryptographically secured communications by using information
distributed through DNSSEC for discovering and authenticating public
keys which are associated with a service located at a domain name.

Actually, they enabled it yesterday (2)

Desert Raven (52125) | more than 3 years ago | (#34514408)

Actually, .net was enabled sometime around 16:00 GMT yesterday. They just didn't announce it until today.

I was doing testing of a DNSSEC system yesterday, and one of my test cases changed state on me unexpectedly. (Signed zone in an unsigned parent)

.NET Zone? (0)

Anonymous Coward | more than 3 years ago | (#34514932)

What is the .NET Zone? Is that where Silverlight came from? Do you just mean the .net TLD?

Re:.NET Zone? (1)

hedwards (940851) | more than 3 years ago | (#34515584)

I assume you're joking, but it's the TLD, unless those other things are suddenly requiring DNS look ups.

Re:.NET Zone? (1)

petermgreen (876956) | more than 3 years ago | (#34519892)

In DNS speak a "zone" defines names with a common suffix. It may either define those names directly or it may delegate them to sub-zones hosted on other servers.

So when you lookup www.slashdot.org then (assuming nothing is cached) the recursive resolver looks up www.slashdot.org in servers responsible for the root zone which tells it where the .org zone is hosted. Those servers tell the resolver where slashdot.org zone is hosted and finally those servers tell the resolver the requested details for www.slashdot.org.

PowerDNS (1)

otis wildflower (4889) | more than 3 years ago | (#34518454)

I'm aware that DNSSEC is currently supported in test builds of PowerDNS, but consider this a vote for having it available in stable by the time .com gets signed.

(In the interim, I figure having BIND slaves serving data off of PowerDNS would work, since PDNS can handle DNSSEC RR types)

Re:PowerDNS (1)

marka63 (1237718) | more than 3 years ago | (#34521992)

BIND 9 has supported DNSSEC for the last 10 years. It was used in production testbeds (BIND 9.1 and 9.2) which led to a redesign of the trust model at delegation points.

BIND 9.3 onwards has supported the current DNSSEC with NSEC3 support being added in BIND 9.6. RSASHA256 (used in the root) and RSASHA512 support was added in BIND 9.6.2 and BIND 9.7.
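Added worked example (editor's note, not code from any commenter): petermgreen describes the walk from the root zone down through each delegation, marka63 mentions the trust model at delegation points, and Desert Raven's test case was a signed zone sitting under a parent that had no delegation-signer for it. The script below ties those together: it computes a DS record the way RFC 4034 specifies (key tag per Appendix B, SHA-256 digest over the canonical owner name plus DNSKEY RDATA) and then walks a constructed set of zones root-first, marking each delegation secure (parent's DS matches the child's KSK), insecure (parent publishes no DS, so a signed child is an island) or bogus (DS present but matching no child key). Zone names other than the real root and "net." are placeholders, the key material is placeholder bytes rather than real RSA keys, and RRSIG verification is intentionally out of scope, so this shows the DS linkage only, not full validation.

```python
"""Delegation walk with DNSSEC DS linkage (RFC 4034), on constructed zone data."""
import hashlib
import struct

ALG_RSASHA256 = 8        # RFC 5702
DIGEST_SHA256 = 2        # DS digest type 2, RFC 4509


def name_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(public_key: bytes, ksk: bool = True, algorithm: int = ALG_RSASHA256) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1)=3 algorithm(1) public key, RFC 4034 2.1."""
    flags = 0x0101 if ksk else 0x0100        # ZONE bit, plus SEP bit for a KSK
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS RDATA: key tag(2) algorithm(1) digest type(1) digest, RFC 4034 5.1."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 DS digests are handled here")
    digest = hashlib.sha256(name_wire(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], digest_type) + digest


def ds_matches(owner: str, ds: bytes, dnskey: bytes) -> bool:
    """Does a DS held in the parent commit to this DNSKEY published by the child?"""
    if len(ds) < 4 or ds[3] != DIGEST_SHA256:
        return False
    return ds == ds_rdata(owner, dnskey, ds[3])


def chain_status(zones: dict, target: str, trust_anchor: bytes) -> list:
    """Walk root -> TLD -> ... -> target like a recursive resolver and return
    (zone, status) pairs, status in {'secure', 'insecure', 'bogus'}."""
    labels = [l for l in target.rstrip(".").lower().split(".") if l]
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    if zones["."]["ksk"] != trust_anchor:
        return [(".", "bogus")]               # root KSK differs from the configured anchor
    results, secure = [(".", "secure")], True
    for parent, child in zip(path, path[1:]):
        if child not in zones:
            break                              # no delegation: name lives inside the parent zone
        if not secure:
            results.append((child, "insecure"))   # nothing below an insecure cut can be proven
            continue
        ds, ksk = zones[parent]["ds"].get(child), zones[child]["ksk"]
        if ds is None:
            secure = False                     # signed or not, the child is an island
            results.append((child, "insecure"))
        elif ksk is not None and ds_matches(child, ds, ksk):
            results.append((child, "secure"))
        else:
            results.append((child, "bogus"))   # a validator would SERVFAIL here
            break
    return results


def build_sample_zones() -> dict:
    """Constructed fixture. Keys are placeholder bytes; 'lab.' is a made-up unsigned TLD."""
    root_ksk = dnskey_rdata(b"root-ksk-placeholder")
    net_ksk = dnskey_rdata(b"net-ksk-placeholder")
    ex_ksk = dnskey_rdata(b"example-net-ksk-placeholder")
    island_ksk = dnskey_rdata(b"signed-lab-ksk-placeholder")
    rogue_ksk = dnskey_rdata(b"rogue-net-ksk-placeholder")
    return {
        ".": {"ksk": root_ksk, "ds": {"net.": ds_rdata("net.", net_ksk)}},  # no DS for lab.
        "net.": {"ksk": net_ksk, "ds": {
            "example.net.": ds_rdata("example.net.", ex_ksk),
            # DS computed over a key the child no longer publishes: validation fails
            "rogue.net.": ds_rdata("rogue.net.", dnskey_rdata(b"old-rogue-key")),
        }},
        "example.net.": {"ksk": ex_ksk, "ds": {}},
        "lab.": {"ksk": None, "ds": {}},                  # unsigned parent
        "signed.lab.": {"ksk": island_ksk, "ds": {}},    # signed zone, unsigned parent
        "rogue.net.": {"ksk": rogue_ksk, "ds": {}},
    }


if __name__ == "__main__":
    z = build_sample_zones()
    for name in ("example.net.", "signed.lab.", "rogue.net."):
        print(name, chain_status(z, name, z["."]["ksk"]))
```

The "signed.lab." case is the shape of Desert Raven's test: the zone is signed, but until its parent is signed and carries a DS for it, a validator can only call it insecure. Once the parent is signed and the DS is in place, the same query flips to secure, which is what happened for zones under .net when the TLD went live.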
