
Ask Slashdot: Which Registrars Support DNSSEC?

timothy posted more than 2 years ago | from the are-you-now-or-have-you-ever-been dept.

Security 70

baerm writes "With GoDaddy being purchased by private equity firms (i.e. it will be sucked dry with service reduction and price increases until it dies) what other Registrars support DNSSEC? GoDaddy is the only registrar I could find that supports DNSSEC for registrants running their own DNS. It was fairly easy to add the Key Signing Keys' DS records to the parent zone using its DNS config. I did find a couple other registrars that were 'testing' DNSSEC or that would support DNSSEC if they ran your DNS. But I couldn't find any other registrars where you could just register, run your own DNS, and use DNSSEC (i.e. with your DS record in your parent zone). That being said, I was only able to research a small percentage of the registrars out there. Does anyone know of registrars, other than GoDaddy, that allow for DNSSEC? That is, registrars that have a method to pass the DS records to the parent zones for their registrants' domains?"
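The submission is about getting the DS record for a Key Signing Key into the parent zone. As an added example (not from the submitter or any registrar's tooling), this Python script derives the DS record a registrar would publish from a DNSKEY line, then checks a parent's DS set against the child's DNSKEY set so a stale or mismatched DS shows up before validating resolvers start failing; the example.com zone, the dummy key bytes and the stale DS are constructed sample data, not real keys.

```python
"""Derive and check DNSSEC DS records for a Key Signing Key (RFC 4034 / RFC 4509)."""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types from the IANA registry; SHA-256 (2) is what registrars normally accept.
DS_DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

@dataclass(frozen=True)
class DNSKey:
    name: str        # owner name, e.g. "example.com."
    flags: int       # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    pubkey: bytes    # raw public key bytes (base64-decoded)

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str      # lowercase hex

def _split_rr(line: str, rtype: str) -> tuple[str, list[str]]:
    """Return (owner, RDATA tokens) of a presentation-format RR; optional TTL/class are skipped."""
    tokens = line.split()
    idx = [t.upper() for t in tokens].index(rtype)  # ValueError if it is not that record type
    return tokens[0], tokens[idx + 1:]

def parse_dnskey(line: str) -> DNSKey:
    name, rd = _split_rr(line, "DNSKEY")
    flags, protocol, algorithm = (int(x) for x in rd[:3])
    return DNSKey(name, flags, protocol, algorithm, base64.b64decode("".join(rd[3:])))

def parse_ds(line: str) -> DS:
    _, rd = _split_rr(line, "DS")
    key_tag, algorithm, digest_type = (int(x) for x in rd[:3])
    return DS(key_tag, algorithm, digest_type, "".join(rd[3:]).lower())

def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: DNSKey, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA): the record the registrar publishes."""
    h = hashlib.new(DS_DIGESTS[digest_type])
    h.update(wire_name(key.name) + key.rdata())
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.hexdigest())

def format_ds(name: str, ds: DS) -> str:
    return f"{name} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.upper()}"

def check_delegation(parent_ds_lines, child_dnskey_lines) -> dict:
    """Match the parent's DS RRset against the child's DNSKEY RRset. A DS matching no current
    key is stale; if no DS matches at all, validating resolvers treat the zone as bogus."""
    keys = [parse_dnskey(l) for l in child_dnskey_lines]
    report = {"matched": [], "stale": [], "unsupported": []}
    for line in parent_ds_lines:
        ds = parse_ds(line)
        if ds.digest_type not in DS_DIGESTS:
            report["unsupported"].append(ds)  # validators ignore unknown digest types
            continue
        hit = next((k for k in keys if make_ds(k, ds.digest_type) == ds), None)
        if hit:
            report["matched"].append((ds, hit))
        else:
            report["stale"].append(ds)
    return report

# Constructed sample zone: the key payloads are dummy bytes, not real ECDSA keys.
KSK_LINE = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
ZSK_LINE = "example.com. 3600 IN DNSKEY 256 3 13 BQYHIA=="
STALE_DS_LINE = "example.com. IN DS 12345 13 2 " + "00" * 32  # left over from an old key

if __name__ == "__main__":
    ksk = parse_dnskey(KSK_LINE)
    print(format_ds(ksk.name, make_ds(ksk)))  # the line to hand to the registrar
    print(check_delegation([format_ds(ksk.name, make_ds(ksk)), STALE_DS_LINE], [KSK_LINE, ZSK_LINE]))
```

Feed it the DNSKEY RRset from your own nameserver and the DS RRset the parent actually serves to confirm the registrar published what you submitted.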

70 comments

DynDNS does it (3, Informative)

CoverStory (1020095) | more than 2 years ago | (#36654860)

Re:DynDNS does it (0)

Anonymous Coward | more than 2 years ago | (#36654926)

GoDaddy = the worst in the world. I gave Google domain registration a shot and they use GoDaddy. I let the domain go to waste after putting up with GoDaddy advice that came straight out of Google's world. Nothing but advice pages and the run around. Both companies can choke and die. Nice and polite when I could get GoDaddy on the phone (completely impossible with Google) but the answer was "Well, duh. There ain't nothing I can do. I have a thumb up my ass though if you'd like to smell it".

And the question that stumped them both: "How do I put my actual name on the domain instead of your hidden service?". Seriously. It's like asking "Which way is up?". Why couldn't I just change it myself? Why couldn't either of them change it when I wasn't able to? Argh. It's been years and I'm going to start pounding my head into a brick wall again. What. The. Fuck.

Re:DynDNS does it (1)

snsh (968808) | more than 2 years ago | (#36655108)

"How do I put my actual name on the domain instead of your hidden service?"

Your question stumped me too until I thought about it for a while and figured out you are _probably_ talking about WHOIS data and private domain registration. If so, if you ask Google/GoDaddy that way, they should be able to give you a straight answer.

Or are you seriously asking how to replace their generic parked domain webpage with your own website? If so, then I don't know what to tell you.

Re:DynDNS does it (0)

Anonymous Coward | more than 2 years ago | (#36655174)

Hours, and I literally mean hours, of the phone on hold or me looking through the Google info sites of WHOIS data. I can't think of a simpler question. I had no idea it was even something I'd have to look up. Name change, "Fill this in". GoogleDaddy answer "Try checking our site for help! Did this page help?" After fucking with it forever because who wants to get beaten down over a simple name change, I finally gave up.

Once I was in Rome and my Italian is decent enough. I asked a friendly group of locals at a bar to teach me to say "Roma" like the locals do. That also took forever. But it got done! Google/GoDaddy I just walked away from.

Re:DynDNS does it (1)

Hal_Porter (817932) | more than 2 years ago | (#36655252)

GoDaddy = the worst in the world.

I once worked with a guy who had their irritating "GoDaddy! GoDaddy! who's your daddy" jingle as his ringtone. I suspected he might have been a paedophile.

Re:DynDNS does it (1)

Nasajin (967925) | more than 2 years ago | (#36656794)

I once worked for a shitty sysadmin who had a ringtone of the sound of his children crying. He once also castigated an intern for downloading "over 50 terabytes this morning!" on a 256kbps connection. Needless to say, he was a worthless human being.

I dunno (1)

way2trivial (601132) | more than 2 years ago | (#36660982)

my ringtone's primary function is to wake me up or get my attention..

my kids crying would do a great job.. the only problem I really perceive is I might be standing in his bedroom half asleep consoling him over my shoulder while my cellphone carries on on the nightstand...

Re:DynDNS does it (3, Informative)

chrisgeleven (514645) | more than 2 years ago | (#36655338)

Yep, we support DNSSEC on .com, .net, .org, .biz, and .se. No need to use us for DNS (although you certainly can, any DynECT Managed DNS products support DNSSEC).

Re:DynDNS does it (1)

baerm (163918) | more than 2 years ago | (#36655538)

This is good to know. When I looked at DynDNS a few months ago, I was unable to find a way to upload DS records to my parent. In fact, this appeared to me to be a registrar that would only support DNSSEC if it managed the DNS (which would already put it ahead of most at the time). I'm hoping this is a fairly recent change and it wasn't just my failure to figure it out at the time. I was a bit disappointed too, because I really like DynDNS. It seems to me to be one of the more professional registrars (more interested in being a good registrar than in trying to up-sell everything).

Re:DynDNS does it (1)

chrisgeleven (514645) | more than 2 years ago | (#36656296)

We added DNSSEC support for the major TLDs several months ago, sounds like right after you looked. The domain registration page for supported domains will show a section for adding DS records.

Re:DynDNS does it (1)

Tacvek (948259) | more than 2 years ago | (#36655984)

Your DynDNS.com website does not make it particularly clear that you support DNSSEC on your domain registration product.

You provide the documentation for setting up DNSSEC for a domain on http://www.dyndns.com/support/kb/implementing_dnssec.html [dyndns.com], but you don't mention how to submit the information needed for DS records, so you can submit the DS records to the Registry for inclusion in the TLD zone. That page appears not to have been updated in a while, which is probably why it lacks that information.

I would also recommend that you mention DNSSEC on this page [dyndns.com], probably right after you talk about Glue Records, since DS records are similar in that they are added to the parent zone, and like glue records they are only needed if the domain is set up a specific way (namely set up to support DNSSEC).

Re:DynDNS does it (1)

chrisgeleven (514645) | more than 2 years ago | (#36656316)

Yeah that DNSSEC page looks very old, I hadn't even realized it existed until now. Thanks for bringing this up. We are working on rewriting docs so I will make sure this gets addressed.

Once you have a registered domain in your account, for supported TLDs there is a 'DNSSEC DS records' section on your domain registration page.

Hmmmm (1)

ModernGeek (601932) | more than 2 years ago | (#36654864)

This seems like a good time to start an open-source minded registrar.

Re:Hmmmm (3, Interesting)

TooMuchToDo (882796) | more than 2 years ago | (#36654916)

Several months ago, I thought about opening a coop model registrar, in the same vein as ARIN or other non-profit resource management organizations, but didn't think there'd be enough demand (IT people would dig it, but not your average joe, who is going to use GoDaddy). How difficult is it to start a registrar?

It's expensive.. (1)

intellitech (1912116) | more than 2 years ago | (#36654956)

I don't think it would be terribly difficult, but the expense of the whole process tends to dissuade people from trying.

Re:It's expensive.. (3, Informative)

Anonymous Coward | more than 2 years ago | (#36655186)

Correct, there is a $2,500 non-refundable fee, plus a $175,000 payment upon approval, plus you must have $70,000 extra just in case, plus you must prove that you can run a profitable operation, and tons of other impediments.

ICANN and verizon control everything and they want to keep it that way.

We are actually thinking about an open source registrar model, but those costs are making it very difficult.

There is a great market there. ICANN only charges like 23 cents a year for the name; GoDaddy and the rest of the registrars are making a killing! Profit from it: 48000 domains, you make the numbers!

Re:It's expensive.. (1)

Anonymous Coward | more than 2 years ago | (#36655256)

Verizon? You meant VeriSign ;)

Re:It's expensive.. (0)

Anonymous Coward | more than 2 years ago | (#36655948)

yes correct, thanks :)

Re:It's expensive.. (3, Insightful)

TooMuchToDo (882796) | more than 2 years ago | (#36655336)

I run a (substantially) profitable hosting operation with several million dollars in the bank (business accounts, I don't pay myself more than my co-workers/employees).

So, I can run a profitable operation, the question is, are there enough people willing to purchase domain services from a non-profit?

Re:It's expensive.. (0)

Anonymous Coward | more than 2 years ago | (#36656192)

It does not have to be a non-profit, it just has to be an open source driven operation.

Hosting companies use Linux and tons of open source solutions and most of them don't pay a penny for these services, while they pay very good money to cPanel and the other host managers. This is the key point here I think. That is at least what we are planning to do: to make a very open source oriented solution, maybe not cheaper if the situation is not good for it, but at least to use the resources to give back to open source as much as possible.

Re:It's expensive.. (1)

TooMuchToDo (882796) | more than 2 years ago | (#36657898)

My point is I *want* to run it as a non-profit organization, similar to Wikipedia. I take in enough money to pay for servers, developers, etc. and keep prices as low as possible, since I have no shareholders demanding their pound of flesh.

Re:It's expensive.. (1)

dodobh (65811) | more than 2 years ago | (#36658964)

I work for a domain registrar. It's possible to run a registrar as a low cost service, but it's purely a volume business.

In fact, the only way you can run a registrar is by pushing volumes and that needs low prices.

Re:It's expensive.. (1)

TooMuchToDo (882796) | more than 2 years ago | (#36661574)

That's what I assumed. You're looking at a Wal-Mart model, with an extremely slim margin per domain purchased.

Re:It's expensive.. (1)

gpuk (712102) | more than 2 years ago | (#36655340)

Don't forget Verisign also charges a wholesale fee of $7.34 as the administrator of the .com namespace.

Re:It's expensive.. (0)

Anonymous Coward | more than 2 years ago | (#36656010)

See, that is outrageous.

What is the solution?
End this nonsense .com revolution and move to another TLD?

I think it is time for people to realize that there are other extensions, people actually still don't understand that www is not required and that there are other options besides .com

(and it was 48 000 000 domains, not 48k)

Re:It's expensive.. (1)

raju1kabir (251972) | more than 2 years ago | (#36669868)

The www may not be "required" but it's much more difficult to run a reliable site without it since you then can't use CNAME records to cheaply eliminate a single point of failure.

There's more to the internet than the web, remember.

Re:It's expensive.. (0)

Anonymous Coward | more than 2 years ago | (#36655644)

Since all it is, is the conversion of a text string to an IP number, how about starting an alternative system that does this? Browsers could then be set up to choose between good old DNS, or the new system whatever it'll be called.

DynDNS (0)

Anonymous Coward | more than 2 years ago | (#36654884)

DynDNS [dyndns.com] do support DNSSEC (and although they are more expensive than GoDaddy, they don't try upselling you every step you take).

Registrars that support DNSSEC (4, Informative)

lothos (10657) | more than 2 years ago | (#36654964)

Name.com and Network Solutions are two of the big, well-known registrars that support DNSSEC. .org was the first to support DNSSEC.

Here's a list of registrars that support DNSSEC for .org: http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc [pir.org]

Re:Registrars that support DNSSEC (1)

Anonymous Coward | more than 2 years ago | (#36655992)

" .org was the first to support DNSSEC."

No it wasn't. .SE was the first TLD. .MUSEUM was the first non-ccTLD.

Re:Registrars that support DNSSEC (0)

Anonymous Coward | more than 2 years ago | (#36656408)

I switched my .net domain to name.com last month since dotster doesn't support either IPv6 or DNSSEC. It took me a bit to figure out their interface to get the IPv6 glue records in, and once they pointed it out, I felt a bit stupid for not realizing it earlier. However when I asked about getting the DNSSEC keys in place, I found out they only support DNSSEC for .org at the moment, but are looking at rolling it out for the other TLDs soon. (For an unknown value of "soon".)

Why do we immediately assume GoDaddy will suck? (2, Interesting)

jchawk (127686) | more than 2 years ago | (#36654978)

I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm. GoDaddy had every intention of going public but chose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.

GoDaddy is a cash cow that will likely continue to be a cash cow if the parent firm lets GoDaddy continue to operate in the manner they have done so since they were founded.

I'm not an investment equity firm but if I were I would look to maximize revenue over as long of a timeline as possible. GoDaddy has no real tangible assets to come in and suck dry like a large manufacturer might, so sucking the life out really doesn't make a lot of financial sense.

I've been happy with GoDaddy over the years and will continue to use them until their service slips or their prices get out of control.

Re:Why do we immediately assume GoDaddy will suck? (2)

HFShadow (530449) | more than 2 years ago | (#36655044)

Wait, godaddy doesn't suck already? I don't see how they could possibly get much worse.

Re:Why do we immediately assume GoDaddy will suck? (1)

bigstrat2003 (1058574) | more than 2 years ago | (#36655176)

I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.

Re:Why do we immediately assume GoDaddy will suck? (1)

jhoegl (638955) | more than 2 years ago | (#36655282)

I used them through work. Bought an SSL certificate back in the day (2007 I think), and called them up to verify a few things.
Their people were bright, easy to work with, and answered all of my questions.
Since then I have had no problems with them except for their busy website.

Re:Why do we immediately assume GoDaddy will suck? (1)

fast turtle (1118037) | more than 2 years ago | (#36655602)

They've been my registrar for the last 6-9 years and other than their website being a bit confusing at times, they've been easy to deal with. I was even impressed that their phone support people were in the States and actually spoke English and they didn't work from a damn script. Knowledgeable folks, and they solved the problem within minutes, plus I got a confirmation email for the trouble ticket.

Re:Why do we immediately assume GoDaddy will suck? (1)

jd2112 (1535857) | more than 2 years ago | (#36655820)

I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.

I take it you aren't a beer drinker.

Re:Why do we immediately assume GoDaddy will suck? (1)

adolf (21054) | more than 2 years ago | (#36656280)

The "beer" that is marketed using advertising that is as dumb and pandering as GoDaddy hardly even qualifies as beer, except perhaps in the legal sense of the term.

Good beer does not typically resort to such tactics. It is often scarcely advertised at all.

Re:Why do we immediately assume GoDaddy will suck? (1)

VortexCortex (1117377) | more than 2 years ago | (#36656778)

I've never used their service, but I do know that I refuse to support any business whose advertising is as dumb and pandering as theirs.

I take it you aren't a beer drinker.

Actually, I share the same opinion that GoDaddy is crap, and I have used their services on the behalf of others (esp. to transfer the domain away), and I do drink beer. Get a clue, you can enjoy a brew and still scoff at immature and sexist ad campaigns -- What? No nearly naked men? (targeted ads at their finest -- unprofessional meatheads who care more about sex appeal in ads than the services the sex is selling.)

Picture trying to hide the nearly lewd imagery of the GoDaddy site from a client after having registered their domain name with that site -- or trying to explain why their MX record forwarding doesn't work properly even though you've assured them you're a professional and it's not your fault you chose the crappy GoDaddy registrar...

GoDaddy is in the business of marketing domains, search for something, it gets put up on the auction block, "back-order now", etc... Actually providing registrar services is an afterthought.

Enjoying a beer doesn't magically place you in the category of "good 'ol boy, womanizer", and pointing out sexism (or at least double standards) doesn't mark me as uptight... I don't really care -- It's not the image I choose to associate with, however.

Hell, I probably enjoy more beer than you do... I even brew my own beer, and trade my beer recipes and brews with others for free at the brewer's club. I've had my recipes improved by others and had better beer and friends because of it. "Free as in beer" means something strikingly similar to "free as in freedom" to a FLOSS dev / homebrewer -- The very existence of the term "homebrewed software" should be a dead giveaway to RMS that "Free as in Beer" is the wrong terminology to contrast "Free as in Freedom" -- it should be "Free as in Promotional".

Take that rambling beer talk as proof!

Re:Why do we immediately assume GoDaddy will suck? (0)

Anonymous Coward | more than 2 years ago | (#36658362)

Just FYI, immature people don't pay any attention to sex at all. Once they reach puberty and begin to mature, they begin to become interested in sex. Thus, by definition the use of sex IS mature.

Re:Why do we immediately assume GoDaddy will suck? (1)

mcavic (2007672) | more than 2 years ago | (#36655534)

Their site is slow and cumbersome, but I've never actually had any problems. I wouldn't mind switching to DynDNS, but I can't afford them for 30 domains.

Re:Why do we immediately assume GoDaddy will suck? (4, Informative)

Anonymous Coward | more than 2 years ago | (#36655052)

If their service slips, does that mean that they'll no longer shill bid on their own domain auctions, improperly block users from transferring domains to other registrars and arbitrarily suspend registrants like seclist.org? Anyone who uses GoDaddy as a registrar is ignorant of what they do.

Re:Why do we immediately assume GoDaddy will suck? (1)

Anonymous Coward | more than 2 years ago | (#36655104)

I'm not sure why we should immediately assume that GoDaddy will suck just because they were purchased by a private equity firm.

My impression is that private equity in the U.S. can only suck value out of companies. Seen a few and been part of one. Never once has it ended well for customers or the companies themselves. The P.E. firms always made out well though.

Anyone know of a private equity transaction that worked out better for customers?

Re:Why do we immediately assume GoDaddy will suck? (1)

rbrausse (1319883) | more than 2 years ago | (#36655240)

In 2005 I was an intern in subsidiary controlling at a German enterprise; one of the companies was merged with a US-based competitor, financed as a 50/50 deal with the Swedish P.E. firm EQT. What I experienced and heard is not so bad; the investor seems to be interested in the long term.

Today the founded company is healthy and still owned by the two founding/financing partners. No hard facts, but at least an anecdote :)

Re:Why do we immediately assume GoDaddy will suck? (1)

biodata (1981610) | more than 2 years ago | (#36655122)

investment equity firm .... long of a timeline

Do these two things really go together? I thought the game was to have an exit strategy so you could get your money out with a decent return as quickly as possible and find something else to invest in. I am not an equity investment firm, though.

Re:Why do we immediately assume GoDaddy will suck? (1)

Spazmania (174582) | more than 2 years ago | (#36655172)

GoDaddy had every intention of going public but choose not to because of how they would have had to report their earnings/recognize revenue. From what I remember they would essentially split the revenue of a domain registration out over the life of the domain registration as opposed to immediately upon payment.

Yeah, that's how the GAAP says you do it. http://en.wikipedia.org/wiki/Generally_Accepted_Accounting_Principles [wikipedia.org]

That's how you avoid a pyramid scheme where the finances fall apart when there's no longer enough new revenue to fund existing service commitments.

Re:Why do we immediately assume GoDaddy will suck? (1)

DarkOx (621550) | more than 2 years ago | (#36655520)

There is nothing stopping a public company from keeping multiple sets of books as well. Yes they have to follow GAAP rules when it comes to any information they make public but they can do revenue recognition however they like to produce their own financial statements for internal decision making.

Really, with computer accounting packages it's probably not even much work for anybody. I don't see what the big deal is unless the parent is correct and somebody knows they have real financial problems but the current accounting model conceals them.

Google it (2)

petteyg359 (1847514) | more than 2 years ago | (#36655030)

The Googlefu is clearly not with the poster.

Name.com shows quite prominently in the first page of results.

Re:Google it (0)

Anonymous Coward | more than 2 years ago | (#36655112)

So in true /. fashion, the correct post would be: Google [justfuckinggoogleit.com]

Re:Google it (1)

baerm (163918) | more than 2 years ago | (#36655670)

My googlefu may be poor. I'd like to think that since I did this a few months ago, it has become more available since then. But it could be that my searching just kind of sucked. I had two problems though. One is that of the places saying they support DNSSEC, I had a very difficult time figuring out what that meant (they'll let you enter records on their site, you can have records in your own DNS (duh), or you can actually upload your DS records to your parent in some fashion). For the most part it looked like I would have to register domains at registrars to find out.

Time (maybe even laziness) was the other issue, particularly after a few conversations with the help contacts at different places. I figured I didn't want to spend the time to go from one person who has no idea what DNSSEC is to the next, to another, to finally someone who knows what it is but tells me they don't support it. I was pretty discouraged. Godaddy was the first one I found that had online instruction about what they did (upload DS records using a web based tool) so I went with them. But I figured there must be other choices. It didn't occur to me to ask slashdot at the time. But it did when the godaddy buyout came up.

I remember numbers better than names (1)

countertrolling (1585477) | more than 2 years ago | (#36655274)

It would be a good idea to throw both GoDaddy and any other kind of centralized DNS out the window. In the long run, only ad hoc networks will be truly robust. Client-server of any kind is just too frail

GKG and InternetX support DNSSEC (3, Informative)

leto (8058) | more than 2 years ago | (#36655296)

I strongly recommend using GKG.net, as they have the best (automated) XML interface that I know of. See their documentation [gkg.net]

InternetX also has a good interface, but it is a little more complex to get going.

Those, as well as GoDaddy, which you can only process using ugly web scraping with BeautifulSoup and Mechanize, were the first ones we supported in our DNSSEC Signer product.

Paul Wouters, DNSSEC Evangelist at Xelerance

Re:GKG and InternetX support DNSSEC (1)

jroysdon (201893) | more than 2 years ago | (#36655652)

I second GKG.net [gkg.net] . I've used them for my domains. They were a little slow to add DNSSEC support for some of the gTLDs when each Registry turned up support, but once they added it, I've been in the process of moving domains back.

The only thing I see is they still don't support dot-MOBI. Not really a big deal, as that TLD domain appears to be a flop (wouldn't you want a mobile domain to be *shorter,* not longer?)

Re:GKG and InternetX support DNSSEC (0)

Anonymous Coward | more than 2 years ago | (#36656430)

Do they also do IPv6 glue?

Re:GKG and InternetX support DNSSEC (1)

FoolishOwl (1698506) | more than 2 years ago | (#36656924)

Yes. I was working through the Tunnelbroker.net "IPv6 Certification" exercises, and needed a registrar that offered IPv6 glue. GKG.net was at the top of a list of alternatives to GoDaddy.com that offered IPv6 glue.

Coming soon to Gandi (1)

Urza9814 (883915) | more than 2 years ago | (#36655536)

Gandi.net is in the process of adding DNSSEC support, though I'm not sure how exactly it will work. But they are without a doubt the best domain registrar I've ever found. Far better than GoDaddy. Might be worth waiting. They say it should be completed over the next few months.

Re:Coming soon to Gandi (0)

Anonymous Coward | more than 2 years ago | (#36656236)

I wouldn't hold your breath. Gandi has been saying that they will have DNSSEC for ages. It is getting pretty old at this point. Somehow they always find some other problem to tackle before rolling out the DNSSEC DS-registering code. ("First we have to revamp our core code before we can roll out this minor change to deal with DNSSEC.") At this point they have even stopped answering questions about status updates. Google "gandi dnssec" to see the various discussions on their wiki and forum pages.

http://wiki.gandi.net/questions/en/domains/how-do-i-enable-dnssec [gandi.net]

IPv6 (1)

Phs2501 (559902) | more than 2 years ago | (#36656452)

As an additional factor, who other than GoDaddy supports both DNSSEC and easy-and-prompt-to-configure IPv6 glue records? I specifically moved from Network Solutions to GoDaddy because it took NetSol weeks to set up my IPv6 glue. (Their interface at the time was "Email us at ipv6req@networksolutions.com and we'll get around to it eventually. Maybe." Maybe they've added it to their admin interface at this point...)

Re:IPv6 (1)

petteyg359 (1847514) | more than 2 years ago | (#36656832)

who other than GoDaddy supports both DNSSEC and easy-and-prompt-to-configure IPv6 glue records

Name.com, for one...

Re:IPv6 (1)

FoolishOwl (1698506) | more than 2 years ago | (#36656932)

GKG.net. I chose them originally because they offered IPv6 glue. There was no waiting; it was available as soon as I'd registered my domain name.

Who runs their DNS at the registrar? (0)

Anonymous Coward | more than 2 years ago | (#36656784)

I run my DNS off my hosting service and their servers fully support DNSSEC. Doesn't matter which registrar I use.

I have found DNS services from registrars tend to suck anyway. Low on features and high on down time.

Use your host's servers or your own servers if you have enough of them in various locations.

Re:Who runs their DNS at the registrar? (0)

Anonymous Coward | more than 2 years ago | (#36657160)

Yep. Especially places like Go Daddy. I mean who the fuck would trust Go Daddy for handling their DNS?!

Why DNSSEC? (1)

Smallpond (221300) | more than 2 years ago | (#36659348)

As I see it, we are handing over control of DNS to "trusted" certificate providers because regular DNS can be poisoned by a rogue DNS operator. Do we really believe that no nameservers with a valid certificate are rogues? Or that certified nameservers won't get compromised? I trust certificate authorities like Verisign to watch over me just like I trusted auditors from PwC when they gave AAA ratings to AIG.

What's going to happen is that once one nameserver gets compromised, it will be able to send signed updates to other nameservers. If a long enough chain is made it can operate for a long time before being tracked down and revoked. During that time it's business as usual for the phishers and pharmers with one difference. Once the bad cert is revoked and all of the DNS damage is undone, the DNSSEC champions will say "See, the system worked!". Which does nothing for the people who are out their money.

Re:Why DNSSEC? (1)

bWareiWare.co.uk (660144) | more than 2 years ago | (#36663922)

The chain of trust is only as long as the number of elements in the domain name. It is already common practice for banks and merchants to use 2nd/3rd-level domains so the chains are very short. I suppose technically your OS is an extra step in the chain (and often the easiest to compromise).

Once an organization has set up DNSSEC for their domains there are two main vulnerabilities:

The organization could allow its private keys to become public and then fail to revoke them. This is similar to their web server being compromised, and beyond the scope of DNSSEC.

A malicious third party could convince the managers of the parent domain that they were the organization, had lost their keys, and new ones should be issued. Given that total key loss should be extremely rare (normal secure rotating of keys is properly handled), proper off-line validation should be done. Even if/when this fails the new keys can be quickly revoked.

As there are several competing TLD providers, the quality of their validation should be a factor they are judged on.

easyDNS support (1)

Stunt Pope (3287) | more than 2 years ago | (#36660206)

We have it designated as "beta" right now, follow the status on http://easydnssec.com/ [easydnssec.com]

You can sign your zones, etc. What you cannot yet do is submit DS keys to the registries directly (we're working on it) - this is a "gotcha" of our using OpenHRS on our backend and we've been in extensive communications with Tucows about this. We're hoping to have this resolved by end-of-summer.

In the meantime we are using ISC's DLV as a workaround.
