DNSSEC - does it exist?

Chris Drake christopher at pobox.com
Mon Oct 23 13:54:17 UTC 2006


Hi Jeroen,

Has anyone considered the interim solution of allowing sites to use
their SSL keys and certificates for signing their DNS responses?

I'm not 100% up-to-speed on "look-aside", but the spec reads:
  "DNSSEC itself will be used to authenticate the DLV RRs."
so it looks like it's not relevant to the kind of situations we're
talking about (usually a 2LD, like "example.com", and not something
like labs.techaware.refusesToPublishDNSSEC.somecompany.com).

Or - until the DoC and Verisign sort out their political squabbling,
DNSSEC isn't really secure?

If I'm wrong - how does my Windoze box with my shiny new DNSSEC
resolver know that my ISP's DNS servers got hacked, when the IP
address for PayPal is now in some zone that doesn't use DNSSEC (or
worse - is now using a self-signed certificate on its new Korean IP
addresses)?

Kind Regards,
Chris Drake


Monday, October 23, 2006, 8:49:44 PM, you wrote:

JM> Chris Drake wrote:
>> Hi,
>> 
>> DNSSEC has been mentioned a few times.  It seems to be a way for
>> authoritative servers to digitally sign DNS replies - with the intent
>> that client resolvers check signatures - including (as far as I can
>> tell) the whole chain up to the "root" zone.
>> 
>> What I can't find is any obvious mention of who the root is, nor how
>> I'd get my keys "signed" by them, nor how a client resolver (e.g. a
>> potential victim's Windows XP box) might install a root key - which
>> leads me to believe there are no DNSSEC root authorities yet, and thus
>> this protocol doesn't exist.

JM> Currently the root is not signed yet, but various folks are working on
JM> getting this in place. In the meantime you can use a look-aside
JM> mechanism, e.g. using http://www.iks-jena.de/leistungen/dnssec.php

JM> For more information see:
JM> http://www.dnssec-deployment.org/
JM> especially
JM> http://www.dnssec-deployment.org/howdoi/DNSSECGuides.htm
JM> and for instance:
JM> http://www.circleid.com/posts/dnssec_deployment_at_root/

JM> rest google(dnssec deployment)

JM> Greets,
JM>  Jeroen
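As an added illustration (not part of the thread, and not any real resolver's code), a toy Python model of the validator decisions the thread is circling: with an unsigned root there is no trust anchor above example.com, a look-aside (DLV) registry can stand in for the missing DS chain, and a zone covered by neither gets RFC 4033 status "insecure", which is exactly why a forged answer for such a zone goes unnoticed. Zone names, keys and the hash-based stand-in for RRSIG are constructed for the example.

```python
import hashlib

# Constructed toy data, not real zones or keys. A "signature" here is
# sha256(key | rrdata); real DNSSEC uses RRSIG records made with RSA/ECDSA,
# but the chain-of-trust decisions below are the ones a validator makes.
ZONE_KEYS = {".": "root-key", "com.": "com-key",
             "example.com.": "example-key", "somecompany.com.": "some-key"}
# Zones whose parent publishes a DS record vouching for their key.
DS_PUBLISHED = {"com.", "example.com."}
# Look-aside (DLV) registry: zone -> key. Trusted only because the validator
# is configured with the registry operator's key as a trust anchor.
DLV_REGISTRY = {"example.com.": "example-key"}

def sign(key, rrdata):
    return hashlib.sha256(f"{key}|{rrdata}".encode()).hexdigest()

def chain_from_root(name):
    """'example.com.' -> ['.', 'com.', 'example.com.']"""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def validate(name, rrdata, rrsig, anchors, dlv):
    """Return 'secure', 'insecure' or 'bogus' (RFC 4033 terms) for one RRset."""
    trusted_key = None
    for zone in chain_from_root(name):
        if zone in anchors:                              # configured trust anchor
            trusted_key = ZONE_KEYS[zone]
        elif trusted_key is not None and zone in DS_PUBLISHED:
            trusted_key = ZONE_KEYS[zone]                # secure parent vouches via DS
        elif zone in dlv:
            trusted_key = dlv[zone]                      # look-aside registry vouches
        else:
            trusted_key = None                           # nobody vouches from here down
    if trusted_key is None:
        return "insecure"          # unsigned zone: a forged answer is indistinguishable
    return "secure" if rrsig == sign(trusted_key, rrdata) else "bogus"

def demo():
    no_root_anchor = set()                               # the 2006 situation
    good = sign("example-key", "A 192.0.2.10")
    forged = sign("attacker-key", "A 198.51.100.7")
    return {
        "no anchor, no DLV":      validate("example.com.", "A 192.0.2.10", good, no_root_anchor, {}),
        "DLV, genuine answer":    validate("example.com.", "A 192.0.2.10", good, no_root_anchor, DLV_REGISTRY),
        "DLV, forged answer":     validate("example.com.", "A 198.51.100.7", forged, no_root_anchor, DLV_REGISTRY),
        "DLV, zone not enrolled": validate("somecompany.com.", "A 198.51.100.7", forged, no_root_anchor, DLV_REGISTRY),
        "signed root, forged":    validate("example.com.", "A 198.51.100.7", forged, {"."}, {}),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:24s} -> {status}")
```

The "DLV, zone not enrolled" case is Chris's scenario: the forged record sits in a zone no anchor reaches, so the validator reports "insecure" rather than "bogus" and cannot flag the hijack.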
