Subject: DNSSEC - does it exist?

Olaf M. Kolkman olaf at NLnetLabs.nl
Tue Oct 24 06:53:28 UTC 2006



Hello,

This mail was forwarded to me, I am not on this particular list and  
may miss a bit of context but allow me to try to answer your question.

> DNSSEC has been mentioned a few times.  It seems to be a way for
> authoritative servers to digitally sign DNS replies - with the intent
> that client resolvers check signatures - including (as far as I can
> tell) the whole chain up to the "root" zone.
>

Exactly.

The way DNSSEC works is that you configure so-called 'trust anchors'
from which chains of trust are built that follow the delegation
structure. Those trust anchors can hook in anywhere in the DNS tree,
but in the ideal case you need only one trust anchor: the one that
maps to the root.


> What I can't find is any obvious mention of who the root is, nor how
> I'd get my keys "signed" by them, nor how a client resolver (eg: a
> potential victim's Windows XP box) might install a root key - which
> leads me to believe there's no DNSSEC root authorities yet, and thus
> this protocol doesn't exist.
>

The DNS root (the zone that contains all delegations to top-level  
domains such as .com, .net and .nl) is not yet signed. But you can  
install trust anchors for a few other domains. DNSSEC has been  
deployed on a number of in-addr.arpa domains and the .se TLD.  
Deployment is picking up slowly.

Now, the maintenance of all these separate keys might be troublesome.  
There is a 'hack' that might help. It is called DLV and is  
implemented in BIND. See draft-weiler-dnssec-dlv for a description of  
the technology.


> Am I wrong?  (I hope so!!! - and if I am - where/how do I submit my
> DNSSEC CSR? - this is a really cool idea)

CSR is not the terminology used in the DNS world. A certificate
signing request would map to the request to add a so-called DS RR to
the zone of your DNS parent. The DS points to the next key in the
chain of trust.

What you can do currently is put your information in _your_ zone and
then go to your registry and request a DNSSEC delegation. I think
that one of the problems of deployment is that there are few folk
that actually ask their registries for secure delegation.

This was a bit concise maybe. I'd be happy to expand on the issue and  
answer specific questions. Please CC me as I am not subscribed to  
this list.

-- Olaf (DNSSEC evangineer :-) ) 


-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/


