DNSSEC finally goes mainstream
VeriSign enables more secure tech on .com top-level domain
DNSSEC, a more secure version of the internet domain name to IP address lookup protocol, was enabled on the .com top-level domain on Thursday.
The move by VeriSign, the operator of .com, marks an important milestone in the adoption of the technology, now accessible to 80 million registered domains.
The internet's root servers at the top of the DNS (Domain Name System) hierarchy added DNSSEC support last July. More than 25 top-level domains—including .gov, .org, .edu and .net—have enabled DNSSEC since then.
DNSSEC, or DNS Security Extensions, uses cryptographic checks to make sure that IP results returned by a DNS query point to the corresponding domain name. The technology is a countermeasure against DNS cache-poisoning attacks, such as those famously highlighted by security researcher Dan Kaminsky back in 2008.
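The chain-of-trust check behind the article's point, as an added example (not code from the article or from VeriSign): a validating resolver accepts a zone's DNSKEY only if it hashes to the DS record its parent publishes, which is exactly what signing .com in the root, and registrants' DS records in .com, establishes. Everything below (owner name, flags, key bytes and the resulting DS tuple) is constructed for illustration, not real .com key material.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, length-prefixed, root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.lower().encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 is SHA-1 (RFC 4034), type 2 SHA-256 (RFC 4509)."""
    algo = {1: "sha1", 2: "sha256"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()

def ds_matches(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes, ds: tuple) -> bool:
    """True if the child's DNSKEY is the key the parent's DS (key_tag, algorithm, digest_type, digest_hex) commits to."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag, alg, dtype, digest_hex = ds
    if protocol != 3 or not flags & 0x0100:   # must be a zone key (ZONE flag set)
        return False
    if key_tag(rdata) != tag or algorithm != alg:   # key tag only selects a candidate key
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), bytes.fromhex(digest_hex))  # the real check

# Constructed demo key (not a real key): KSK flags 257, algorithm 8 (RSA/SHA-256), toy key bytes.
DEMO_OWNER, DEMO_FLAGS, DEMO_ALG, DEMO_KEY = "example.com.", 257, 8, b"\x01\x02\x03\x04"

def demo_ds() -> tuple:
    """What the parent zone would publish for the demo key: (key_tag, algorithm, digest_type 2, SHA-256 hex)."""
    rdata = dnskey_rdata(DEMO_FLAGS, 3, DEMO_ALG, DEMO_KEY)
    return (key_tag(rdata), DEMO_ALG, 2, ds_digest(DEMO_OWNER, rdata, 2).hex())

if __name__ == "__main__":
    ds = demo_ds()
    print("genuine key validates:", ds_matches(DEMO_OWNER, DEMO_FLAGS, 3, DEMO_ALG, DEMO_KEY, ds))
    # A different key with the same 16-bit key tag (swapped words): only the digest catches it.
    print("colliding-tag key validates:", ds_matches(DEMO_OWNER, DEMO_FLAGS, 3, DEMO_ALG, b"\x03\x04\x01\x02", ds))
```

The second call shows why the key tag is a lookup hint and not a security check: two distinct keys can share a tag, and only the digest comparison against the parent's DS decides.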
The technology has existed for more than a decade and is seen as an important safeguard against certain types of "man in the middle" and cache-poisoning attacks. Despite its longevity, awareness of the importance of the protocol remains patchy.
For example, half the security experts quizzed in a recent survey by internet security firm IID (Internet Identity) admitted they either knew nothing about DNSSEC or only had limited familiarity with the protocol. ®
please apply clue
What are "IP results returned by a DNS query"?
Last time I checked, a DNS query returned resource records. Some of these might represent IP addresses.
Oh and it's not just .com that got signed yesterday. .net did too. Both TLDs use the same back-end registry.
Paris icon because her back-end regularly gets lookups.
Re: Paris icon because her back-end regularly gets lookups.
That made me chuckle.
+1 Internets for you!
Can't blame hacks for getting facts wrong...
... when over half the "security experts" in fact know nothing and unsurprisingly aren't very effective at this "delivering security" thing. Predictably, you end up with a lot of cargo culting.
Of course it's often enough the hacks that propel attention seekers to "expert" or even "guru" status without much checking or balancing at all. But that's a different discussion.
I for one know what DNSsec is and what it does but that's about it. Oh, and that there's a lot of contention about whether the solution is any good or fit for purpose or whatever. And of course there's an alternative by DJB that is better in some really narrow technical aspects but probably a lot worse for real-world use, as most of his code tends to be.
DNS is amazingly resilient, like how a certain ISP had half its servers answer with port zero (really) in the packets and they never noticed (really). Or how the IPv6 bunch badly borked the DNS design by inventing AAAA (_and_ A6) records instead of moving over to an inet6 domain. There's a reason multiple domains exist, and this is it, you know. So I'm not surprised DNSsec is such a bodge.
But then, we recently were forced to conclude (again, really) that the PKI is a complete crock. And as for PGP/GPG, read _why johnny can't encrypt_. That's the state of using crypto these days. What bothers me most, though, is the active refusal of (especially certain high-profile) "security consultants" to even consider the political ramifications of forcing governments to do anything, like signing the root. Yes, ICANN is still very much a government puppet, as much as everyone would like to deny it. Playing the ostrich doesn't make that go away. We simply can't afford to ignore elephants like that.
For now, likely nothing will happen. But building a threat of impending balkanisation right into your infrastructure isn't the smartest or most forward-looking thing to do.