JRDN
Jason Roysdon dot Net

Dot-ORG TLD Opened for DNSSEC Signing

June 24th 2010 in Networking, Security

The online world just became a little more secure yesterday. The dot-ORG (.org) top-level domain (TLD) just opened up the ability for the owner of a .ORG domain to have their zone's DNS Security Extensions (DNSSEC) Delegation Signer (DS) record published in the .ORG zone.

I won't go into all the details of what DNSSEC is, but you can search my site for DNSSEC and find many links.

What I will talk about is how this change affects security. Previously, I could use DNSSEC to sign my roysdon.org zone file, but nobody had a way to verify that the keys signing my data were the right ones. Anyone who wanted to attack users visiting my roysdon.org websites and had the ability to inject forged DNS responses could just as easily inject forged DNSKEYs and signatures for my zone records, and there was no chain of trust against which to vet them.

Now, I can submit a DS record into the .ORG zone via my Registrar. The DS record carries a digest, or one-way hash, of my key-signing DNSKEY record (together with the key's tag, algorithm number and the digest type used). If you obtain my DNSKEYs from roysdon.org, you can compute the same SHA-1 or SHA-256 digest, depending on the digest type, over the owner name and DNSKEY data and verify that it matches what .ORG publishes in my DS records.
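As an added example (not the author's tooling, and the DNSKEY below is a constructed placeholder whose "public key" bytes are not a real RSA key), here is the DS computation spelled out in Python: the digest is SHA-1 or SHA-256 as selected by the DS digest-type field, taken over the owner name in canonical wire form followed by the DNSKEY RDATA, and the 16-bit key tag that travels with it is only a checksum for picking the right key out of the DNSKEY RRset. `ds_matches` does what a validating resolver does when it compares the DS it fetched from .ORG against the DNSKEY it fetched from roysdon.org; the hypothetical names `name_to_wire`, `ds_record` and `ds_matches` are mine.

```python
"""Compute and check a DS record from a DNSKEY (RFC 4034 section 5, Appendix B).

Added example for this post; not the author's tooling. The DNSKEY used below
is a constructed stand-in (four placeholder bytes instead of an RSA key) so
the key-tag arithmetic can be checked by hand; the owner name roysdon.org is
the one from the post.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, each length-prefixed,
    terminated by the root label. DS digests are taken over this form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> tuple:
    """Split a DNSKEY in presentation form ('257 3 8 <base64>') into its fields;
    the base64 may be broken into several whitespace-separated chunks."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[3:]))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA, not a hash,
    used only to select a key from an RRset before doing real crypto."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex), the four DS fields
    a registrar asks for. The digest covers canonical owner name + DNSKEY RDATA,
    so the same key under a different owner name yields a different DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches(ds: tuple, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """Validator-side check: recompute the DS from the child's DNSKEY and compare
    it with what the parent publishes. Tag, algorithm and digest must all agree."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: this DS cannot be used for validation
    return ds_record(owner, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest)


# Constructed KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSASHA256),
# base64 "AAECAw==" decodes to the placeholder bytes 00 01 02 03.
FAKE_KSK_TEXT = "257 3 8 AAECAw=="

if __name__ == "__main__":
    flags, proto, alg, pub = parse_dnskey(FAKE_KSK_TEXT)
    ds = ds_record("roysdon.org", flags, proto, alg, pub)
    print("roysdon.org. IN DS %d %d %d %s" % ds)
    print("validates against the DNSKEY:", ds_matches(ds, "roysdon.org", flags, proto, alg, pub))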

It sounds pretty technical, and it is, especially key management: rolling KSKs and ZSKs forward and keeping the private keys secure, which I was working on just last night. However, here is a nice graphical representation of DNSSEC generated by DNSViz.

[Figure: roysdon.org DNSSEC chain of trust, as drawn by DNSViz]

On the top-left you see the root "." zone. It is currently signed, but the key needed to verify its signatures has not yet been published; publication is scheduled for July 2010. On the top-right you see the dlv.isc.org zone, ISC's DNSSEC Look-aside Validation (DLV) registry, which is an alternative way to introduce trust anchors (TAs). Below each you see the .ORG zone and the chains of trust (or the lack of one to the root), flowing down to my roysdon.org zone. The DLV is a TA for both the .ORG and roysdon.org zones, and it was the TA for roysdon.org before the .ORG zone was signed a year ago.

If you have a .ORG domain and want to get your zone signed with DNSSEC so no one can spoof bad DNS data and redirect your users to their false webservers, here are the steps:
First, see if your current domain Registrar is one of 13 .ORG Registrars that are supporting DNSSEC right now: http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc

If your .ORG domain Registrar is not listed as providing DNSSEC support, transfer your domain to GoDaddy or one of the other 12 .ORG Registrars with DNSSEC support. I've used GoDaddy's interface and it just works.

Then generate your keys, sign your zone, and give your Registrar your DS record. Anyone running a validating resolver with DNSSEC enabled and the ICANN Interim Trust Anchor Repository (ITAR) keys loaded will have the .ORG key and follow the chain down to your domain. Anyone using a DLV registry will also find the .ORG key and follow the chain to your domain (there is no longer any need to register .ORG domains in a DLV, since .ORG is signed and its key is included there as a TA).

Full support will come once the root zone is signed and its key published; then the ICANN ITAR will no longer be needed, and as more TLDs become signed the DLVs will not be needed at all.

Further, if you want to host DNSSEC zones without handing out a full directory of every name in them (via zone walking of the NSEC chain), you need to sign with NSEC3, which Windows Server 2008 R2 does not support, so you'll want BIND 9.6+ or another DNS server that does. Keep in mind that NSEC3 hashes the names rather than hiding them: an attacker can still walk the hashed chain and run an offline dictionary attack against it, so it raises the cost of enumeration rather than eliminating it. The only place I can see plain NSEC being acceptable is for 100% publicly available informational zones (like the root, and TLDs that have no "private" registrations).
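To make the zone-walking point concrete, here is an added example (not the author's zone or tooling; the zone name, host labels, salt and iteration count are all constructed for illustration, and the function names are mine) of the NSEC3 owner-name hash from RFC 5155 section 5, the sorted hashed chain a walker can collect, and the offline dictionary attack that NSEC3 does not prevent: because the hash is unkeyed and the salt is published in NSEC3PARAM, guessed labels can be hashed locally and checked against the collected chain without any further queries.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and the attack it does not stop.

Added example for this post, not the author's zone or tooling. Zone name,
labels, salt and iteration count below are all constructed for illustration.
"""
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), which NSEC3
# uses so that hashed names sort in the same order as the raw digests.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, root label included."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(0) = SHA1(owner || salt); IH(k) = SHA1(IH(k-1) || salt), repeated
    `iterations` extra times. The 20-byte result becomes the 32-character
    base32hex label that is the NSEC3 RR's owner name."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_chain(zone: str, labels, salt: bytes, iterations: int) -> list:
    """What a signer publishes and a walker can collect: the hashed owner names,
    sorted, each NSEC3 RR covering the gap to the next. The apex is the empty
    label. Walking yields these hashes, not the names behind them."""
    names = [zone if l == "" else f"{l}.{zone}" for l in labels]
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def dictionary_attack(zone: str, chain, candidates, salt: bytes, iterations: int) -> list:
    """Offline attacker holding the walked chain and a wordlist. Each guess costs
    iterations+1 SHA-1 calls and zero queries to the authoritative server;
    returns the guessed labels that exist in the zone, in wordlist order."""
    present = set(chain)
    return [c for c in candidates if nsec3_hash(f"{c}.{zone}", salt, iterations) in present]


# Constructed zone: apex plus a few hosts, one of them deliberately unguessable.
ZONE = "example.org"
LABELS = ["", "www", "mail", "ns1", "k7q2xv9"]
SALT = bytes.fromhex("aabbccdd")  # constructed; in practice published in NSEC3PARAM
ITERATIONS = 12                    # constructed; also published in NSEC3PARAM
WORDLIST = ["www", "mail", "ftp", "ns1", "ns2", "vpn", "dev", "admin"]

if __name__ == "__main__":
    chain = nsec3_chain(ZONE, LABELS, SALT, ITERATIONS)
    print("hashed chain a walker sees:", chain)
    print("labels recovered by wordlist:", dictionary_attack(ZONE, chain, WORDLIST, SALT, ITERATIONS))
```

The point of the last function is the caveat: a random label like k7q2xv9 survives the wordlist, the predictable ones do not, and raising the iteration count only multiplies the attacker's cost by the same factor it multiplies every validating resolver's cost.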

--

Update, July 4, 2010: NeuStar has had Dot-US signed since December 8th, 2009, and began accepting DS records on June 7th, 2010, according to Question 7 of the NeuStar DNSSEC FAQ. However, it doesn't look like any Registrars support DNSSEC DS records for Dot-US yet, or at least GoDaddy doesn't, and I'd expect them to lead the market with support. NeuStar estimates that Registrants (owners of dot-US domains, like me) will be able to add DS records with Registrars (like GoDaddy) for submission into the dot-US zone in Q3 2010, according to Question 9 of the NeuStar DNSSEC FAQ.

NeuStar will sign dot-BIZ on July 8th, and start accepting DS records for dot-BIZ on August 1st, per dates posted by NeuStar.

NeuStar has some nice graphics of what is required to get DNSSEC working for everyone and a short high-level primer on DNSSEC.


One comment to “Dot-ORG TLD Opened for DNSSEC Signing”
Jason

It's nice to see that Dot-US now has its DS key in the root: http://dnsviz.net/d/us/dnssec/. Still awaiting Registrar support for end-users.

But Dot-ORG's DS key has been in the root for some time prior, and as Dot-ORG already had Registrar support for end-users, my roysdon.org domain now has a trusted path from the root to my servers.

