
Debian to start deploying DNSSEC

The Debian system administrators (DSA) have announced that they will soon be deploying DNSSEC for selected Debian zones. "The plan is to introduce DNSSEC in several steps so that we can react to issues that arise without breaking everything at once. [...] We will start with serving signed debian.net and debian.com zones. Assuming nobody complains loudly enough the various reverse zones and finally the debian.org zone will follow. Once all our zones are signed we will publish our trust anchors in ISC's DLV Registry, again in stages. [...] The various child zones that are handled differently from our normal DNS infrastructure (mirror.debian.net, alioth, bugs, ftp, packages, security, volatile, www) will follow at a later date." (Thanks again to Paul Wise.)

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:04 UTC (Tue) by bangert (subscriber, #28342)

Hhhm, I thought DSA with respect to Debian stands for Debian Security Announcement. A bit weird that they knowingly use the abbreviation in two different contexts.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 14:11 UTC (Tue) by jengelh (subscriber, #33263)

DSA is of course the Digital Signature Algorithm ;)

Debian to start deploying DNSSEC

Posted Feb 16, 2010 16:54 UTC (Tue) by rahvin (subscriber, #16953)

Google says it's the Direct Selling Association (or in other words Spammers).

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:12 UTC (Tue) by rahulsundaram (subscriber, #21946)

It's been the default since Fedora 11:

http://fedoraproject.org/wiki/Features/DNSSEC

A bit more complication, but hopefully it solves some issues.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:42 UTC (Tue) by jo42 (subscriber, #59640)

No, this announcement is not about shipping DNSSec capable software, as the page you've referenced describes, but using DNSSec for Debian itself, i.e. signing the DNS zone debian.org and so on.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:58 UTC (Tue) by rahulsundaram (subscriber, #21946)

I understand that fine and I was merely pointing out that since Fedora uses it by default these days, there have been some concerns over the additional complexity it brings.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 16:06 UTC (Tue) by rahulsundaram (subscriber, #21946)

Also, Fedora's infrastructure lead pointed out that Fedora has deployed it on its own servers for a few months now:

dig +dnssec +multiline -t key fedoraproject.org @ns1.fedoraproject.org

Debian to start deploying DNSSEC

Posted Feb 18, 2010 11:40 UTC (Thu) by akumria (subscriber, #7773)

As useful as that is, without a DS (delegated signer) record in .org (which is also signed) the fedoraproject is just an island of security.

Unless DLV (Delegation lookaside validation) is enabled in Fedora for fedoraproject.org no one is going to be benefiting.
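
The "island of security" point above comes down to whether the parent zone publishes a DS record that matches the child's key-signing DNSKEY. As an added illustration (not code from this thread, from Debian or from Fedora), the block below does the validator's side of that link offline: it derives the key tag and the SHA-256 DS digest from a DNSKEY exactly as RFC 4034 specifies, and reports "linked" or "island" depending on what the parent publishes. The zone name and DNSKEY bytes are constructed for the example, not real records.

```python
import hashlib

# Constructed sample (not a real key): DNSKEY RDATA for an imaginary KSK,
# flags=257, protocol=3, algorithm=8 (RSASHA256), plus a tiny fake public key.
SAMPLE_ZONE = "fedoraproject.org."
SAMPLE_DNSKEY_RDATA = bytes.fromhex("0101" "03" "08" "03010001aabbccdd")


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest(zone: str, dnskey_rdata: bytes) -> str:
    """Digest the parent publishes in a DS record: SHA-256 (digest type 2)
    over the canonical owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(zone) + dnskey_rdata).hexdigest()


def ds_matches(zone: str, dnskey_rdata: bytes, ds: tuple) -> bool:
    """Validator-side check of one DS record (key_tag, algorithm, digest_type,
    digest_hex) against the child's DNSKEY. Only digest type 2 is handled."""
    tag, alg, dtype, digest_hex = ds
    if dtype != 2 or alg != dnskey_rdata[3] or tag != key_tag(dnskey_rdata):
        return False
    return ds_digest(zone, dnskey_rdata) == digest_hex.lower()


def chain_of_trust_status(zone: str, dnskey_rdata: bytes, parent_ds: list) -> str:
    """'linked' when some DS in the parent matches this key; 'island' when the
    zone is signed but nothing in the parent points at it."""
    for ds in parent_ds:
        if ds_matches(zone, dnskey_rdata, ds):
            return "linked"
    return "island"


if __name__ == "__main__":
    ds = (key_tag(SAMPLE_DNSKEY_RDATA), 8, 2, ds_digest(SAMPLE_ZONE, SAMPLE_DNSKEY_RDATA))
    print("key tag", ds[0], "->", chain_of_trust_status(SAMPLE_ZONE, SAMPLE_DNSKEY_RDATA, [ds]))
```

With an empty parent DS set the status is "island": the zone's own signatures are valid, but nothing above it vouches for the key, which is the situation the comment describes.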

can't get signed by org yet

Posted Feb 19, 2010 15:21 UTC (Fri) by tialaramex (subscriber, #21167)

The org registry is not as yet (unless I'm out of date) offering to sign records of arbitrary members. When it does, either it will sign everything (in which case Fedora need take no special action) or it will advertise that this is available as a new service and some sysadmin at the Fedora project needs to get in touch. But right now it's "friends and family" testing only; if you didn't get an invite, they're not interested.

SecSpider shows the Fedora Project's DNSSEC records as live and not a testbed service, so evidently they're not as completely under the radar as you imagined.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 17:52 UTC (Tue) by dps (subscriber, #5725)

In the DNSSEC context DSA is a (specific) digital signature algorithm.

Actually using a DNSSEC protected zone is not difficult, but many resolvers do not know how to check signatures. AFAIK a signature aware resolver will check signatures without you configuring anything.

I believe bind 9 is likely to check signatures and glibc probably does not. If DNSSEC becomes popular this will probably change in due course.

Debian to start deploying DNSSEC

Posted Feb 17, 2010 13:28 UTC (Wed) by tialaramex (subscriber, #21167)

It is expected that many end users will ask a recursive DNS server (perhaps one in their household DSL router, or at an ISP, or in a corporate data centre) to perform the DNSSEC checks on their behalf, at least initially. This protects them from poisoning of a distant cache or impersonation of the DNS servers for a particular domain which previously had the potential to send millions of users to a bogus web site or whatever with just one good exploit.

Obviously if you want to actually be sure you should do all your own checks, but this costs CPU (fine in a PC but not in some embedded devices) and requires that you stay up to date with changes to the root keys (for most Linux users these will presumably be distributed as package updates like the timezone file updates) once the root is signed for real this summer.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds