Educause Security Discussion mailing list archives

Re: DNSSEC & the .EDU domain


From: Shumon Huque <shuque () ISC UPENN EDU>
Date: Mon, 18 Aug 2008 17:27:03 -0400

On Mon, Aug 18, 2008 at 04:33:47PM -0400, Valdis Kletnieks wrote:
> On Sun, 17 Aug 2008 21:23:14 MDT, Stephen John Smoogen said:
>
> > Well who is going to pay for the staff and systems to do the signing?
> > How much is required for the number of zones in the .edu domain space?

> A bit of clarification here.  All the people running the .edu zone have to sign
> is *the .edu zone*.  One zone. That's it (unless they have a *separate* service
> for hosting DNS for a school). So if somebody makes a request to the .edu
> nameservers, they will (for instance) get a reply back that says 'vt.edu SOA, 5
> NS entries, and DNSSEC signing of those 6 RRs'.

I might be nitpicking, but your description isn't entirely correct.

If VT.EDU is signed (and has a secure delegation from EDU), then querying
the EDU nameservers won't return DNSSEC signatures for VT.EDU's SOA and
NS records, or any glue address records for that matter. A secure
delegation is indicated by another record: DS (Delegation Signer) and
this is what needs to be signed in EDU. So the VT.EDU DS record in the
EDU zone would be signed. NS records for delegated zones and any
accompanying glue are not authoritative data (in the delegating zone),
so they aren't signed. The NS records _are_ authoritative in the
delegated (child) zone, so that is where they will be signed (using the
child's signing key(s)). So the VT.EDU zone will have signed SOA, NS, etc
records at its apex.

> They don't have to sign any
> of the bazillion entries in the vt.edu zone, that's *our* problem.  And if
> a few schools don't get onboard, it's only their domain that's not signed.
> There is no requirement that *all* the sub-zones also be signed.

Very true ..

> A bit of cleverness will show that it's possible (and in fact required) to
> do incremental updating of the signatures for the SOA/NS glue entries on
> a per-subdomain basis.  If it were required to "sign the entire zone", the
> time required to compute a signature across a .com zone that contains glue
> for the 140M+ .com domains would be prohibitively long (overlooking the
> fact that a signature across the entire zone would be cryptographically
> useless for anything other than a zone-transfer of the .com zone)...

Pre-NSEC3 DNSSEC did require signing all the authoritative data in the
same zone. With NSEC3 (RFC 5155) spans of records in a zone can be opted
out of signing - one of the features that .COM is planning to use.

--Shumon.
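The authoritative-versus-delegation distinction Shumon describes, worked through as an added example (not from this thread or any real zone data): a small classifier that, given the RRsets of a zone, says which ones receive an RRSIG in that zone. The EDU and VT.EDU record lists are constructed toy data, and the owner names are assumed to be normalised to lowercase without a trailing dot.

```python
# Constructed toy data: a few RRsets of the parent (EDU) zone and of the
# delegated child (VT.EDU) zone, as (owner, type) pairs.
EDU_ZONE = [
    ("edu", "SOA"), ("edu", "NS"), ("edu", "DNSKEY"),
    ("vt.edu", "NS"),          # delegation NS: not authoritative in EDU
    ("vt.edu", "DS"),          # Delegation Signer: authoritative in EDU
    ("ns1.vt.edu", "A"),       # glue below the cut: not authoritative in EDU
    ("upenn.edu", "NS"),       # delegation without a DS: insecure delegation
]
VT_EDU_ZONE = [
    ("vt.edu", "SOA"), ("vt.edu", "NS"), ("vt.edu", "DNSKEY"),
    ("ns1.vt.edu", "A"),       # authoritative here, so signed here
    ("www.vt.edu", "A"),
]


def _is_at_or_below(name, ancestor):
    """True if name equals ancestor or lies underneath it in the tree."""
    return name == ancestor or name.endswith("." + ancestor)


def delegation_points(apex, records):
    """Owner names (other than the apex) that carry an NS RRset, i.e. zone cuts."""
    return {owner for owner, rtype in records if rtype == "NS" and owner != apex}


def secure_delegations(apex, records):
    """Zone cuts that also carry a DS RRset in this (parent) zone."""
    cuts = delegation_points(apex, records)
    return {owner for owner, rtype in records if rtype == "DS" and owner in cuts}


def signed_rrsets(apex, records):
    """Return the RRsets that get an RRSIG in this zone.

    Authoritative data is signed. At a zone cut only the DS RRset is
    authoritative in the parent; the delegation NS RRset and any glue at or
    below the cut belong to the child and are left unsigned in the parent.
    """
    cuts = delegation_points(apex, records)
    signed = set()
    for owner, rtype in records:
        cut = next((c for c in cuts if _is_at_or_below(owner, c)), None)
        if cut is None:
            signed.add((owner, rtype))          # ordinary authoritative data
        elif owner == cut and rtype == "DS":
            signed.add((owner, rtype))          # the secure-delegation record
        # anything else at or below a cut is delegation NS or glue: unsigned
    return signed
```

Run it on the two constructed zones and the NS RRset for vt.edu comes out unsigned in EDU but signed in VT.EDU, which is exactly the split the post describes.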
