Educause Security Discussion mailing list archives
Re: DNSSEC & the .EDU domain
From: Shumon Huque <shuque () ISC UPENN EDU>
Date: Mon, 18 Aug 2008 17:27:03 -0400
On Mon, Aug 18, 2008 at 04:33:47PM -0400, Valdis Kletnieks wrote:
On Sun, 17 Aug 2008 21:23:14 MDT, Stephen John Smoogen said:
Well who is going to pay for the staff and systems to do the signing? How much is required for the number of zones in the .edu domain space?
A bit of clarification here. All the people running the .edu zone have to sign is *the .edu zone*. One zone. That's it (unless they have a *separate* service for hosting DNS for a school). So if somebody makes a request to the .edu nameservers, they will (for instance) get a reply back that says 'vt.edu SOA, 5 NS entries, and DNSSEC signing of those 6 RRs'.
I might be nitpicking, but your description isn't entirely correct. If VT.EDU is signed (and has a secure delegation from EDU), then querying the EDU nameservers won't return DNSSEC signatures for VT.EDU's SOA and NS records, or any glue address records for that matter. A secure delegation is indicated by another record: DS (Delegation Signer), and this is what needs to be signed in EDU. So the VT.EDU DS record in the EDU zone would be signed. NS records for delegated zones and any accompanying glue are not authoritative data (in the delegating zone), so they aren't signed. The NS records _are_ authoritative in the delegated (child) zone, so that is where they will be signed (using the child's signing key(s)). So the VT.EDU zone will have signed SOA, NS, etc. records at its apex.
They don't have to sign any of the bazillion entries in the vt.edu zone, that's *our* problem. And if a few schools don't get onboard, it's only their domain that's not signed. There is no requirement that *all* the sub-zones also be signed.
Very true ..
A bit of cleverness will show that it's possible (and in fact required) to do incremental updating of the signatures for the SOA/NS glue entries on a per-subdomain basis. If it were required to "sign the entire zone", the time required to compute a signature across a .com zone that contains glue for the 140M+ .com domains would be prohibitively long (overlooking the fact that a signature across the entire zone would be cryptographically useless for anything other than a zone-transfer of the .com zone)...
Pre-NSEC3 DNSSEC did require signing all the authoritative data in the same zone. With NSEC3 (RFC 5155) spans of records in a zone can be opted out of signing - one of the features that .COM is planning to use. --Shumon.
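The delegation rule described in the reply above (DS signed in the parent, delegation NS and glue unsigned there, the child signing its own apex), as an added example that is not part of the thread: a small Python model that tags each RRset of a zone with its RRSIG status. The zone names and records are constructed sample data.

```python
# Added illustration, not from the thread: which RRsets carry RRSIGs at a
# DNSSEC zone cut, following the authoritative-data rule (RFC 4035 sec. 2.2).
# Names are lowercase with no trailing dot; delegations are the child apexes
# the zone delegates.

def in_zone(name, apex):
    """True if name is apex itself or a descendant of apex."""
    return name == apex or name.endswith("." + apex)

def rrsig_status(owner, rtype, apex, delegations):
    """Return 'signed' for an RRset the zone 'apex' signs, else why it does not."""
    if not in_zone(owner, apex):
        raise ValueError(f"{owner} is not inside zone {apex}")
    # Is the owner at or below one of this zone's delegation points?
    cut = next((d for d in delegations if in_zone(owner, d)), None)
    if cut is None:
        return "signed"                        # ordinary authoritative data, incl. apex SOA/NS
    if owner == cut:
        if rtype == "DS":
            return "signed"                    # DS is authoritative in the parent
        if rtype == "NS":
            return "unsigned: delegation NS"   # authoritative only in the child zone
    return "unsigned: glue"                    # data below the cut is not authoritative here

def plan_zone(apex, records, delegations):
    """Map every (owner, rtype) of a zone to its RRSIG status."""
    return {(o, t): rrsig_status(o, t, apex, delegations) for o, t in records}

# Constructed sample data: a fragment of EDU delegating VT.EDU, and VT.EDU itself.
EDU_RECORDS = [("edu", "SOA"), ("edu", "NS"), ("edu", "DNSKEY"),
               ("vt.edu", "NS"), ("vt.edu", "DS"), ("ns1.vt.edu", "A")]
VT_RECORDS = [("vt.edu", "SOA"), ("vt.edu", "NS"), ("vt.edu", "DNSKEY"),
              ("ns1.vt.edu", "A"), ("www.vt.edu", "A")]

if __name__ == "__main__":
    for apex, recs, dels in (("edu", EDU_RECORDS, {"vt.edu"}), ("vt.edu", VT_RECORDS, set())):
        print(f"zone {apex}:")
        for (owner, rtype), status in plan_zone(apex, recs, dels).items():
            print(f"  {owner:<12} {rtype:<7} {status}")
```

Note that the same `vt.edu NS` RRset is reported unsigned in the EDU zone and signed in the VT.EDU zone, which is exactly the distinction drawn above.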