Opened 8 years ago

Last modified 6 years ago

#3664 assigned Bug/Something is broken

using DNSSEC to sign our .org domains

Reported by: Daniel Kahn Gillmor
Owned by: Daniel Kahn Gillmor
Priority: Medium
Component: Tech
Keywords: dnssec
Cc:
Sensitive: no


This is mainly a tracking ticket, because global support for DNSSEC is likely still a long way off.

However, I wanted to note what needs doing.

We'll need to look into signing at least one of our own zones. It's not clear that this is doable directly with djbdns or the dbndns fork. We might want to look into something like phreebird, an online signing-proxy by Dan Kaminsky for DNSSEC.

This would require registering our zone signing key as some form of glue record, I think, and not all registrars support injecting that kind of glue at the moment (Gandi claims that they will add support in the first half of 2011).

Change History (3)

comment:1 Changed 8 years ago by Daniel Kahn Gillmor

I should also note here that dnscurve looks like an interesting technical alternative to DNSSEC (they don't appear to be mutually exclusive), but I haven't seen any public implementations yet, and the root zone is signed by DNSSEC but probably will not be signed via the dnscurve proposal in the near future :(

comment:2 Changed 8 years ago by Jamie McClelland

Not having explored the details ... phreebird on the face of it seems like an elegant way to handle dnssec signing. We keep dbndns untouched and have another separate piece handle the signing parts.

Not sure dnscurve is worth the effort right now - I think we'll have our hands full implementing dnssec.


comment:3 Changed 6 years ago by Ross

Status: new → assigned
