DNS security @ CSAIL
DNSsec is a technology for ensuring the authenticity of DNS information using public-key signatures. Deployment of DNSsec is proceeding somewhat slowly on the global scale, but some significant "islands of security" are beginning to emerge. It is anticipated that the root of the DNS, as well as the .arpa infrastructure domain, may be signed by the end of 2008, if the U.S. government does not decide to obstruct further implementation. Several top-level domains, including .br, .se, and .pr, are now signed, as are the .in-addr.arpa domains for networks delegated to RIPE, the European Regional Internet Registry. However, until such time as the root is signed and includes secure delegations of those domains, clients wishing to verify the signatures must maintain their own copies of those domains' public keys as trust anchors.
Systems running CSAIL Debian are pre-configured to verify signatures for a variety of domains whose signing keys could be verified by TIG. See the file /etc/bind/trusted-keys.conf for a complete list. CSAIL's recursive resolvers (ns0, ns1, ns2, and ns3) are also configured in this way, but because there is no secure channel between a client and the recursive resolver, clients should not treat results from these servers as authenticated.
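The trust-anchor arrangement described above, shown as an added example that is not the CSAIL configuration: a BIND 9 fragment that turns on local validation and loads anchors from /etc/bind/trusted-keys.conf. The zone name and key value in the anchor entry are constructed placeholders, not real keys.

```conf
// Added example, not the CSAIL configuration. BIND 9 named.conf fragment:
// this resolver validates DNSSEC signatures itself against locally
// configured trust anchors, rather than trusting the AD flag in answers
// from another resolver reached over an unprotected channel.
options {
    dnssec-enable yes;        // serve/accept DNSSEC records (older BIND 9 releases)
    dnssec-validation yes;    // validate answers against configured trust anchors
};

// Anchors live in their own file so they can be rolled without touching named.conf.
include "/etc/bind/trusted-keys.conf";

// ---- contents of /etc/bind/trusted-keys.conf ----
// One entry per signed "island": zone name, DNSKEY flags (257 = key-signing key),
// protocol (always 3), algorithm number (5 = RSA/SHA-1), and the base64 public key.
// The entry below is a constructed placeholder; real anchors must be obtained
// from the zone operator over an authenticated path (as TIG did for CSAIL Debian).
trusted-keys {
    "example.test." 257 3 5 "PLACEHOLDER-BASE64-KSK-REPLACE-ME";
};
```

A stub client that only reads the AD flag from a remote recursive resolver (such as ns0 through ns3) gets none of this assurance unless its channel to that resolver is itself protected.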
Signing CSAIL zones
Starting October 19th, 2007, many CSAIL zones are signed. See the attachment below for a list of CSAIL public keys in BIND format. Currently, only zones managed by WebDNS are signed; other zones remain unsigned until we develop a mechanism for automatically re-signing manually-maintained zones. The zones which are signed include csail.mit.edu and 30.128.in-addr.arpa. We maintain backup key-signing keys, which are included in the list below, on a secure machine in case the master nameserver is compromised.
--
GarrettWollman - 24 Oct 2007