May 06, 2010
 

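DNS poisoning has been a known security problem for a long time, but there has never been a really good way to solve it. The closest thing to a once-and-for-all solution is DNSSEC, but deploying it requires implementing the security protocol across all DNS communication, which is about as hard as rebuilding the entire DNS ecosystem, so no vendor has ever pushed it. DNS security problems have therefore simply been ignored, with everyone turning a blind eye.

While browsing articles over the last couple of days I ended up on the ICANN website and found that the DNSSEC deployment timeline they published is almost up: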

Planned High Level Timeline

  • December 1, 2009: Root zone signed for internal use by VeriSign and ICANN.  ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
  • January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
  • Early May, 2010: All root servers are now serving the DURZ.  The effects of the larger responses from the signed root, if any, would now be encountered.
  • May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
  • July 1, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available.

 

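According to this timeline, from July 1 the root zone should be able to carry DNSSEC query traffic for the entire Internet.

Judging from the article published just today, "Status Update, 2010-05-05", the folks deploying DNSSEC have already put in place an implementation-ready dummy root zone, the Deliberately Unvalidatable Root Zone (DURZ). Over the coming period they will observe and study the DNSSEC traffic and decide whether to move it on into production.

Simply put, DNSSEC is imminent. If all goes well, in two months we will have a secure and robust DNS system, and we will then be able to place our own domain names under the protection of security-certificate signatures, guarding them against DNS poisoning and other DNS security problems. Ironically, July 1 happens to be the birthday of a certain political party that has long devoted itself to obstructing and sabotaging the flow of information on the Internet; I hope its expression is not too ugly when it receives this gift that day.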

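  15 Responses to “DNSSEC Is Imminent”

  1. Came here from a Baidu search... just joining in the fun...

  2. So many people posting filler

  3. The house is about to burst from the crowd, so I stood by the window and did a Lei Feng-style good deed while I was at it. I casually poked through the paper on the window to look at Lao Qi's whatever-it-is.

  4. Does the author work at a carrier or a big company? Ordinary people generally have no use for these things.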

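  5. Author, just having the root servers implement DNSSEC can't solve the problem, can it? Lately the "Kung Fu Net" (GFW) has gone crazy and Google SSL is basically unusable, which forced me to install BIND 9.8 on XP myself. DNSSEC is configured and tests fine, and the DS records returned for all the root domains are fine too, but when I query Google or Twitter domain names, sometimes it's fine and sometimes it's poisoned. I suppose that's because the authoritative DNS servers of Google, Twitter and the like haven't implemented DNSSEC?

  6. The reason is that DNS poisoning directly intercepts and injects forged DNS responses, so even with a DNS server you run yourself, as long as the traffic passes through a certain device it will still be affected. Waiting for Google/Twitter to implement DNSSEC on their own domains would indeed solve it, but who knows how long that will take.
    I've heard elsewhere that only UDP DNS requests get poisoned; you could try configuring your BIND to use TCP only and see. It's just an idea, I haven't tried it myself.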
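
The point raised in comments 5 and 6, that a signed root does not protect a zone whose own delegation is unsigned, can be seen in the sketch below. It is an added example, not code from the post or its commenters: the zone names and key bytes are constructed, only the DS-to-DNSKEY digest link (RFC 4509, digest type 2) is checked, and RRSIG verification and the signed proof of DS absence are left out.

```python
import hashlib
import struct

def wire_name(name):
    """Encode a domain name in DNS wire format, lowercased as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire format) || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_status(qname, zones, anchor_digest):
    """Walk the delegations from the root down to qname. zones maps a zone name to
    {"dnskey": rdata or None, "ds": {child: digest}}. Returns secure/insecure/bogus."""
    if ds_digest(".", zones["."]["dnskey"]) != anchor_digest:
        return "bogus"                # root key does not match the trust anchor
    parent, labels = ".", qname.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        if child not in zones:
            continue                  # not a zone cut, just a name inside the parent
        expected = zones[parent]["ds"].get(child)
        if expected is None:
            return "insecure"         # no DS at the parent: answers are not validated
        key = zones[child]["dnskey"]
        if key is None or ds_digest(child, key) != expected:
            return "bogus"            # DS published, but the child key does not match
        parent = child
    return "secure"

# Constructed sample data: the key bytes are placeholders, not real keys.
ROOT_KEY = dnskey_rdata(257, 8, b"constructed-root-ksk")
TLD_KEY = dnskey_rdata(257, 8, b"constructed-tld-ksk")
SIGNED_KEY = dnskey_rdata(257, 8, b"constructed-zone-ksk")
ANCHOR = ds_digest(".", ROOT_KEY)     # stands in for the published root trust anchor
ZONES = {
    ".": {"dnskey": ROOT_KEY, "ds": {"example.": ds_digest("example.", TLD_KEY)}},
    "example.": {"dnskey": TLD_KEY,
                 "ds": {"signed.example.": ds_digest("signed.example.", SIGNED_KEY)}},
    "signed.example.": {"dnskey": SIGNED_KEY, "ds": {}},
    "unsigned.example.": {"dnskey": None, "ds": {}},
}
```

A validating resolver handles the "insecure" case like ordinary unsigned DNS, which is why injected answers for names in unsigned zones are still accepted even though the root is signed.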
