.ORG is signed

As of 2009-06-02, at 16:00 UTC, .ORG is DNSSEC-signed. I received this news from a mailing list last week.

Public Interest Registry has announced [link here] the key-signing key (KSK) below to validate signatures on the .ORG zone:

org.			IN DNSKEY 257 3 7 (
				AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
				dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
				GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
				bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
				XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
				x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
				CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
				DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
				) ; key id = 21366

It uses NSEC3, which is only fully supported in BIND 9.6.1 and up.
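An added example, not part of the original post or the registry's announcement: it parses the DNSKEY record quoted above, decodes its flags, algorithm and RSA parameters, and recomputes the key tag (RFC 4034, Appendix B) for comparison with the published key id, a check worth running before configuring a copied key as a trust anchor. The function names and the short algorithm table are this example's own.

```python
import base64

# The KSK record exactly as quoted on this page (zone-file presentation format).
ORG_KSK = """org. IN DNSKEY 257 3 7 (
    AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
    dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
    GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
    bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
    XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
    x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
    CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
    DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
    ) ; key id = 21366"""
PUBLISHED_KEY_ID = 21366  # from the comment on the record above
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA numbers

def parse_dnskey(text):
    """Return (flags, protocol, algorithm, key_bytes) from presentation format."""
    fields = text.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:]))

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the whole DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_params(key):
    """RFC 3110: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus."""
    elen, off = (key[0], 1) if key[0] else (int.from_bytes(key[1:3], "big"), 3)
    exponent = int.from_bytes(key[off:off + elen], "big")
    return exponent, int.from_bytes(key[off + elen:], "big").bit_length()

def inspect(text=ORG_KSK, expected_tag=PUBLISHED_KEY_ID):
    """Decode the record and compare the recomputed key tag with the published id."""
    flags, protocol, algorithm, key = parse_dnskey(text)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    exponent, bits = rsa_params(key)
    tag = key_tag(rdata)
    return {
        "zone_key": bool(flags & 0x0100),  # Zone Key bit
        "sep": bool(flags & 0x0001),       # Secure Entry Point bit marks a KSK
        "algorithm": ALGORITHMS.get(algorithm, str(algorithm)),
        "rsa_exponent": exponent,
        "rsa_bits": bits,
        "key_tag": tag,
        "tag_matches": tag == expected_tag,
    }
```

A `tag_matches` of `False` means the key text was altered or mistyped in transit; a match only rules out copying errors, since the key tag is a checksum and not a cryptographic fingerprint.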

Overall, this is good news for the DNS/Internet community, even though .com (the most popular TLD) may still be far off. Of course, the root is even further behind, and “until the root is signed…” we have to rely on DLV (DNSSEC Look-aside Validation). ISC announced today that .ORG was inserted into DLV as of July 06, 2009, another reason to celebrate.

Note: DNSSEC (or DNS Security Extensions) adds security to the Domain Name System. It was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It introduces four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC).
