[Systems] Full DNSSEC for sugarlabs.org

Bernie Innocenti bernie at sugarlabs.org
Sun Apr 10 23:14:25 EDT 2011

I transferred sugarlabs.org and sugarlabs.net to name.com, which
supports installing our DS records in the .org top-level domain.

The sugarlabs.net zone can't be protected yet because the .net TLD has
not yet done its homework. For the time being, resolvers can still
verify sugarlabs.net through DLV records in dlv.isc.org.

Now that our zones can be queried in a fully secure way, the next
logical step is to use the DNS to validate SSH fingerprints, which we
already do through SSHFP records, and SSL certificates, which could be
done by implemnenting the DANE draft:


Alternatively, we could implement the Google Certificate Catalog:


Either way, we no longer need the signature of a CA, except for
compatibility with legacy browsers. Thank you, unnamed Comodo Hacker for
exposing the fundamental flaws of the CA security model.

Bernie Innocenti
Sugar Labs Infrastructure Team

More information about the Systems mailing list