DNSSEC in Higher Education — 1% isn’t enough

Institutions of higher education throughout the world have been key advocates of Internet technologies.  The .EDU gTLD is signed, however, a recent survey of .EDU  names shows that only about one percent are signed.  While this is a greater than the Internet as a whole, it is far less than TLDs that are requiring or otherwise strongly advocating DNSSEC.

On the pedestrian side, colleges and universities present a microcosm of the Internet as a whole, replete with cyber attacks, some of which could prevented by a combination of DNSSEC signing and validation.  On the academic side, DNSSEC adds to the authenticity of the academic work product.

If you teach at, work at, attend, or attended any of the following, congratulations — your school is signed:

acadiana.edu baker.edu berkeley.edu
bucknell.edu carnegiemellon.edu cltc.edu
cmu.edu coloradomesa.edu csupomona.edu
cuhk.edu desales.edu fhsu.edu
fhtc.edu gtc.edu hfg.edu
highlands.edu indiana.edu indianatech.edu
internet2.edu iu.edu iub.edu
iupui.edu jhuapl.edu kestrel.edu
lctcs.edu lsu.edu ltc.edu
ma.edu mesa.edu mesastate.edu
millikin.edu minnesota.edu monmouth.edu
mst.edu myneltc.edu nau.edu
northcentral.edu northshorecollege.edu nwltc.edu
oxford-university.edu pacificu.edu penn.edu
psc.edu richland.edu rockefeller.edu
scl.edu sdsmt.edu southern.edu
suu.edu tilburguniversity.edu tiss.edu
truman.edu ualr.edu ucaid.edu
ucb.edu ucberkeley.edu uccv.edu
ucr.edu uiowa.edu umbc.edu
uni-stuttgart.edu upenn.edu upf.edu
valencia.edu washjeff.edu weber.edu

We’re sorry if your school is signed and we missed it.  Our survey was limited to the .EDU gTLD.  We know that many schools outside of the US are under their countries’ academic second-level domains or directly under their countries’ ccTLDs.  If your school isn’t signed,  DNSSEC resources tailored to Higher Education are published by:

  • EDUCAUSE, the nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology, manages the .EDU TLD and worked to get it signed.   They have a collection of resources for their members and others throughout the Internet.
  • Internet2, the advanced networking consortium led by the U.S. research and education community, is also supporting DNSSEC within its membership.  They have a DNS SIG.

The DNSSEC Deployment Initiative is ready to help.  Contact us at info @ dnssec-deployment.org to discuss DNSSEC presentations for conferences and meetings.



, , ,

  1. #1 by Viktor Dukhovni on May 2, 2017 - 20:05

    For the record, the truman.edu DNSSEC zone is handled by nameservers that don’t conform to the specification, which leads to interoperability issues with DANE-TLSA-enabled SMTP senders.

    The data below was captured some time ago, for the most recent results see: http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/dnssec/

    The nameserver for truman.edu returns a very slightly different (and thus invalid) signature for the same SOA record in negative replies than it does for a direct SOA query.

    ;truman.edu. IN SOA
    truman.edu. SOA ns3.truman.edu. dns-alerts.truman.edu. 2065422032 3600 900 1209600 3600
    truman.edu. RRSIG SOA 5 2 3600 20160906050001 20160807050001 17523 truman.edu. B6Qfu3gkP6P8hzMOrCiCTorxzdBdNny7q5cKAZp9U1HeVEazjfA30v26lyTvqs4TwiJ/jCuwUP62uSCJOGegz84dGWrvYImMoDLrP/jE4EjeWs8ppf1C0ouOw+XAH3fdXDdc34TuQH0gNpNRnI63bFf8Huegq/12gKH+gF+1Mog=

    ;_25._tcp.barracuda.truman.edu. IN TLSA
    truman.edu. SOA ns3.truman.edu. dns-alerts.truman.edu. 2065422032 3600 900 1209600 3600
    truman.edu. RRSIG SOA 5 2 3600 20160906050001 20160807050001 17523 truman.edu. B6Qfu3gkP6P8hzMOrCiCTorxzdBdNny7q5cKAZp9U1HeVEazjfA30v26lyTvqs4TwiJ/jCuwUP62uSCJOGegz84dGWrvYImMoDLrP/jE4EjeWs8ppf1C0ouOw+XAH3fdXDdc34TuQH0gNpNRnI63bFf8Huegq/12gKH+gAAAAlg=

    These signatures differ only in the final 8 base64 encoded characters:


    which decode to:

    80 5f b5 32 88
    80 00 00 02 58

    thus the mysterious damage is in the final 32 bits of the signature.

(will not be published)