Security Watch
PCMAG.COM
Wednesday June 16, 2010
Happy DNSSEC Day - The Root Is Signed
Categories:
DNS,Identity,Networking,News,Phish,Security Software,Servers,Top Threat,Vulnerabilities
Tags:
dns,dnssec,iana,icann,ietf,opendns
History will be made today: In a high-security data center in Culpeper, VA, the root zone of the Internet's DNS will be digitally signed, making a full implementation of DNSSEC possible.
DNSSEC is an extension of DNS in which the records in each zone are digitally signed. A validating resolver can then check that the answer it received is the one the zone operator actually published, rather than a forged or altered response injected by an attacker. Note what it does and doesn't do: it authenticates the data, not the server that delivered it, and it encrypts nothing. Abuses of DNS are not the most common attacks, but they are not unheard of and are among the most threatening. The ability to trust domain names is a prerequisite to almost all other security measures, and a secure DNS makes many new security measures possible.

But DNSSEC validation works by following a chain of trust downward: a resolver starts from a key it is configured to trust (the trust anchor, ideally the root's key) and, at each delegation, checks that the child zone's key matches a signed DS record in the parent. If any zone along the path from the root down to the name being looked up is unsigned, the chain breaks there, and the signatures below the break don't really prove anything to the resolver. Without a signed root, every signed TLD would need its own separately configured trust anchor. That's what makes today's ceremony important. The root signing project has a home page at http://www.root-dnssec.org/.
Of course, this is far from the end of the project: Many TLD zones (top-level domains such as .COM and .UK) are not signed yet, so the fact that the root is signed doesn't mean that the domains beneath them (like pcmag.com) can be validated yet. But TLDs aren't the real problem with DNSSEC deployment. It's not hard to imagine all the major TLDs being signed by some time next year. .ORG will be completing a trial soon, and VeriSign, which operates the .COM and .NET domains, is expected to announce a plan for signing them soon. All that will remain are the zillions of domains and clients below them.
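To make the chain-of-trust point in the two paragraphs above concrete, here is an added example in Go. It is not code from the original post or from any real DNSSEC implementation: a miniature validating resolver walks a constructed root -> com. -> pcmag.com. chain using Ed25519 signatures (a real DNSSEC algorithm) and SHA-256 DS digests, then shows what a resolver sees when an answer is spoofed and when a TLD signs its own data but the root has not published a DS for it. The zone names, addresses, the single-key-per-zone model and the simplified record and canonical formats are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a simplified signed zone; one Ed25519 key stands in for the DNSKEY (real zones split KSK/ZSK).
type Zone struct {
	Name    string
	Key     ed25519.PublicKey   // published as the zone's DNSKEY
	priv    ed25519.PrivateKey  // never leaves the zone operator
	Records map[string][]string // owner -> RDATA such as "A 192.0.2.10" or "DS <hex>"
	Sigs    map[string][]byte   // owner -> RRSIG over canonical(owner, RDATA)
}

// canonical is a constructed stand-in for the RFC 4034 canonical RRset wire form.
func canonical(owner string, rdata []string) []byte {
	return []byte(owner + "\x00" + strings.Join(rdata, "\x00"))
}

// dsRecord mirrors a SHA-256 DS record: a digest of the child's name and DNSKEY that the parent publishes and signs.
func dsRecord(owner string, key ed25519.PublicKey) string {
	return fmt.Sprintf("DS %x", sha256.Sum256(append([]byte(owner), key...)))
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no sensible recovery if the CSPRNG fails
	}
	return &Zone{name, pub, priv, map[string][]string{}, map[string][]byte{}}
}

// Add publishes an RRset under owner and signs it with the zone key.
func (z *Zone) Add(owner string, rdata ...string) {
	z.Records[owner] = rdata
	z.Sigs[owner] = ed25519.Sign(z.priv, canonical(owner, rdata))
}

// signedRRset returns owner's records only if their RRSIG verifies; in RFC 4033 terms a missing RRset is "insecure", a failed signature "bogus".
func (z *Zone) signedRRset(owner string) ([]string, error) {
	rdata, ok := z.Records[owner]
	if !ok {
		return nil, fmt.Errorf("insecure: %s publishes no records for %s", z.Name, owner)
	}
	if !ed25519.Verify(z.Key, canonical(owner, rdata), z.Sigs[owner]) {
		return nil, fmt.Errorf("bogus: RRSIG for %s in %s does not verify", owner, z.Name)
	}
	return rdata, nil
}

// Validate walks root -> TLD -> ... -> leaf as a validating resolver does: the root key must match
// the trust anchor, each child key must match a signed DS in its parent, and the leaf RRset must verify.
func Validate(anchor string, chain []*Zone, owner string) ([]string, error) {
	if dsRecord(chain[0].Name, chain[0].Key) != anchor {
		return nil, fmt.Errorf("bogus: root DNSKEY does not match trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, err := parent.signedRRset(child.Name)
		if err != nil {
			return nil, err
		}
		if len(ds) == 0 || ds[0] != dsRecord(child.Name, child.Key) {
			return nil, fmt.Errorf("bogus: DNSKEY of %s does not match DS in %s", child.Name, parent.Name)
		}
	}
	return chain[len(chain)-1].signedRRset(owner)
}

// Demo builds constructed zones (. -> com. -> pcmag.com., plus a self-signed but undelegated net.)
// and returns the validated good answer plus the errors for a spoofed answer and an unsigned TLD.
func Demo() ([]string, map[string]error) {
	root, com, pcmag := NewZone("."), NewZone("com."), NewZone("pcmag.com.")
	pcmag.Add("www.pcmag.com.", "A 192.0.2.10")          // constructed TEST-NET-1 address
	com.Add(pcmag.Name, dsRecord(pcmag.Name, pcmag.Key)) // .com delegates pcmag.com
	root.Add(com.Name, dsRecord(com.Name, com.Key))      // the root delegates .com
	anchor := dsRecord(root.Name, root.Key)              // what a resolver ships configured with
	good, err := Validate(anchor, []*Zone{root, com, pcmag}, "www.pcmag.com.")
	fails := map[string]error{"good": err}
	// Spoofed answer: the attacker swaps the address but cannot forge the RRSIG.
	pcmag.Records["www.pcmag.com."] = []string{"A 198.51.100.66"}
	_, fails["tampered"] = Validate(anchor, []*Zone{root, com, pcmag}, "www.pcmag.com.")
	// net. signs its own data, but the root publishes no DS for it, so the chain is broken.
	tld := NewZone("net.")
	tld.Add("www.example.net.", "A 192.0.2.20")
	_, fails["unsigned-tld"] = Validate(anchor, []*Zone{root, tld}, "www.example.net.")
	return good, fails
}

func main() {
	fmt.Println(Demo())
}
```

The two failure modes are deliberately distinct: the spoofed answer comes back as "bogus" because signed data exists and fails verification, while the name under the undelegated TLD comes back as "insecure" because the root simply has no signed DS for it. A real resolver treats the first as an error and the second as ordinary unvalidated DNS, which is exactly why an unsigned TLD lets nothing below it be proven.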
A few years ago I wrote a column elsewhere dismissing DNSSEC as a realistic solution because of the profound obstacles impeding it. At the time it seemed that signing the root zone was itself politically impossible, but ICANN and other responsible parties were able to alleviate concerns.
I spoke to Leslie Daigle, the Chief Internet Technology Officer at the Internet Society, which is home to the IETF, the wellspring of many important standards for the Internet. Daigle doesn't dismiss the remaining obstacles in the path of DNSSEC adoption, but points out that at least it's now possible to implement DNSSEC for real. This alone should make interest in it more serious.
If you're a large enterprise or an ISP, DNSSEC is tempting in the abstract, but in implementation it means significant investment in resources for development and testing for an uncertain benefit. But the products do exist and sufficient experience has been developed to make it possible. If you're a small organization or a home user, adopting DNSSEC is not only way too much work, it's probably impossible. The products and services you rely on, from your router to your ISP, probably don't support it, and you and your consultant probably don't know the first thing about it.
It's those bigger organizations that have to adopt it first in order for it to make sense for the great bulk of users to adopt it. In this sense it's not unlike IPv6, another long-in-the-making Internet standard that will some day be necessary but is, in the meantime, too much work to be worth it for most users. But at least IPv6 has an impending crisis, the depletion of available IPv4 addresses, promising to make it more attractive. DNSSEC has no such crisis, except perhaps the next major DNS spoofing vulnerability. Previous ones have attracted lots of attention, but failed to generate the kind of Y2K-like momentum necessary to bring DNSSEC to life on the Internet.
I'm sure that DNSSEC will be the default some day, just not all that soon. In fact, I may be old enough not to have to worry about it so much. Maybe it will be our kids' problem. Eventually something will make it worthwhile.
Posted By: Larry Seltzer
Comments (3)
Posted by: Scott
June 16, 2010 11:12 AM
Technically, this is only the key generation ceremony. The root zone will not be signed with these keys until July 15th. The root zone is currently referred to as the DURZ: Deliberately Unvalidatable Root Zone - that is, signatures are present, but there is no key publicly available.
There is more work to be done in backing up the keys (i.e. initializing the second site on the West Coast) and final procedures before the signed root zone goes live.

Posted by:larry seltzer
June 16, 2010 12:02 PM
Thank you Scott. Yes, as http://www.root-dnssec.org/ shows, the actual signing happens on July 15.

Posted by: David
June 16, 2010 1:03 PM
VeriSign is working closely with ICANN and the DoC on the root zone deployment and signing on July 15. In addition, VeriSign will sign the .edu domain in July, .net by fourth quarter 2010, and .com by first quarter 2011. More information on VeriSign's DNSSEC plans is available here: http://www.verisign.com/domain-name-services/domain-information-center/dnssec-resource-center/index.html

Copyright © 1996-2010 Ziff Davis, Inc. All Rights Reserved. Ziff Davis, the Ziff Davis logo and Security Watch are registered trademarks of Ziff Davis, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, Inc. is prohibited.