|ICANN announces plans to implement DNSSEC for internet's "root zone"|
| 9:52 am on Jun 5, 2009 (gmt 0)|
From ICANN [icann.org]:
|" We’ve been working towards a signed root for more than three years. In fact, ICANN has operated a root zone signing test bed for more than two years. So ICANN is aware of the urgency around signing the root to enhance stability and security" Paul Twomey, President and CEO of ICANN said. |
"ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long term signing processes" (...)
More about ICANN's implementation of DNSSEC here: DNSSEC – What Is It and Why Is It Important? [icann.org]
|DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit. |
| 2:28 pm on Jun 6, 2009 (gmt 0)|
From your second link there is a PDF survey in the footnotes that is an interesting read as well.
|If you have not implemented DNSSEC, do you plan to? |
Many of the registries that replied "No" mentioned that although the registry doesn't plan to implement DNSSEC at the moment, they know it is important and that it will probably happen at some point in the future. Some of them also mentioned that some existing problems first need to be solved – such as Zone Walking, or having an IETF standard developed. A few also stated they don't see a point in implementing DNSSEC as long as the root has not been signed.
Those that have implemented DNSSEC were asked to please briefly describe the technical environment used:
|A summarising overview shows that some were doing fully manual signing, however most had developed systems to help sign their zones. |
So the process can be automated by the sounds of it. Could one assume that there should be no additional expenses upon full implementation of DNSSEC?
| 6:35 pm on Jun 6, 2009 (gmt 0)|
I couldn't answer for the expense involved; I doubt it's negligible, but I also doubt it is overly onerous, especially compared to the costs of not implementing a more secure DNS solution. The fundamentals of the current DNS system remain intact. The raison d'être of DNSSEC is simply the use of digital signatures (not to be confused with encryption) which enable users to authenticate the data against a public key, rather than the current open architecture. DNSSEC is a leap forward in preventing problems such as DNS cache poisoning. The whole process can be automated, and many registries are already implementing DNSSEC to create a chain of trust from the root up, via the registries, to the client.
The news that ICANN are moving towards DNSSEC for the root zone follows announcements by PIR regarding the successful implementation of DNSSEC for the .org registry:
.ORG is the First Open Top-Level Domain to be Signed with Domain Name Security Extensions [pir.org]
|Today, .ORG (...) is the first open generic Top-Level Domain to successfully sign the .ORG zone file with Domain Name Security Extensions (DNSSEC). To date, the .ORG zone is the largest domain registry to implement the security measure. |
"We feel that implementing DNSSEC is a fundamental step in the upgrade of Internet security and stability," says Alexa Raad, CEO of .ORG, The Public Interest Registry. "With continuing growth of the Internet and the increasing number of applications depending on the DNS, this is a critical step in the evolution of the Internet."
A good site to read up about DNSSEC is the DNSSEC Deployment Initiative [dnssec-deployment.org].
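The "chain of trust from the root up, via the registries" described above works because each parent zone publishes a DS record that is a hash of the child zone's DNSKEY; a validating resolver recomputes that hash and compares. The following is an added example (not code from the thread, ICANN or PIR) showing that DS/key-tag computation per RFC 4034 with hashlib only; the DNSKEY values and the `example.org.` owner name are constructed for illustration, not real zone data.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC (RFC 4034)
    algorithm: int   # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: str  # base64, as it appears in a zone file

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags | protocol | algorithm | key bytes."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum a DS/RRSIG uses to name the key it refers to."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, key: DNSKEY) -> str:
    """RFC 4034 s5.1.4, digest type 2: SHA-256(owner name | DNSKEY RDATA), as the parent publishes it."""
    return hashlib.sha256(owner_wire(owner) + key.rdata()).hexdigest()


def ds_matches(owner: str, key: DNSKEY, parent_ds_digest: str) -> bool:
    """The check a validating resolver makes at each delegation: child DNSKEY must hash to parent's DS."""
    return ds_digest(owner, key) == parent_ds_digest.lower()


# Constructed demo keys (a real ECDSA P-256 key is 64 bytes; these are placeholders).
DEMO_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key="AQIDBA==")
TAMPERED_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key="AQIDBQ==")

if __name__ == "__main__":
    tag = key_tag(DEMO_KEY.rdata())
    print(f"example.org. DS {tag} {DEMO_KEY.algorithm} 2 {ds_digest('example.org.', DEMO_KEY)}")
    print("tampered key accepted:", ds_matches("example.org.", TAMPERED_KEY, ds_digest("example.org.", DEMO_KEY)))
```

Against a live zone, the DS published by the parent (root or registry) is what you would compare with; a mismatch means the delegation is not in the chain of trust and resolvers will treat the child's data as unsigned or bogus.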
| 7:17 pm on Jun 6, 2009 (gmt 0)|
|and many registries are already implementing DNSSEC to create a chain of trust from the root up, via the registries |
Precisely. This is where I was wondering if this was going to be something we would need to be concerned about during domain registration. I don't think so. Expenses look negligible to me, from the quoted responses in the same pdf survey mentioned earlier at least.