DNSSEC Key Signing Designed to Make the Internet More Secure
A critical milestone in the history of Internet security happened this week at a "key signing" ceremony. Are we all now safer as a result?
At long last, DNS, which performs a critical role in Internet infrastructure, is finally set to be secured with DNSSEC. DNSSEC provides a cryptographically secure mechanism for authenticating DNS information and is set to be implemented in the root zone of the Internet this year.
A Key-Signing-Key (KSK) ceremony was held this week at a secure datacenter in Virginia to produce the cryptographic key that will be used to secure the root zone of Internet DNS.
"This is an important milestone for the deployment of the Internet," Howard Eland, senior director of Content Propagation & Resolution for Afilias, told InternetNews.com.
Afilias operates a number of domain registries including the .org Top Level Domain. Robert Seastrom, an Afilias employee, had a "key" role to play in the KSK ceremony. Eland noted that Seastrom was selected by ICANN, the Internet Corporation for Assigned Names and Numbers, to serve as one of twenty-one Trusted Community Representatives (TCRs) to participate in the KSK process. The role of the TCR is to participate in the key generation, key backup and key signing process for the Root to ensure its neutrality and security.
"The key signing event was an important milestone in the root deployment of DNSSEC, because this ceremony created the keys needed to actually sign the zone on July 15th," Eland said. "On July 15th, validating resolvers will be able to use these keys to verify that response from the root came from the root servers."
DNSSEC has become increasingly important in light of the Kaminsky DNS vulnerability, which was disclosed in 2008. That flaw exposed a vulnerability in the DNS system that could have destroyed the viability of the current Internet system for routing domain name information and Web traffic. DNSSEC, when fully implemented, will mitigate the risk by providing additional security for DNS information to ensure its authenticity.
While the root zone of the Internet is on the verge of being ready for DNSSEC with the KSK ceremony, there is still much work to be done. The actual domain registries still need to complete their respective DNSSEC efforts.
Work on DNSSEC for .org has been going on since 2008, with completion expected this year. The .com and .net Top Level Domains are set to be secured by DNSSEC in 2011.
"The major work so far has been done on the infrastructure side among Root and TLD operators enabling DNSSEC," said Eland. "What really has to happen now is for ISPs, application providers and enterprises to embrace DNSSEC either to secure their own infrastructure, or to look at how they can use it in new services to improve end user security."