DNSSEC Now Deployed in Root DNS


The root zone of the Internet's DNS has now been digitally signed for DNSSEC. The signing marks a major milestone in the history of Internet security: for the first time there is a cryptographically verifiable root of trust for DNS data.

With DNSSEC, the integrity and origin of DNS data -- the mappings that route traffic from domain names to IP addresses -- can be verified by a validating resolver, limiting the risk of DNS spoofing attacks and mitigating a key threat to the Internet at large. DNSSEC authenticates the answers; it does not encrypt queries or hide which names are being looked up.

"The milestone is crucial because it means that administrators of recursive name servers -- the servers that look up Internet addresses using data from the Domain Name System (DNS) -- can in most cases enable validation of DNS data by configuring just the root's public key," Ken Silva, senior vice president and chief technology officer at VeriSign, told InternetNews.com. VeriSign assists with the management of the root zone under a cooperative agreement with the U.S. Department of Commerce and provided testing and implementations for the deployment of DNSSEC in the Authoritative Root Zone, Silva said.

"With the signed root zone now available, DNS server administrators the world over can begin to do their part in the next phase of DNSSEC deployment," he added.

DNS security became a critical issue two years ago when security researcher Dan Kaminsky disclosed a practical cache-poisoning attack against the Internet's DNS infrastructure. The weakness could have been leveraged by attackers to disrupt the Internet's operation by spoofing DNS information and misdirecting Internet users' traffic.

In response, Internet authorities and stakeholders stepped up efforts to better secure the Net's key infrastructure, chief among them the effort to promote and support DNSSEC. The root zone's DNSSEC signing was completed on July 15, in the second phase of a key-signing process that began in mid-June with the production of the cryptographic key used to sign the root zone.

"The root zone signing is the culmination of months of preparation, testing and deployment by ICANN, the U.S. Department of Commerce, VeriSign and the root server operators," Silva said. "The root zone is now fully DNSSEC-enabled. Operators of DNS resolvers are able to configure their servers to query root servers requesting DNSSEC-signed responses, then validate that the responses originated from an authoritative source and the response has not been modified."
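The trust-anchor step Silva describes in the two quoted passages above (configure only the root's public key, then check what the root servers return against it) as an added example that is not code from the article, from VeriSign or from any resolver: Python that builds DNSKEY RDATA, derives the key tag and DS digest as specified in RFC 4034, and accepts a root DNSKEY only if it matches a configured anchor, rejecting a substituted key. The key material is a constructed placeholder, not the real root KSK, and verifying the RRSIGs made with the accepted key (the second half of validation) is not shown.

```python
import hashlib
import struct

# Field values from RFC 4034 (DNSKEY/DS) and RFC 5702 (RSA/SHA-256).
DNSKEY_PROTOCOL = 3
ALG_RSASHA256 = 8
DS_DIGEST_SHA256 = 2
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001          # Secure Entry Point: set on key-signing keys


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase, length-prefixed labels; the root is a single zero byte."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        lab = label.encode("ascii")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def rsa_public_key_field(exponent, modulus):
    """RFC 3110 s2 encoding of an RSA public key: exponent length, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        return bytes([len(e)]) + e + n
    return b"\x00" + struct.pack(">H", len(e)) + e + n


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key."""
    return struct.pack(">HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, rdata):
    """The fields of a DS RR, which is also the shape of a configured trust anchor."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, DS_DIGEST_SHA256, ds_digest(owner, rdata))


def find_trusted_key(owner, dnskey_rrset, trust_anchors):
    """Return the DNSKEY RDATA from the RRset that matches a configured anchor,
    or None if no key does. Only zone keys (ZONE flag set) are considered."""
    for rdata in dnskey_rrset:
        flags = struct.unpack(">H", rdata[:2])[0]
        if not flags & FLAG_ZONE_KEY:
            continue
        if ds_record(owner, rdata) in trust_anchors:
            return rdata
    return None


def placeholder_modulus(seed):
    """Deterministic 2048-bit stand-in for an RSA modulus. Constructed for the demo;
    it is NOT a real key and carries no security."""
    return int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047)


def demo():
    """Constructed scenario: a resolver holding one root anchor sees the genuine
    root DNSKEY RRset, then an RRset in which the KSK has been swapped."""
    ksk = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_RSASHA256,
                       rsa_public_key_field(65537, placeholder_modulus(b"demo root KSK")))
    zsk = dnskey_rdata(FLAG_ZONE_KEY, ALG_RSASHA256,
                       rsa_public_key_field(65537, placeholder_modulus(b"demo root ZSK")))
    # The only thing the operator configures: the DS-form anchor for the root KSK.
    anchors = {ds_record(".", ksk)}
    # An attacker-substituted KSK differs from the genuine one by a single bit.
    tampered = bytearray(ksk)
    tampered[-1] ^= 0x01
    genuine_ok = find_trusted_key(".", [zsk, ksk], anchors) == ksk
    forged_rejected = find_trusted_key(".", [zsk, bytes(tampered)], anchors) is None
    return genuine_ok, forged_rejected


if __name__ == "__main__":
    print("genuine KSK accepted, forged KSK rejected:", demo())
```

Real anchors are published by IANA under https://data.iana.org/root-anchors/ and are what a resolver's trust-anchor configuration should be loaded from; note that the root KSK signed in 2010 was replaced in the 2018 root KSK rollover, so a static copy of the 2010-era anchor no longer matches the keys the root servers serve.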

"The collaborative, methodical approach to successfully complete deployment of DNSSEC in the root has been designed to minimize the potential for unexpected functional or performance issues," he added. "Performance has been monitored closely by VeriSign and other root operators throughout this process, which began in January 2010 with the deployment of a Deliberately Unvalidatable Root Zone and culminated on July 15 with the root zone signing. Additionally, a Root Scaling Study team was formed to report on the impact of several changes in the root zone, including DNSSEC."

In addition to assisting with the testing and deployment of DNSSEC in the root zone, VeriSign also works to ensure the performance of DNS. The company is currently engaged in a $300 million effort called Project Apollo that's aimed at improving and scaling DNS infrastructure.

Moving forward, domain name registries will also need to sign their own zones with DNSSEC so that the chain of trust extends below the root. Among the big top-level domains (TLDs), the .org registry is the only one currently set up for DNSSEC. The VeriSign-operated .com and .net registries are in the process of deploying DNSSEC on a schedule that Silva said is on track for late this year and early next year.

"Signing the root zone is an important step in our incremental approach to implementing DNSSEC," Silva said. "We are currently working with our .com and .net registrars to complete preparations for signing .net in Q4 2010 followed by .com in Q1 2011. As we progress through our deployment schedule, we continue to apply the lessons learned from our DNSSEC implementations, provide technical assistance and tools to assist registrars with their implementations, and enable testing with a number of infrastructure providers in our DNSSEC Interoperability Lab."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.