ICANN, Verisign place last puzzle pieces in DNSSEC saga

The industry bodies responsible for the root servers that underpin the Internet have claimed success in implementing its DNS Security Extensions (DNSSEC) to the last clusters. The deployment is the final step before implementing the security required to prevent DNS cache poisoning attacks on Internet addresses.

Six deployments in total were made to the Internet's 13 root server clusters, beginning 27 January this year, with the final root server dubbed "J-Root" receiving the fix between 5pm and 7pm UTC on 5 May (3am-5am AEST on 6 May). The fix enables the cluster to begin serving a Deliberately Unvalidatable Root Zone (DURZ), which would eventually enable the ability to serve signed addresses.

The industry bodies involved, ICANN and Verisign, expect to distribute signed keys through the servers on 1 July.

According to a post on the Root DNSSEC website, "no harmful effects have been identified" following the transition.

The move toward extra security for DNS root servers comes two years after renowned security expert, Dan Kaminsky, exposed flaws in the DNS system, allowing would-be hackers to divert top-level domains to another IP address instead of the intended one. While network engineers rushed to patch their servers against the expert's proof-of-concept Kaminsky bug in the year following its exposure, the short-term patch did not fully resolve the issue around DNS cache poisoning.

The security flaw potentially allows hackers to redirect browsers to another IP address when a domain name is entered, as well as possibly subverting email as well, according to some security professionals.

A DNS Working Group meeting to be held in Prague this week will be used to make and discuss any initial observations and potential problems surrounding the transition.

Despite some media warning of potential melt-downs surrounding the DNSSEC deployment, outspoken Internode network engineer, Mark Newtown, said that any problems would most likely be due to ageing firewalls and modems.

"Please understand that it's possible that any problems you experience may be caused by deficiencies in your own equipment," he said in an entry on Internode's blog. "Although it's very unlikely, it remains possible that you'll need to purchase a new firewall or a new ADSL modem after May 5th if your current equipment is old enough to have problems which haven't been fixed by the vendor because they're no longer offering support for your product.

"The overwhelming majority of our customers won't notice anything on May 5th, but the difference behind the scenes will be considerable. DNSSEC is undergoing a phased rollout and it won't be ready for full use for a couple of years, but when the work is complete the security of the Internet infrastructure will be vastly improved."

Major Australian ISPs have all announced compatibility with DNSSEC certification, which sees an increase in the size of individual packets in network traffic from 512 bytes to 2 kilobytes. These packets are transmitted over the TCP protocol rather than the UDP transport layer.

However, many top-level domains are yet to commit to DNSSEC signatures. Global top-level domains like .org and .edu are expected to comply by June, with .net in December. Verisign has said it will ensure the most popular domain, .com, is signed under DNSSEC regulations by March next year.

The organisation responsible for top-level Australian domans, auDA, was not available for comment at time of writing.

ISP Australia Online provides a quick DNSSEC test, enabling users to determine whether local equipment may have been affected.

This story, "ICANN, Verisign place last puzzle pieces in DNSSEC saga" was originally published by Computerworld Australia.

Join the discussion
Be the first to comment on this article. Our Commenting Policies