The 13 globally distributed server clusters -- known within Internet engineering circles as the Root Zone – will begin cryptographically signing DNS look-ups today.
The Root Zone is gaining an added layer of protection from hackers through the deployment of DNS Security Extensions (DNSSEC). This emerging Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
Proponents of DNSSEC hope that having the Root Zone cryptographically signed will create a domino effect, prompting operators of top-level domains and individual Web sites to deploy the security standard on the pieces of the Internet infrastructure that they control.
Several top-level domains have already deployed DNSSEC and are ready to start signing transactions at their level. These include The Public Interest Registry's .org, Sweden's .se, the United Kingdom's .uk, Brazil's .br and the Czech Republic's .cz.
The U.S. federal government also is in the midst of deploying DNSSEC on all .gov Web sites.
Next up for DNSSEC support are .edu, which will be signed in July, .net which will be signed in November, and .com which will be signed in March 2011 – all being enabled by VeriSign.
After these top-level domains are signed, companies can deploy DNSSEC to protect all of their Web sites that use these extensions.
"Once .com is signed, then I think you're going to have that rush of adoption," says Sean Leach, CTO of Name.com, a domain name registrar. "Right now we see the early adopters. Most of them have DNS servers set up, and they are testing how to upload their keys and push them into the registry…I see a lot of banks, and I see a lot of the e-commerce companies that are all in that wait-and-see mode."
Leach says that he has dozens of customers who are testing DNSSEC out of the 1 million names that his company has registered. "Most of the DNSSEC requests we see are in .org, but we also see a lot in .se," Leach says.
But until DNSSEC is widely deployed from the top to the bottom of the DNS hierarchy, Web sites remain vulnerable to Kaminsky-style attacks.
"One of the problems with DNSSEC is that it requires all of the Internet ecosystem – from the DNS servers to the end user's software – to have it deployed or it loses its usefulness," says Rodney Joffe, founder and chairman of UltraDNS, a division of NeuStar that provides managed DNS services. "We still don't have many registrars with the ability to sign domains….Until you start seeing applications on the desktop enabled with DNSSEC, it’s still some time away."