Skip Links

Techies end-run feds on DNS security

Authentication alternatives proliferate as U.S. delays signing of Internet root zone

By , Network World
February 23, 2009 11:27 AM ET

Network World - Forty years ago, when the U.S. government created the packet switching network that became the Internet, one of its goals was to create a robust network where traffic would be dynamically routed around blockages.

Now the Internet engineering community has developed a strategy to route around a different kind of blockage – one that is political, rather than technical – and one that has been caused by the U.S. government itself.

At issue is the deployment of security mechanisms for the Internet's Domain Name System, which matches domain names with corresponding IP addresses.

The Internet engineering community wants to deploy DNS Security Extensions (DNSSEC) to prevent hackers from hijacking Web traffic and redirecting it to bogus sites. DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC is viewed as the best way to bolster the DNS  against vulnerabilities such as the Kaminsky bug discovered this summer (and about which Dan Kaminsky spoke at last week's Black Hat event in Washington, D.C.). It's because of DNS threats like these that the U.S. government is rolling out DNSSEC across its .gov domain

Despite its efforts to deploy DNSSEC on .gov, the U.S. government is delaying widespread DNSSEC deployment by failing to cryptographically sign the 13 "root" servers that operate at the pinnacle of the Internet's hierarchical DNS. The root servers make it possible for top-level domains including .gov, .com and .net to resolve DNS requests for names registered in these domains.

Last fall, the U.S. government sought comments from industry about how best to deploy DNSSEC on the root zone, but it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration only this week named Gary Locke as Secretary of Commerce, a position in which he would oversee Internet addressing issues.

View slideshow on Big name techies who could influence Obama 

Meanwhile, the Internet engineering community is forging ahead with an alternative approach to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by the Internet Corporation for Assigned Names and Numbers (ICANN) last week

ICANN's Interim Trust Anchor Repository – or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed.

ICANN officials were quick to say that their Trust Anchor Repository would be disabled as soon as the U.S. Department of Commerce requires root zone operators to deploy DNSSEC.

"The ideal scenario is that the root zone is signed," said Kim Davies, manager of root zone services for ICANN."Currently, we have a situation where the root isn't signed, which is largely a political discussion. And in the immediate future, it is not likely that we'll have a signed zone. So we're looking at what's the next best thing."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News