Skip Links

DNS security reaches 'key' milestone

Virginia event is precursor to DNSSEC roll-out on the root zone

By , Network World
June 16, 2010 09:20 AM ET

Network World - The dream of bolting security onto the Internet's Domain Name System takes one step closer to reality Wednesday as Internet policymakers host a ceremony in northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet's root zone.

This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet's root zone. DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

80% of government Web sites miss DNS security deadline

"The key ceremony will generate the master root key, the key that signs all the other keys," explains Ken Silva, CTO of VeriSign, which operates two of the Internet's 13 root servers along with the back-end systems that power the .com and .net top-level domains. "This is being done a month before the actual roll-out of DNSSEC so that we have a valid key and that we can test with it."

DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

Today's key ceremony is being hosted by the Internet Corporation for Assigned Names and Numbers (ICANN) in a secure data center in Culpeper, Va., outside of Washington, D.C. A similar key ceremony will take place in Los Angeles in early July.

The key ceremony will demonstrate the set of procedures that the Internet engineering community has created to generate and store keys for the root zone in a secure way. Attendees will include ICANN staff and DNS experts from around the world. The key generation and storage process will be audited.

"People from all over the world will be part of the process of creating the key for the top level of the DNS," explains Steve Crocker, an Internet security expert and CEO of Shinkuro. "They will witness and be able to report that the proper procedure was carried fairly and scrupulously."

The two key ceremonies are among the last steps before production-scale deployment of DNSSEC on the root zone, which is scheduled for July 15.

Between now and July 15, the root server operators will conduct additional testing of DNSSEC.

"We're testing as many possible corner cases that we can imagine," Silva says. "We're trying to test every permutation of key sizes, key roll-over, key expiration and all those kinds of issues. We're testing to see how the system responds and whether our monitors and detection can catch those sorts of things."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News