Tuesday, July 20, 2010

DNSSEC Now Fully Deployed on the Internet Root

Via GCN.com -

Operators of the Internet’s authoritative root zone last week completed deployment of enhanced security protocols at the top level of the Domain Name System.

The Internet’s 13 root zone DNS servers have been digitally signed using the DNS Security Extensions (DNSSEC) since May. On July 15 the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests.

To be fully effective, DNSSEC must be deployed throughout the Internet’s domains, but the publication of the trust anchor for the Internet root means it now is possible to begin linking together the “islands of trust” that have been created by the deployment of DNSSEC in isolated domains, such as .gov and .org.


DNSSEC provides a layer of security in the Internet by using cryptographic digital signatures to authenticate responses to DNS queries. The effort by NTIA, VeriSign and the Internet Corp. for Assigned Names and Numbers to deploy DNSSEC in the root zone has been called the biggest structural improvement to the DNS in 20 years.

Digitally signed responses to DNS queries that can be cryptographically validated are more difficult to spoof or manipulate. This can help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware.
