U.S. gov't proposes digital signing of DNS root zone file
The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.
Under the idea, records in the DNS (Domain Name System) root zone would be cryptographically signed using DNSSEC (Domain Name and Addressing System Security Extensions), a set of protocols that allows DNS records to carry a digital signature.
The U.S. Department of Commerce is asking for comments through Nov. 24 on how DNSSEC could best be deployed.
The root zone is the master list of where computers can go to look up an address in a particular domain such as ".com." The DNS translates Web site names, such as www.idg.com into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.
But several security problems within the DNS make it possible for hackers to supply a different IP address for a Web site. It means a user thinks she is viewing "www.idg.com" but actually is on a phishing site.
The most serious of these DNS vulnerabilities was revealed in July by security researcher Dan Kaminsky. Nearly all DNS software is vulnerable to the attack. Major vendors have deployed temporary patches but are working on a more permanent fix.
Security experts for years have advocated the adoption of DNSSEC, but implementation has been patchy. The U.S. government has said it will use DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC. The operator of the ".org" TLD has also committed to the system, according to the U.S. Department of Commerce.
But to get the full benefits of DNSSEC requires domain name registrars, domain name registries, ISPs (Internet Service Providers) and others to upgrade their software. Users' systems would also have to be configured to verify digital signatures.
"DNSSEC signed root zone would represent one of most significant changes to the DNS infrastructure since it was created," according to a notice issued by the U.S. Department of Commerce in the Federal Register, a daily digest of U.S. government notices.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.













