June 16, 2010, 10:36 AM — The dream of bolting security onto the Internet's Domain Name System takes one step closer to reality Wednesday as Internet policymakers host a ceremony in northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet's root zone.
This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet's root zone. DNSSEC is an emerging Internet standard that prevents spoofing attacks by letting resolvers verify, with digital signatures and public-key cryptography, that the domain-name and IP-address records they receive for a Web site are the ones its operator published.
"The key ceremony will generate the master root key, the key that signs all the other keys," explains Ken Silva, CTO of VeriSign, which operates two of the Internet's 13 root servers along with the back-end systems that power the .com and .net top-level domains. "This is being done a month before the actual roll-out of DNSSEC so that we have a valid key and that we can test with it."
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the name servers that answer for individual Web sites' domains.
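Each link in that hierarchy is a DS record: the parent zone publishes a hash of the child zone's key-signing key, so a validator that already trusts the parent can check the DNSKEY the child serves against the parent's hash before trusting it. The following is an added example, not code from the article or from ICANN or VeriSign; the key bytes are constructed placeholders, not any real zone's key.

```python
import hashlib
import struct


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for any algorithm other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name: 'com.' -> b'\\x03com\\x00'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """RFC 4509 DS digest type 2: SHA-256(owner name || DNSKEY RDATA), as hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def ds_matches(owner: str, rdata: bytes, parent_tag: int, parent_digest: str) -> bool:
    """What a validator does with a child's DNSKEY: recompute the DS and compare it
    to the DS the (already trusted) parent zone published. Both must agree."""
    return key_tag(rdata) == parent_tag and ds_digest(owner, rdata) == parent_digest


# Constructed placeholder: a KSK (flags 257) using algorithm 8 (RSA/SHA-256)
# with a fake 8-byte public key, so the whole exercise runs offline.
CHILD_KSK = dnskey_rdata(257, 8, bytes(range(1, 9)))
# What the parent would publish in its DS record for the child zone "com."
PARENT_DS = (key_tag(CHILD_KSK), ds_digest("com.", CHILD_KSK))


def validate_child_key(served_rdata: bytes) -> bool:
    """True only if the DNSKEY a resolver received matches the parent's DS."""
    return ds_matches("com.", served_rdata, *PARENT_DS)
```

A DNSKEY whose bytes differ by even one bit (for example a key swapped in by a spoofed response) yields a different digest, and `validate_child_key` rejects it.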
Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
Today's key ceremony is being hosted by the Internet Corporation for Assigned Names and Numbers (ICANN) in a secure data center in Culpeper, Va., outside of Washington, D.C. A similar key ceremony will take place in Los Angeles in early July.
The key ceremony will demonstrate the set of procedures that the Internet engineering community has created to generate and store keys for the root zone in a secure way. Attendees will include ICANN staff and DNS experts from around the world. The key generation and storage process will be audited.