U.S. gov't proposes digital signing of DNS root zone file

by Jeremy Kirk
Be the first to comment | I like it!
Tags: DNS, internet security
More »
on this topic
October 10, 2008, 10:11 AM —  IDG News Service — 

The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.

Under the idea, records in the DNS (Domain Name System) root zone would be cryptographically signed using DNSSEC (Domain Name and Addressing System Security Extensions), a set of protocols that allows DNS records to carry a digital signature.

The U.S. Department of Commerce is asking for comments through Nov. 24 on how DNSSEC could best be deployed.

The root zone is the master list of where computers can go to look up an address in a particular domain such as ".com." The DNS translates Web site names, such as www.idg.com into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.

But several security problems within the DNS make it possible for hackers to supply a different IP address for a Web site. It means a user thinks she is viewing "www.idg.com" but actually is on a phishing site.

The most serious of these DNS vulnerabilities was revealed in July by security researcher Dan Kaminsky. Nearly all DNS software is vulnerable to the attack. Major vendors have deployed temporary patches but are working on a more permanent fix.

Security experts for years have advocated the adoption of DNSSEC, but implementation has been patchy. The U.S. government has said it will use DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC. The operator of the ".org" TLD has also committed to the system, according to the U.S. Department of Commerce.

But to get the full benefits of DNSSEC requires domain name registrars, domain name registries, ISPs (Internet Service Providers) and others to upgrade their software. Users' systems would also have to be configured to verify digital signatures.

"DNSSEC signed root zone would represent one of most significant changes to the DNS infrastructure since it was created," according to a notice issued by the U.S. Department of Commerce in the Federal Register, a daily digest of U.S. government notices.

Implementing DNSSEC would also introduce new steps in how changes to the root zone are published. As it stands now, TLD operators send changes to the Internet Assigned Numbers Authority, which is part of the Internet Corporation for Assigned Names and Numbers. ICANN then sends the changes to the U.S. National Telecommunications and Information Administration, which is part of the U.S. Department of Commerce. After approval, VeriSign -- a commercial company -- modifies the root file and sends it to the operators of the 13 root servers around the world.

The heavy involvement of the U.S. government, as well as the interests of VeriSign, in how the Internet's addressing system is administered has drawn criticism that the process is too U.S.-centric.

And there appears to be a battle brewing over which entity will manage the cryptographic keys required to sign the root zone file.

ICANN has submitted a proposal advocating it should hold the keys. ICANN said it is a nonprofit, transparent organization that is "not subject to market-based profit and loss considerations."

VeriSign countered in its proposal that it should be able to hold one kind of key necessary for the signing process, and the other kind should be split amongst other entities.

IDG News Service

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Build your tech library with our book giveaways.

Hacking Exposed, Sixth Edition
By Stuart McClure, Joel Scambray, George Kurtz; Published by McGraw-Hill/Osborne

The original Hacking Exposed authors rejoin forces on this tenth anniversary edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities. The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace