DNS security adoption boosted by root zone key

Domain Name Server Security Extensions should make the internet a safer place

Today sees the publication of the internet root zone key, the culmination of almost two decades of work and the catalyst for widespread deployment of the Domain Name Server Security Extensions (DNSSec) protocol designed to secure the infrastructure of the internet.

DNSSec uses digital signatures to verify with the internet's name servers that the DNS data being sent to them is authentic. Such a system could help avoid man-in-the-middle phishing and other DNS-related attacks.

While many Top Level Domain (TLD) organisations have already signed their individual zones, the significance of today's announcement is that it will remove many of the administrative barriers that have hindered deployment thus far, according to Daniel Karrenberg, chief scientist at regional internet registry the RIPE NCC.

"Until now, DNS users - ISPs running DNS for their customers or IT departments running DNS for internal customers - have had to keep track of DNSSec key information for every TLD," he explained. "Now it's all automated so they just need to turn it on in their name server software."

However, the spread of DNSSec does not mean that the internet is now miraculously safe, Karrenberg warned.

"It is significant because it will lead to a tremendous increase in confidence, but it's one piece of making the internet more secure," he said.

Kevin Hogan, senior director at Symantec Security Response, added that, while it is a "big start", there remains some way to go in its implementation.

"To be effective, DNSSec needs to be implemented down the whole DNS chain, from the root down to your ISP or company, so there are still many more milestones to be achieved before DNSSec can achieve some of its promise, even if cyber criminals don't identify ways around the signed response safeguard," he said.

But Karrenberg is optimistic that the signing of the root zone will remove the previous administrative burden preventing TLDs and DNS customers from implementing DNSSec.

"Now it is signed there should be no impediment for any TLDs or the whole DNS industry to adopt DNSSec," he said. "A lot of TLDs are already signed but there are quite a lot that haven't, so I now expect them to make that move."