On Wednesday (5th May) the last of the 13 authoritative root servers for the domain name system switched over to the DNS Security Extensions (DNSSEC) security protocol. DNSSEC is intended to prevent DNS exploits such as cache poisoning. All 13 root servers are now serving a signed version of the root zone. However, it is not possible to validate these signatures at present as the public key remains undisclosed.
This precautionary measure is intended to ensure that for the time being it remains possible to switch back to an unsigned root zone, should the need arise.

There have been no reports of any problems in the immediate aftermath of VeriSign's J root server starting to serve DNSSEC signatures. Experts at the 60th RIPE meeting in Prague were almost unanimous in predicting a glitch-free switchover, following the successful switchovers of the other 12 root servers in recent months. The only apocalyptic note was sounded by a countdown to the demise of the unsigned root zone.

Yesterday's changeover does mean the .root zone is now dead. VeriSign, which operated the master server for the root zone, has for several years used a single entry under .root to check that the bulky root zone had been transferred. According to Jaap Akkerhuis, a DNS expert at NLnet Labs, the creation of the .root entry was prompted by a complete outage of the .com zone following a data transfer error. Rigid DNSSEC procedures render this trick obsolete for the root servers operated by VeriSign and the Internet Corporation for Assigned Names and Numbers (ICANN).

The link for this article located at H Security is no longer available.