Preparations for securing the domain name system root zone using the DNS Security Extensions (DNSSEC) protocol are entering a key phase. At the 76th meeting of the Internet Engineering Task Force (IETF) in Hiroshima, the design team from VeriSign, the internet administration authority ICANN and the US NTIA presented the strict security conditions under which the various keys required will be generated, held and renewed. IETF developers expressed concern about the lack of channels both for explaining the DNSSEC rollout, scheduled to commence in January, to ISPs and for collecting reports of anything untoward from the ISPs.
In October, ICANN and VeriSign surprised many observers with their proposed timetable for DNSSEC root zone signing. Signatures will be used internally from as early as 1st December and the first root server will serve the zone to the outside world from January. Cryptographically secured DNSSEC signatures are intended to prevent DNS information from being changed en route from sender to recipient. If a response comes from the wrong domain, this will be revealed by checking the signature, which is created with the private key, against the corresponding public key.

The link for this article located at H Security is no longer available.