
DNS root zone getting DNSSEC

June 4th, 2009 Posted by D Webber

The root zone for the Internet Domain Name System will finally implement DNSSEC. This follows the commitment last year from the folks running the .org top-level domain to implement DNSSEC for all .org domains.

This is an important move to mitigate the worst vulnerabilities in DNS. As I presented recently, design flaws in the DNS protocol make it impossible to prevent attackers from spoofing DNS records, among other vulnerabilities.

DNSSEC adds digital signatures to DNS records, so a validating resolver can detect forged ones. However, a signature only proves anything if the resolver can trace an unbroken chain of signed delegations back to a key it already trusts, which in practice means the tree must be signed from the root on down. ICANN has a summary of the issues here: DNSSEC – What Is It and Why Is It Important?
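To make the chain-of-trust point concrete, here is a small added Go model (not code from the original post or from any DNS implementation). It builds a constructed zone tree (root, org, com, example.org), has each parent publish and sign a DS record for its child, and then validates keys two ways: with an "island" trust anchor for org only, as a resolver would have had when .org signed before the root, and with a single root anchor. The DS digest and canonical name encoding follow RFC 4034; the key type is ECDSA P-256 (DNSSEC algorithm 13, chosen here for brevity and not something the 2009 post mentions), and the model deliberately keeps only the links that form the chain: one key-signing key per zone and no ZSKs or RRSIGs over ordinary records.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ownerWire gives a name's canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels.
func ownerWire(name string) []byte {
	var buf bytes.Buffer
	if name = strings.TrimSuffix(strings.ToLower(name), "."); name != "" {
		for _, label := range strings.Split(name, ".") {
			buf.WriteByte(byte(len(label)))
			buf.WriteString(label)
		}
	}
	buf.WriteByte(0) // the empty root label terminates every name
	return buf.Bytes()
}
// dnskeyRdata: DNSKEY RDATA for an ECDSA P-256 KSK: flags 257, protocol 3, algorithm 13, X||Y (RFC 6605).
func dnskeyRdata(pub *ecdsa.PublicKey) []byte {
	rdata := []byte{0x01, 0x01, 3, 13}
	rdata = append(rdata, pub.X.FillBytes(make([]byte, 32))...)
	return append(rdata, pub.Y.FillBytes(make([]byte, 32))...)
}
// dsDigest: the DS a parent publishes for a child key (RFC 4034 s5.1.4, type 2): SHA-256(owner wire || RDATA).
func dsDigest(owner string, rdata []byte) []byte {
	h := sha256.Sum256(append(ownerWire(owner), rdata...))
	return h[:]
}

// Zone is a deliberately simplified signed zone: one KSK plus the signed DS records of its children.
type Zone struct {
	Name   string
	Parent *Zone
	key    *ecdsa.PrivateKey
	Rdata  []byte            // this zone's DNSKEY RDATA
	DS     map[string][]byte // child name -> DS digest
	DSSig  map[string][]byte // child name -> this zone's signature over that DS
}

// newZone generates a KSK and, when there is a parent, registers a signed DS with it.
func newZone(name string, parent *Zone) *Zone {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Parent: parent, key: key, Rdata: dnskeyRdata(&key.PublicKey),
		DS: map[string][]byte{}, DSSig: map[string][]byte{}}
	if parent != nil {
		ds := dsDigest(name, z.Rdata)
		h := sha256.Sum256(append(ownerWire(name), ds...))
		sig, err := ecdsa.SignASN1(rand.Reader, parent.key, h[:])
		if err != nil {
			panic(err)
		}
		parent.DS[name], parent.DSSig[name] = ds, sig
	}
	return z
}

// validate walks from z toward the root until it meets a configured trust anchor (name -> DS digest).
func validate(anchors map[string][]byte, z *Zone) error {
	digest := dsDigest(z.Name, z.Rdata)
	if anchor, ok := anchors[z.Name]; ok && bytes.Equal(anchor, digest) {
		return nil // trusted a priori; any other key must be vouched for by the parent
	}
	p := z.Parent
	if p == nil {
		return fmt.Errorf("%s: reached the root without meeting a trust anchor", z.Name)
	}
	if ds, ok := p.DS[z.Name]; !ok || !bytes.Equal(ds, digest) {
		return fmt.Errorf("%s: DNSKEY is not the one referenced by the DS in %s", z.Name, p.Name)
	}
	h := sha256.Sum256(append(ownerWire(z.Name), digest...))
	if !ecdsa.VerifyASN1(&p.key.PublicKey, h[:], p.DSSig[z.Name]) {
		return fmt.Errorf("%s: DS signature by %s is invalid", z.Name, p.Name)
	}
	return validate(anchors, p) // the DS is only as good as the parent key that signed it
}

// Scenario: constructed tree, island anchor for org versus a root anchor, plus a forged example.org key.
func Scenario() (islandExample, islandCom, rootedAll, forgedAccepted bool) {
	root := newZone(".", nil)
	org, com := newZone("org", root), newZone("com", root)
	example := newZone("example.org", org)
	island, rooted := map[string][]byte{"org": dsDigest("org", org.Rdata)}, map[string][]byte{".": dsDigest(".", root.Rdata)}
	islandExample, islandCom = validate(island, example) == nil, validate(island, com) == nil
	rootedAll = validate(rooted, example) == nil && validate(rooted, com) == nil
	forged := *example // an attacker-supplied DNSKEY: its digest matches no DS in org
	forged.Rdata = dnskeyRdata(&newZone("attacker", nil).key.PublicKey)
	forgedAccepted = validate(rooted, &forged) == nil
	return
}
```

With only the org anchor, example.org validates but com cannot: the walk reaches the root and finds nothing it is entitled to trust, so every signed TLD needed its own anchor shipped to every resolver. With the root anchor, one configured digest covers every signed path, and the substituted key for example.org is rejected because its digest does not match the DS its parent signed.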

Signing of the root zone has been delayed by political issues: which organization would be trusted to hold the root key, whether other nations would distrust it, whether it could be abused because of its U.S. origins, and so on.

Ironically, given the complexity of the crypto code needed to support this, we'll probably see more vulnerabilities in DNS server software, at least in the short term. As the history of OpenSSL and other crypto libraries demonstrates, crypto code is difficult to get right. Slapping crypto onto existing software initially makes it more exploitable, not less.

Posted in Infrastructure