DNS Gains Added Security with Root Servers Signed With DNSSEC
The deployment of DNS Security Extensions (DNSSEC), and internet security with it, took a major step forward this week when the root zone was digitally signed for the first time. This marks the deployment of DNSSEC at the top level of the DNS hierarchy and paves the way for further roll-out of DNSSEC among the top-level domains and DNS service providers.
The signing of the DNS root follows announcements by several TLDs that they have signed their own zones. These include .ORG and .EU (European Union) at the recent ICANN meeting in Brussels and .CH (Switzerland) earlier this year, among others.
The DNS Security Extensions, DNSSEC, extends standard domain name security to prove data came from an authoritative source and has not been modified, thwarting the so-called ‘man-in-the-middle attack’ and enabling the development of more secure internet applications and transaction processing, said the Internet Systems Consortium, which operates the largest of the 13 DNS root servers (F-root), in a statement. DNSSEC adds new resource records and message header bits which can be used to verify that the received DNS data matches the original data and has not been altered in transit.
Paul Vixie, President and CEO of ISC, stated, “We are very happy with today’s achievement! The signing of the root is the catalyst needed for further deployment of DNSSEC, particularly in the TLD registries.”
“ISC has been intimately involved with the development of DNSSEC for more than fourteen years and we have been unwavering advocates of DNSSEC deployment. We applaud the efforts of ICANN and the Department of Commerce in achieving this momentous milestone and encourage other DNS data providers to do the same.”
Original announcement available here.