Internet takes DNSSEC on board
Root servers get assigned security standard
By Maxwell Cooter | Techworld | Published: 09:00, 15 July 2010
The Internet is set to get a whole lot safer, the security standard DNSSEC is set to be assigned to the Internet's 13 root servers from later today.
It makes the end of a long trail; DNSSEC has been some years in its implementation yet has still failed to penetrate the wider market, despite the efforts of IETF, the Internet registries and the US government.
Naming registry ICANN has been working with Verisign and the US department of commerce for some time to make DNSSEC a more integrated part of the Internet infrastructure. ICANN's DNS director, Joe Abley, said that the rollout of DNSSEC to the root servers had been a long one. "We Started rolling it since January - it's a slow rollout,. We've taken 6 months to do this - it's not like in enterprises where you trial something and go live next week.
Related Articles on Techworld
According to Daniel Karrenberg, chief scientist with European regional Internet registry RIPE-NCC, the assignation of DNSSEC to the root servers is going to take away a considerable burden from ISPs as it will eliminate a big maintenance headache. "Once DNSEC is assigned to the root servers, there's no longer any need for ISPs to do any configuration, they'll be able to verify DNS right from the top," he said. With this technology, Internet users will be able type a website address and be confident that the website being displayed is coming from an authorised server. He warned that the average users wouldn't notice much difference "There'll be no padlocks suddenly appearing on browsers, or anything like that," he said but he added that life should now be easier for service providers and T departments.
Both Abley and Karrenberg warned that it might not be plain sailing. "Anytime you make a change to an established system, it's been well understood – there's an instilled knowledge how this will work, "said Abley. "With something new, you always get a risk - we're trying to manage that risk"
The DNSSEC move doesn't mean that the Internet is automatically secure said Kevin Hogan, director at Symantec Security Response. "It's a start and a very big start. However, any expectation that this milestone marks the date that the Internet suddenly becomes safe is exaggerated. To be effective, DNSSEC needs to be implemented down the whole DNS chain, from the root down to your ISP or company, so there are still many more milestones to be achieved before DNSSEC can achieve some of its promise, even if cyber criminals don't identify ways around the signed response safeguard," he said.