DNSSEC finally on the move

It looks like DNSSEC is being implemented at the root level world-wide. Some years after the first country-level signing (.se for Sweden), the K-, D- and E-root servers, operated by RIPE NCC, the University of Maryland and NASA respectively, started serving the signed root zone this past week. 7 of the 13 root servers now return signed DNS records.

The DNS Security Extensions, DNSSEC for short, are designed to improve the security of DNS. DNSSEC uses cryptographic signatures to authenticate the responses to DNS queries, which prevents attackers from forging responses by exploiting weaknesses in the DNS protocol, such as the cache-poisoning attack described by Dan Kaminsky. With DNSSEC, a response is accepted as authentic only if the signature on its records (the RRSIG) validates against the zone's published public key (its DNSKEY), which in turn is vouched for by a DS record in the parent zone, chaining up to a trusted key for the root; the private half of each key stays with the signer and is never sent. However, the signatures now served by the root cannot be validated during the introductory phase: the root is deliberately being published as an unvalidatable zone (the so-called DURZ) until the real root key is released. As a result, users are initially unlikely to notice the introduction of DNSSEC on K-root. The response packets carrying the signatures are significantly larger, but this does not present a problem as long as resolvers are implemented correctly, i.e. they advertise an adequate EDNS0 buffer size and fall back to TCP when an answer is truncated. For the time being, users will also still be able to reach one of the remaining 6 root servers that do not yet serve signatures. ICANN, VeriSign and the NTIA chose this gradual transition as a precautionary measure, so that problems can be found before the fully validatable signed root is published.
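As an added example (not part of the original post), the following script shows what a practitioner would actually look at in `dig +dnssec` output while watching this rollout: whether an answer carries RRSIG records (the server is handing out a signed zone), whether the `ad` flag is set (a validating resolver accepted the chain of trust, which no authoritative root server will ever set), and whether the larger signed response still fits in the EDNS0 UDP buffer the client advertised. The two dig outputs embedded below are constructed, not captured; server names, addresses, serials, key tags and the signature bytes are placeholders.

```python
"""Inspect `dig +dnssec` output for the DNSSEC signals discussed above.

The sample outputs are constructed for this example (placeholder names,
documentation-range addresses, made-up serial, key tag and signature).
"""
import re

# Constructed: an authoritative server answering `dig +dnssec SOA .`
# from a signed zone.  Note the DO bit in the OPT record and the RRSIG.
SAMPLE_SIGNED = """\
; <<>> DiG 9.7.0 <<>> +dnssec SOA . @signed.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010032400 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400 20100331000000 20100324000000 4242 . AbCdEfGhIjKl==

;; Query time: 30 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; MSG SIZE  rcvd: 322
"""

# Constructed: the same query against a server that does not serve
# signatures, sent without EDNS0 (so the classic 512-byte limit applies).
SAMPLE_UNSIGNED = """\
; <<>> DiG 9.7.0 <<>> SOA . @unsigned.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010032400 1800 900 604800 86400

;; Query time: 31 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; MSG SIZE  rcvd: 92
"""

# Constructed: what a validating recursive resolver would return for the
# signed answer once it can verify the chain of trust (note the `ad` flag).
SAMPLE_VALIDATED = SAMPLE_SIGNED.replace(";; flags: qr aa rd;", ";; flags: qr rd ra ad;")

HEADER_FLAGS = re.compile(r"^;; flags:\s*([^;]*);")
EDNS_LINE = re.compile(r"^; EDNS: version: \d+, flags:\s*([^;]*);\s*udp:\s*(\d+)")
MSG_SIZE = re.compile(r"^;; MSG SIZE\s+rcvd:\s*(\d+)")


def parse_dig(text):
    """Extract header flags, EDNS0 details, message size and record types."""
    report = {"flags": set(), "edns_flags": set(), "udp_bufsize": 512,
              "msg_size": None, "types": set(), "rrsig_covers": set()}
    for line in text.splitlines():
        m = HEADER_FLAGS.match(line)
        if m:
            report["flags"] = set(m.group(1).split())
            continue
        m = EDNS_LINE.match(line)
        if m:  # client advertised EDNS0; bufsize replaces the 512-byte default
            report["edns_flags"] = set(m.group(1).split())
            report["udp_bufsize"] = int(m.group(2))
            continue
        m = MSG_SIZE.match(line)
        if m:
            report["msg_size"] = int(m.group(1))
            continue
        if not line or line.startswith(";"):
            continue  # comments, section headers, question section
        fields = line.split()  # name ttl class type rdata...
        if len(fields) < 4:
            continue
        report["types"].add(fields[3])
        if fields[3] == "RRSIG" and len(fields) > 4:
            report["rrsig_covers"].add(fields[4])  # type covered by the signature
    return report


def dnssec_status(text):
    """'validated': a resolver verified the chain of trust (ad flag set).
    'signed': RRSIGs are present but nobody on this path checked them
    (always the case for an authoritative answer, and for the DURZ phase,
    whose signatures cannot be validated by design).
    'unsigned': no signatures at all."""
    r = parse_dig(text)
    if "ad" in r["flags"]:
        return "validated"
    if r["rrsig_covers"]:
        return "signed"
    return "unsigned"


def response_fits_udp(text):
    """True if the answer fits the advertised EDNS0 buffer, i.e. no
    truncation and no TCP retry needed for the larger signed response."""
    r = parse_dig(text)
    if r["msg_size"] is None:
        return None
    return r["msg_size"] <= r["udp_bufsize"]


def servers_serving_signatures(outputs):
    """Given {label: dig output}, return the labels whose answer carried RRSIGs."""
    return sorted(label for label, text in outputs.items()
                  if parse_dig(text)["rrsig_covers"])


if __name__ == "__main__":
    for name, sample in (("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED),
                         ("validated", SAMPLE_VALIDATED)):
        print(name, dnssec_status(sample), response_fits_udp(sample))
    print(servers_serving_signatures({"k": SAMPLE_SIGNED, "b": SAMPLE_UNSIGNED}))
```

Two caveats when using this against live servers: the `ad` flag only tells you that the resolver you asked did the validation, so it is meaningful only over a path you trust (a local validating resolver, or a query you validate yourself), and during the DURZ phase "signed" means the RRSIGs are present but are not expected to verify against any published key.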

Personally I think this has been a long time coming. I had an excellent 2-day training course on DNSSEC with BIND a year ago (courtesy of coza/Uniforum) and it’s good to see the hard work of many engineers coming to fruition. Considering the amount of negativity as recently as a year ago, especially from the commercial root server operators (read Verisign and co.), it’s great to see DNSSEC in action.