Techies bypass feds on DNS security
- 24 February, 2009 08:17
- Comments
Forty years ago, when the US government created the packet switching network that became the Internet, one of its goals was to create a robust network where traffic would be dynamically routed around blockages.
Now the Internet engineering community has developed a strategy to route around a different kind of blockage -- one that is political, rather than technical -- and one that has been caused by the U.S. government itself.
At issue is the deployment of security mechanisms for the Internet's Domain Name System, which matches domain names with corresponding IP addresses.
The Internet engineering community wants to deploy DNS Security Extensions (DNSSEC) to prevent hackers from hijacking Web traffic and redirecting it to bogus sites. DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer (and about which Dan Kaminsky spoke at last week's Black Hat event in Washington, DC). It's because of DNS threats like these that the US government is rolling out DNSSEC across its .gov domain.
Despite its efforts to deploy DNSSEC on .gov, the US government is delaying widespread DNSSEC deployment by failing to cryptographically sign the 13 "root" servers that operate at the pinnacle of the Internet's hierarchical DNS. The root servers make it possible for top-level domains including .gov, .com and .net to resolve DNS requests for names registered in these domains.
Last year, the US government sought comments from industry about how best to deploy DNSSEC on the root zone, but it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce to oversee Internet addressing issues.
Meanwhile, the Internet engineering community is forging ahead with an alternative approach to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by the Internet Corporation for Assigned Names and Numbers (ICANN) last week.
ICANN's Interim Trust Anchor Repository -- or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
- Work Life Web 2011
- NetScaler 2048-bit SSL performance advantage
- Business Process Management, Service-Oriented Architecture, and Web 2.0: Business Transformation or Train Wreck?
- Enterprise Buyers Guide for Application Development Software
- Case Study: Danske Bank Group improves efficiency and reduces time to market
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Telstra reports issue with BigPond email accounts
-
Samsung Galaxy S II Android phone
-
Computers for Seniors for Dummies, 2nd Edition
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Dummies® Dvd+book Bundle
-
Windows 7 for Seniors for Dummies®
-
MYOB Software for Dummies 6E Australian Edition
-
Microsoft Office
-
Office 2007 All-In-One Desk Reference for Dummies
-
Office 2007 for Dummies
-
Teach Yourself Visually Windows 7
Get exclusive access to Techworld news, reports & analysis. 
Comments
Post new comment