Techies bypass feds on DNS security

Authentication alternatives proliferate as US delays signing of Internet root zone

Forty years ago, when the US government created the packet switching network that became the Internet, one of its goals was to create a robust network where traffic would be dynamically routed around blockages.

Now the Internet engineering community has developed a strategy to route around a different kind of blockage -- one that is political, rather than technical -- and one that has been caused by the U.S. government itself.

At issue is the deployment of security mechanisms for the Internet's Domain Name System, which matches domain names with corresponding IP addresses.

The Internet engineering community wants to deploy DNS Security Extensions (DNSSEC) to prevent hackers from hijacking Web traffic and redirecting it to bogus sites. DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC is viewed as the best way to bolster the DNS  against vulnerabilities such as the Kaminsky bug discovered this summer (and about which Dan Kaminsky spoke at last week's Black Hat event in Washington, DC). It's because of DNS threats like these that the US government is rolling out DNSSEC across its .gov domain.

Despite its efforts to deploy DNSSEC on .gov, the US government is delaying widespread DNSSEC deployment by failing to cryptographically sign the 13 "root" servers that operate at the pinnacle of the Internet's hierarchical DNS. The root servers make it possible for top-level domains including .gov, .com and .net to resolve DNS requests for names registered in these domains.

Last year, the US government sought comments from industry about how best to deploy DNSSEC on the root zone, but it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce to oversee Internet addressing issues.

Meanwhile, the Internet engineering community is forging ahead with an alternative approach to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by the Internet Corporation for Assigned Names and Numbers (ICANN) last week.

ICANN's Interim Trust Anchor Repository -- or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed.

Join the newsletter!

Error: Please check your email address.

Tags DNS

More about ICANNInternet Corporation for Assigned Names and NumbersPinnaclePioneerVeriSign AustraliaVPN Consortium

Show Comments

Market Place

[]