ICANN, VeriSign, agencies collaborate on securing the Internet's root DNS

Under the joint effort, Verisign will manage and operate the Zone Signing Key, while ICANN will manage the Key Signing Key process.

The Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology will work in a joint effort to secure the Internet’s root domain name system (DNS).

Verisign, a private company, operates the “A” and “J” root DNS servers and manages the .com, .net and other DNS zones.  Under the joint effort, Verisign will manage and operate the Zone Signing Key, while ICANN will manage the Key Signing Key process.

According to Paul Twomey, ICANN’s president and chief exectuive officer, for three years ICANN has been “working towards a signed root” and has operated a “root zone signing test bed for more than two years.”

The joint effort will first test the use of the Domain Name System Security Extensions (DNSSEC) with the Internet’s root zones, followed by production deployment of an electronically signed root zone that would occur “as soon as is feasible”, according to Twomey.

The group intends to consult with DNS experts from the Internet community to develop a test program and plan for production deployment.  NTIA sought advice from the Internet community last year on security issues related to top level DNS.

DNS is a software process that translates an easy-to-remember domain name to the corresponding IP address that identifies the physical machine on which Internet Web site resides. The Internet’s DNS consists of 13 root servers that are distributed worldwide.  A Web surfer’s browser ultimately refers to the root servers to determine the “authoritative” name server that can resolve the domain name.

Security vulnerabilities in the Internet’s DNS have gained increasing visibility in recent years, particularly with the discovery of the Kaminsky bug in July 2008.  According to some experts, the Internet’s DNS is easier to exploit than many realize, where malicious parties are able to hijack DNS records such that unsuspecting web surfers are misdirected to fraudulent Web sites.

The DNSSEC is an enhancement to DNS that provides a means to authenticate the origin of DNS data and verify the integrity of DNS transactions.  With DNSSEC, DNS zones are cryptographically “signed” such that the both parties in a DNS transaction can trust the DNS data as authentic.

The federal government has mandated that its DNS servers and .gov zones be signed with DNSSEC by the end of 2009.

About the Authors

Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.


Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above