Internet security quietly reaches a milestone
Deploying DNS Security Extensions at the root zone is a critical step in securing the infrastructure
The deployment earlier this month of enhanced security protocols for the root zone of the Internet’s Domain Name System marks a significant milestone toward creating a more secure global information infrastructure.
The DNS root zone contains the records needed to resolve the domain names to IP addresses for routing Internet traffic and is operated by the Commerce Department’s National Telecommunications and Information Administration. Most DNS queries do not hit the root zone; they are resolved at lower levels in the hierarchical system where the data is replicated. But the use of DNS Security Extensions to digitally sign the 13 root zone servers and the publication on July 15 of a trust anchor with cryptographic keys to enable validation of the signatures is critical to making DNSSEC work throughout the Internet.
DNSSEC does not ensure the complete security and integrity of the Internet. But because the protocols are implemented at the very heart of the Internet, it is an important step in making the infrastructure inherently more secure. The Internet was not designed to be the global public utility it has become, and during the 40 years or so of its development, security has come in the form of add-on features. DNSSEC is being added on as well, but it is being added at the heart rather than bolted on to the outside.
For DNSSEC to be effective, both sides of a DNS exchange must be using the scheme, and we are a long way from that. Most servers still are not digitally signed, and most browsers are not set up to validate digital signatures. But deployment is expanding, with a number of top-level domains directly under the root zone being signed, such as .gov and .org. Subdomains under these TLDs now can be signed, and plans are in place for most other TLDs to become signed.
Deployment of DNSSEC in the root zone — which sits at the top of the DNS hierarchy — provides a way to bridge the isolated islands of trust that have been created by signing individual domains, making the scheme more practical and so encouraging wider adoption.
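To make the islands-of-trust point concrete, here is an added Python model of how a validating resolver walks the DNSSEC chain of trust (example code, not from the article or any DNS software). The zone names, key bytes and record data are constructed, and an HMAC stands in for the asymmetric RRSIG; the verdicts use the standard DNSSEC terms secure, insecure and bogus.

```python
import hashlib
import hmac

# Constructed DNS tree: zone -> (made-up DNSKEY bytes, parent zone). Not real key material.
ZONES = {".": (b"root-ksk", None), "org.": (b"org-key", "."), "gov.": (b"gov-key", ".")}

def ds_digest(zone, dnskey):
    """DS record: SHA-256 over owner name plus key, published by a signed parent for a signed child."""
    return hashlib.sha256(zone.encode() + dnskey).hexdigest()

def rrsig(dnskey, owner, rdata):
    """RRSIG stand-in: an HMAC under the zone key (model assumption; real RRSIGs are asymmetric)."""
    return hmac.new(dnskey, f"{owner} {rdata}".encode(), "sha256").hexdigest()

def chain_status(zone, presented_key, signed, anchors):
    """Walk up from `zone` until a configured trust anchor vouches for the key.
    secure: DS links reach an anchor; insecure: nothing above vouches (no anchor
    and an unsigned parent, so no DS exists); bogus: a digest mismatch."""
    digest = ds_digest(zone, presented_key)
    if zone in anchors:
        return "secure" if anchors[zone] == digest else "bogus"
    parent = ZONES[zone][1]
    if parent is None or parent not in signed:
        return "insecure"
    if digest != ds_digest(zone, ZONES[zone][0]):   # parent's DS does not match the key we were handed
        return "bogus"
    return chain_status(parent, ZONES[parent][0], signed, anchors)

def validate(owner, zone, rdata, sig, presented_key, signed, anchors):
    """Validator verdict for one record: insecure if the zone is unsigned,
    bogus if the signature fails, otherwise whatever the chain of trust says."""
    if zone not in signed:
        return "insecure"
    if not hmac.compare_digest(rrsig(presented_key, owner, rdata), sig):
        return "bogus"
    return chain_status(zone, presented_key, signed, anchors)

def verdicts(signed, anchors):
    """Resolve one record under .org and one under .gov for a given deployment state."""
    out = {}
    for owner, zone in (("www.example.org.", "org."), ("www.example.gov.", "gov.")):
        key = ZONES[zone][0]
        out[owner] = validate(owner, zone, "192.0.2.1", rrsig(key, owner, "192.0.2.1"), key, signed, anchors)
    return out

# Before July 15, 2010: root unsigned, so a validator needs a per-TLD anchor (an island of trust).
BEFORE = verdicts(signed={"org.", "gov."}, anchors={"org.": ds_digest("org.", b"org-key")})
# After: root signed and its trust anchor published; one anchor now covers every signed TLD.
AFTER = verdicts(signed={".", "org.", "gov."}, anchors={".": ds_digest(".", b"root-ksk")})
```

With only an .org anchor configured, the .gov record comes back insecure even though .gov is signed; once the root is signed and the root anchor is configured, both records validate as secure, and a substituted key or tampered signature yields bogus.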
Another effort under way that has the potential to improve security at the heart of the Internet is the adoption of IPv6, the next generation of the Internet Protocols. Like DNSSEC, IPv6 alone will not secure the Internet, but the new protocols have functionality not included in IPv4 currently in use that could improve security at a basic level.
We still are a long way from realizing these benefits, however. Although the core networking infrastructure of the Internet is largely capable of handling IPv6 traffic, the new protocols still are in very limited use. With the pool of available IPv4 addresses expected to be exhausted in the next six to 12 months, expect adoption of IPv6 to speed up in the near future. However, no one expects IPv4 to disappear any time soon.
The lack of practical experience with IPv6 traffic and the need to manage networks to accommodate packets using both protocols for decades to come means that security might actually get worse before it gets better, as IPv6 is adopted.
But these changes are the most significant to be made at the heart of the Internet in 20 years and are the first significant efforts to reengineer the infrastructure that has come to underpin so much of the nation's economy. The job of securing it will not be easy and probably will never be complete, but some progress is being made.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.