DNS root zone about to be signed with valid keys

From http://www.root-dnssec.org

“The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled to take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC.”

This evening will mark a milestone in Internet history. Signing the root has been discussed for over 10 years, and it means that DNS responses can finally be validated using DNSSEC by following a chain of trust all the way from the DNS root servers. This will simplify the configuration of DNS servers dramatically, as separate trust anchors will no longer be required.

Unfortunately, DNSSEC is still pretty complex to set up, although products like Infoblox can help with key management and automated rollover. It also still needs the TLDs (such as .com) to be signed, and it still needs the ISPs to configure their DNS servers to perform validation on behalf of their broadband customers. So while there are still a few hurdles to overcome, it is the start of something big. For the first time, companies such as banks, or anyone that takes credit card payments via the net, will be able to guarantee that the DNS response for their web site is valid. If someone tries to spoof an entry via a cache poisoning attack, it will not validate and will be dropped by the ISP’s DNS server, thus helping to protect the end user from malicious attacks.
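
The chain of trust works because each parent zone publishes a DS record, a digest of its child zone's key, so a resolver that holds only the root trust anchor can check every zone below it. The following Python code is an added example, not part of the original post: it walks that DS-to-DNSKEY chain and reports the first zone whose key does not match. The keys are constructed sample bytes, the zone names and helper names are assumptions, and RRSIG signature verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of an owner name; '.' is the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields a parent publishes: (key tag, algorithm, digest type 2, SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner, rdata, ds):
    """True if the DNSKEY a zone serves is the one the trusted DS vouches for."""
    return ds == make_ds(owner, rdata)

def first_broken_link(anchor_ds, chain):
    """chain: [(zone, DNSKEY RDATA served, DS the zone publishes for its child)].
    The root is checked against the configured trust anchor, every other zone
    against the DS from its parent. Returns the failing zone name, or None."""
    trusted_ds = anchor_ds
    for zone, rdata, child_ds in chain:
        if not ds_matches(zone, rdata, trusted_ds):
            return zone
        trusted_ds = child_ds
    return None

def sample_key(label):
    """Constructed key bytes, not real key material (algorithm 8 = RSA/SHA-256)."""
    return dnskey_rdata(257, 8, hashlib.sha256(label).digest() * 4)

ROOT, COM, EXAMPLE = sample_key(b"root"), sample_key(b"com"), sample_key(b"example")
ANCHOR = make_ds(".", ROOT)  # the single trust anchor a resolver configures
GOOD = [(".", ROOT, make_ds("com.", COM)),
        ("com.", COM, make_ds("example.com.", EXAMPLE)),
        ("example.com.", EXAMPLE, None)]
# Same chain, but the leaf zone's key has been swapped for one no parent vouches for.
SPOOFED = GOOD[:2] + [("example.com.", sample_key(b"substituted"), None)]
```

`first_broken_link(ANCHOR, GOOD)` returns `None`, while the `SPOOFED` chain fails at `example.com.`, which is the point at which a validating resolver discards the answer.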
