“The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled to take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC.”
This evening will mark a milestone in Internet history. It is something that has been discussed for over 10 years now, and it means that, finally, DNS responses can be validated using DNSSEC by following a chain of trust all the way from the DNS root servers. This will simplify the configuration of validating DNS servers dramatically, as separately configured trust anchors will no longer be required.
Unfortunately DNSSEC is still pretty complex to set up, although products like Infoblox can help with key management and automated key rollover. It also still needs the TLDs (such as .com) to be signed, and it still needs ISPs to configure their DNS servers to perform validation on behalf of their broadband customers. So while there are still a few hurdles to overcome, this is the start of something big. For the first time, companies such as banks, or anyone that takes credit card payments over the net, will be able to guarantee that the DNS responses for their web site are valid. If someone tries to spoof an entry via a cache poisoning attack, the forged response will not validate and will be dropped by the ISP's validating DNS server, helping to protect the end user from such attacks.
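As an added worked example (not part of the original post), the following Python script shows the link a validating resolver checks at each step of that chain of trust: the DS record published by the parent zone (ultimately the now-signed root) must match the child zone's DNSKEY. It implements the RFC 4034 key tag and DS digest calculations with only the standard library. The TLD name "example." and all key bytes are constructed placeholders, not real keys, and the RRSIG signature verification a full validator also performs is left out as a stated assumption, since it needs a crypto library.

```python
"""
Worked example (added; not from the original post): the DS-to-DNSKEY check
that a validating resolver performs at each delegation in the DNSSEC chain
of trust. Key tag per RFC 4034 Appendix B; DS digest per RFC 4034 s5.1.4
(SHA-256 variant per RFC 4509). Names and key bytes below are constructed.
"""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels,
    terminated by the root label. "." and "" both encode the root."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the parent publishes for a child's key: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Before trusting a child's DNSKEY, the DS from the already-validated parent
    must name this key (tag and algorithm) and its digest must match.
    A real validator then also verifies the RRSIG over the DNSKEY RRset with
    this key; that signature step is omitted here (assumption of this example)."""
    tag, alg, dtype, digest = ds
    if key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)


def demo() -> tuple:
    """Hypothetical TLD "example." delegated from the signed root.
    Returns (genuine key accepted, spoofed key accepted)."""
    # Constructed placeholder key material, NOT a real key (flags 257 = KSK, alg 8 = RSA/SHA-256).
    genuine_key = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    # The DS record the root zone would publish for "example." once both are signed.
    ds_from_root = make_ds("example.", genuine_key)
    # A poisoned cache entry can carry a forged DNSKEY, but it cannot hash to the parent's DS.
    spoofed_key = dnskey_rdata(257, 3, 8, bytes(range(64, 0, -1)))
    return (dnskey_matches_ds("example.", genuine_key, ds_from_root),
            dnskey_matches_ds("example.", spoofed_key, ds_from_root))


if __name__ == "__main__":
    genuine_ok, spoofed_ok = demo()
    print(f"genuine DNSKEY accepted: {genuine_ok}, spoofed DNSKEY accepted: {spoofed_ok}")
```

Running the script shows the genuine key accepted and the forged one rejected, which is the mechanism behind the post's claim that a spoofed entry "will not validate": the attacker controls what the resolver receives, but not the digest the signed parent zone has already committed to. The same check repeats at every delegation until it reaches the root trust anchor, which is why a signed root removes the need to configure separate anchors per zone.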