Techies bypass feds on DNS security
- 24 February, 2009 08:17
- Comments
Forty years ago, when the US government created the packet switching network that became the Internet, one of its goals was to create a robust network where traffic would be dynamically routed around blockages.
Now the Internet engineering community has developed a strategy to route around a different kind of blockage -- one that is political, rather than technical -- and one that has been caused by the U.S. government itself.
At issue is the deployment of security mechanisms for the Internet's Domain Name System, which matches domain names with corresponding IP addresses.
The Internet engineering community wants to deploy DNS Security Extensions (DNSSEC) to prevent hackers from hijacking Web traffic and redirecting it to bogus sites. DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer (and about which Dan Kaminsky spoke at last week's Black Hat event in Washington, DC). It's because of DNS threats like these that the US government is rolling out DNSSEC across its .gov domain.
Despite its efforts to deploy DNSSEC on .gov, the US government is delaying widespread DNSSEC deployment by failing to cryptographically sign the 13 "root" servers that operate at the pinnacle of the Internet's hierarchical DNS. The root servers make it possible for top-level domains including .gov, .com and .net to resolve DNS requests for names registered in these domains.
Last year, the US government sought comments from industry about how best to deploy DNSSEC on the root zone, but it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce to oversee Internet addressing issues.
Meanwhile, the Internet engineering community is forging ahead with an alternative approach to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by the Internet Corporation for Assigned Names and Numbers (ICANN) last week.
ICANN's Interim Trust Anchor Repository -- or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed.
- Bookmark this page
- Share this article
- Got more on this story? Email Computerworld
- Follow Computerworld on twitter
- 13 Essential Steps to Integrating Control Frameworks
- Selecting an Application Lifecycle Management Vendor: An Ovum Report
- FIBRE CHANNEL SOLUTIONS GUIDE - state of the fibre channel industry
- Enterprise Buyers Guide for Application Development Software
- A Technical Overview of the Oracle Exadata Database Machine and Exadata Storage Server
- iPhone 5 rumour rollup for the week ending February 10
- 3D mapping revives underwater city
- Academic challenges Turnbull over NBN satellite criticism
- What are you saying: Telstra’s customer service slowly improving, SA minister urging Facebook to overturn its photo ban
- In pictures: Capgemini opens new Canberra office
-
Windows Event Viewer phishing scam remains active
-
NeuroSky MindWave: Fun with Brainwaves
-
20 popular Ubuntu Linux apps you may want to try
-
Nokia N9: Why you shouldn't buy this device
-
Microsoft at a loss over Event Viewer scam
-
Office 2007 for Dummies
-
Computers for Seniors for Dummies, 2nd Edition
-
Microsoft Office
-
Windows 7 for Dummies®
-
Windows 7 for Dummies® Dvd+book Bundle
-
Office 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Seniors for Dummies®
-
Teach Yourself Visually Windows 7
-
Excel 2007 All-In-One Desk Reference for Dummies
Comments
Post new comment