Updated: ICANN, Verisign place last puzzle pieces in DNSSEC saga

DNSSEC well on the way, but major domain names are still lagging behind

The industry bodies responsible for the root servers that underpin the Internet have claimed success in implementing its DNS Security Extensions (DNSSEC) to the last clusters. The deployment is the final step before implementing the security required to prevent DNS cache poisoning attacks on Internet addresses.

Six deployments in total were made to the Internet's 13 root server clusters, beginning 27 January this year, with the final root server dubbed "J-Root" receiving the fix between 5pm and 7pm UTC on 5 May (3am-5am AEST on 6 May). The fix enables the cluster to begin serving a Deliberately Unvalidatable Root Zone (DURZ), which would eventually enable the ability to serve signed addresses.

The industry bodies involved, ICANN and Verisign, expect to distribute signed keys through the servers on 1 July.

According to a post on the Root DNSSEC website, "no harmful effects have been identified" following the transition.

The move toward extra security for DNS root servers comes two years after renowned security expert, Dan Kaminsky, exposed flaws in the DNS system, allowing would-be hackers to divert top-level domains to another IP address instead of the intended one. While network engineers rushed to patch their servers against the expert's proof-of-concept Kaminsky bug in the year following its exposure, the short-term patch did not fully resolve the issue around DNS cache poisoning.

The security flaw potentially allows hackers to redirect browsers to another IP address when a domain name is entered, as well as possibly subverting email as well, according to some security professionals.

A DNS Working Group meeting to be held in Prague this week will be used to make and discuss any initial observations and potential problems surrounding the transition.

Despite some media warning of potential melt-downs surrounding the DNSSEC deployment, outspoken Internode network engineer, Mark Newtown, said that any problems would most likely be due to ageing firewalls and modems.

"Please understand that it’s possible that any problems you experience may be caused by deficiencies in your own equipment," he said in an entry on Internode's blog. "Although it’s very unlikely, it remains possible that you’ll need to purchase a new firewall or a new ADSL modem after May 5th if your current equipment is old enough to have problems which haven’t been fixed by the vendor because they’re no longer offering support for your product.

"The overwhelming majority of our customers won’t notice anything on May 5th, but the difference behind the scenes will be considerable. DNSSEC is undergoing a phased rollout and it won’t be ready for full use for a couple of years, but when the work is complete the security of the Internet infrastructure will be vastly improved."

Major Australian ISPs have all announced compatibility with DNSSEC certification, which sees an increase in the size of individual packets in network traffic from 512 bytes to 2 kilobytes. These packets are transmitted over the TCP protocol rather than the UDP transport layer.

However, many top-level domains are yet to commit to DNSSEC signatures. Global top-level domains like .org and .edu are expected to comply by June, with .net in December. Verisign has said it will ensure the most popular domain, .com, is signed under DNSSEC regulations by March next year.

The chief executive officer of the organisation responsible for top-level Australian domans, auDA's Chris Disspain, told Computerworld Australia that secured Australian domains were on their way.

"We are currently working on a plan to rigorously test DNSSEC in the .au and second level environment," he said. "We anticipate commencing that testing in the later part of this year."

The auDA is still considering signing second-level domains such as gov.au, but Disspain said securing the DNS against cache poisoning tactics like the Kaminsky bug was ultimately up to the registrars which offer the domain names.

"Merely signing .au and the second levels really helps no-one unless registrars offer DNSSEC domain names and the application is embraced by registrants. So both registrars and registrants will need to do work if our signing of .au and second levels is going to be meaningful.

"Software manufacturers will also need to do some work."

ISP Australia Online provides a quick DNSSEC test, enabling users to determine whether local equipment may have been affected.

Join the newsletter!

Error: Please check your email address.

Tags NetworkingICANNinternodeDNSSECVeriSignISPs

More about auDAetworkICANNInternodeNNSECVeriSign Australia

Show Comments