Home / Blogs

July 2010: The End of the Beginning for DNSSEC

Ram Mohan

July 15, 2010 (yesterday) marked the end of the beginning for DNSSEC, as the DNS root was cryptographically signed. For nearly two decades, security researchers, academics and Internet leaders have worked to develop and deploy Domain Name System Security Extensions (DNSSEC). DNSSEC was developed to improve the overall security of the DNS, a need which was dramatized by the discovery of the Kaminsky bug a few years ago.

If researchers have been working on this for years, one might ask: why is this only the "end of the beginning?" The answer is, of course, that "overnight changes" usually occur only after a decade or more of hard work. Until recently, DNSSEC was often criticized as a solution in search of a problem. However, the now famous "Kaminsky bug," a cache poisoning exploit that DNSSEC fixes, changed all that in a hurry.

DNSSEC deployment first became real when .SE (Sweden) announced in 2007 that it had signed its zone. Another DNSSEC leader, .ORG, managed by the Public Interest Registry, opened its DNSSEC testbed in the same year. Soon thereafter, the number of countries and other operators deploying DNSSEC in their infrastructure started to swell.

Yesterday, ICANN, VeriSign and the NTIA, after months of careful work, completed the signing of the Root zone, fully enabling DNSSEC queries to be validateable down the "chain of trust." For the first time ever, it became possible to have a DNS query for a signed zone completely validated from an end-user's computer all the way to the root of the DNS.

The seal of trust that DNSSEC now delivers at the root level of the Domain Name System is a testament to an idea whose time has come — an idea chaperoned by scores of engineers, technicians and policy makers, and executed by operators of networks and names. As DNSSEC deployment enters its next phase, let us take a moment to salute the work done by all those who have come before us, and all those who are in this with us.

July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies. We are now in the era of DNS 2.0.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

Sponsored Topics