Home / Blogs

July 2010: The End of the Beginning for DNSSEC

Ram Mohan

July 15, 2010 (yesterday) marked the end of the beginning for DNSSEC, as the DNS root was cryptographically signed. For nearly two decades, security researchers, academics and Internet leaders have worked to develop and deploy Domain Name System Security Extensions (DNSSEC). DNSSEC was developed to improve the overall security of the DNS, a need which was dramatized by the discovery of the Kaminsky bug a few years ago.

If researchers have been working on this for years, one might ask: why is this only the "end of the beginning?" The answer is, of course, that "overnight changes" usually occur only after a decade or more of hard work. Until recently, DNSSEC was often criticized as a solution in search of a problem. However, the now famous "Kaminsky bug," a cache poisoning exploit that DNSSEC fixes, changed all that in a hurry.

DNSSEC deployment first became real when .SE (Sweden) announced in 2007 that it had signed its zone. Another DNSSEC leader, .ORG, managed by the Public Interest Registry, opened its DNSSEC testbed in the same year. Soon thereafter, the number of countries and other operators deploying DNSSEC in their infrastructure started to swell.

Yesterday, ICANN, VeriSign and the NTIA, after months of careful work, completed the signing of the Root zone, fully enabling DNSSEC queries to be validateable down the "chain of trust." For the first time ever, it became possible to have a DNS query for a signed zone completely validated from an end-user's computer all the way to the root of the DNS.

The seal of trust that DNSSEC now delivers at the root level of the Domain Name System is a testament to an idea whose time has come — an idea chaperoned by scores of engineers, technicians and policy makers, and executed by operators of networks and names. As DNSSEC deployment enters its next phase, let us take a moment to salute the work done by all those who have come before us, and all those who are in this with us.

July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies. We are now in the era of DNS 2.0.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Sponsored Topics

dotMobi

Mobile

Sponsored by
dotMobi
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Verisign

Security

Sponsored by
Verisign
Afilias

DNS Security

Sponsored by
Afilias