On the Pressing Need for a Signed Root


Attacks on the security of the Internet have been much in the news lately, and there is an increased urgency to take the technical steps to combat these attacks. .ORG has been doing its part to lead this process by taking introductory steps to implement DNSSEC (Domain Name System Security Extensions). Using DNSSEC, domain name holders can protect the integrity of data in the Domain Name System by digitally signing their domains. In order to make DNSSEC effective, there is one additional step that is needed — "signing the root". If a digital signature is applied to the root of the Domain Name System, end-to-end assurance of the data is possible. Without a signature on the root, it is impossible to assure the validity of any of the other signatures in the system.

.ORG believes that the time has come to separate the technical matter of signing the root from the unrelated political row over who controls the content of the root, and the nature of the Department of Commerce's oversight of ICANN. There are serious threats to the security and stability of the Internet that DNSSEC will assist in addressing. The near unanimous opinions of the best technical minds are that first we sign the root, and then we take care of the political arguments.

.ORG supports the technical community on this critically important issue. We understand that IANA (the authoritative body that manages changes in the root zone file) has in fact been signing the root every morning for the past year, as a demonstration of technical feasibility, and as an aid to DNSSEC implementers. However, they've been prevented by NTIA from distributing the signed version. Since IANA has the capability, we strongly believe they should be allowed to proceed.

Written by David Maher, Senior Vice President, Law & Policy

Related topics: Cybersecurity, DNS, DNS Security, ICANN, Registry Services, New TLDs