Next Generation Networks: March 30, 2010 eNewsletter
March 30, 2010

CET to Provide DNS Zone with DNSSEC Security Protocol

By David Sims, TMCnet Contributing Editor

CET, the K DNS root server operated by the European RIPE Internet registry, will provide a DNS zone signed with the DNSSEC security protocol, The H Security is reporting:




“This means that seven of the 13 central root servers which constitute the Domain Name System responsible for domain name resolution on the Internet will then return signed responses.”

At the 77th meeting of the Internet Engineering Task Force in Los Angeles this week, the Internet Corporation for Assigned Names and Numbers, VeriSign and the American National Telecommunications and Information Administration reported that “so far the transition has been smooth.”

In December 2008 TMC had the news of the DNSSEC Industry Coalition, formed as “a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions and streamline the implementations across Domain Name Registries.”

Members “work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System,” the December news ran.

The DNS Security Extensions protocol, as H Security explains, is designed to provide improved DNS security. DNSSEC “uses cryptographic signatures to authenticate the responses to DNS queries, which will prevent attackers from forging responses via security holes in the DNS protocol,” such as cache poisoning:

“With this protocol, responses to DNS queries are only accepted as authentic if a public key can be matched with a private key. However, signatures can't be validated during the introductory phase. As a result, initially it will be unlikely that users notice the introduction of DNSSEC on the RIPE root server.”

H Security went on to explain that while the response packets containing the signatures will be significantly larger, experts say that this doesn't present a problem if the respective resolvers are implemented correctly.

If everything goes to plan, the public key is to be deployed from the 1st of July. From then on, validation will be possible. Encountering key matching difficulties could then mean that the internet becomes fully or partially inaccessible.


David Sims is a contributing editor for TMCnet.

Edited by Michael Dinan

(source: http://dns.tmcnet.com/topics/dns/articles/80235-cet-provide-dns-zone-with-dnssec-security-protocol.htm)







