Apr 1, 2011 16:37 GMT

The security of the overall Internet infrastructure passed a major milestone on Thursday, when the zone for the .com TLD was signed with DNSSEC, a set of extensions that add cryptographic authentication to the DNS.

The race to implement the DNS Security Extensions, commonly referred to as DNSSEC, began in 2008 after noted security researcher Dan Kaminsky disclosed a wide-impact attack method known as DNS cache poisoning.

The Domain Name System (DNS) is a critical part of the Internet and is responsible for converting host names into IP addresses and vice versa.

Kaminsky's attack was able to trick DNS servers into believing that particular host names corresponded to IP addresses under the attacker's control, thereby potentially directing large numbers of users to rogue websites.

DNS vendors responded to the attack with various patches, but DNSSEC is seen as the long-term solution to the problem, because it uses public-key cryptography to sign records so that resolvers can validate the responses they receive.

DNSSEC deployment is not easy and must be done in stages, because each zone's key is vouched for by the zone above it. First, the Internet's DNS root zone, which is kept in sync across 13 servers around the world, had to be signed.

Then the zone of each TLD had to be signed individually. As of now, more than 50 TLDs are ready for DNSSEC, including .gov, .org, .net and .edu.

However, the signing of the most popular general-purpose TLD, .com, by its registry operator VeriSign is probably the most important milestone in DNSSEC deployment so far.

For the improved system to start having an impact on users, ISPs need to enable DNSSEC validation in their resolvers, and .com's new support for DNSSEC should serve as a good incentive for that.
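The staged deployment described above (root first, then each TLD, then individual domains) and the resolver-side validation that ISPs must enable are two halves of one chain of trust. The following is an added example, not code from the article, from VeriSign or from any DNSSEC implementation: it models the chain root -> com -> example.com and a validating resolver that walks it. Everything in it is constructed: the keys are textbook RSA over small Mersenne primes with a truncated digest, the zone, owner and IP values are illustrative, and real DNSSEC details (KSK/ZSK split, wire formats, NSEC, algorithm and key-tag fields) are left out, so it shows the shape of the protocol rather than a usable implementation.

```python
"""Toy model of the DNSSEC chain of trust (root -> com -> example.com).

Added example; not code from the article or from VeriSign. Keys, names and
addresses are constructed, and the RSA is textbook and insecure (demo only).
"""
import hashlib
from dataclasses import dataclass, field

E = 65537  # public exponent


def toy_keypair(p: int, q: int):
    """Textbook RSA from two known primes (constructed, insecure; demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)


def _digest_int(data: bytes) -> int:
    # Toy: keep only the leading 64 bits of SHA-256 so it fits the tiny moduli.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(privkey, data: bytes) -> int:
    n, d = privkey
    return pow(_digest_int(data), d, n)


def verify(pubkey, data: bytes, sig: int) -> bool:
    n, e = pubkey
    return pow(sig, e, n) == _digest_int(data)


def dnskey_rdata(pubkey) -> bytes:
    n, e = pubkey
    return f"{n}:{e}".encode()


def ds_digest(owner: str, pubkey) -> str:
    """DS record: hash of the child's DNSKEY, published in the PARENT zone."""
    return hashlib.sha256(owner.encode() + dnskey_rdata(pubkey)).hexdigest()


def canonical(owner: str, rtype: str, rdata: bytes) -> bytes:
    return f"{owner} {rtype} ".encode() + rdata


@dataclass
class Zone:
    name: str
    pubkey: tuple
    privkey: tuple
    records: dict = field(default_factory=dict)  # (owner, type) -> rdata bytes
    rrsigs: dict = field(default_factory=dict)   # (owner, type) -> signature

    def publish(self, owner: str, rtype: str, rdata: bytes) -> None:
        self.records[(owner, rtype)] = rdata

    def sign_zone(self) -> None:
        """The zone operator signs every record with the zone key (RRSIG)."""
        self.publish(self.name, "DNSKEY", dnskey_rdata(self.pubkey))
        for (owner, rtype), rdata in self.records.items():
            self.rrsigs[(owner, rtype)] = sign(self.privkey, canonical(owner, rtype, rdata))

    def signed_ok(self, owner: str, rtype: str) -> bool:
        rdata, sig = self.records.get((owner, rtype)), self.rrsigs.get((owner, rtype))
        return rdata is not None and sig is not None and verify(self.pubkey, canonical(owner, rtype, rdata), sig)


def delegate(parent: Zone, child: Zone) -> None:
    """A signed parent can vouch for the child's key by publishing a DS record."""
    parent.publish(child.name, "DS", ds_digest(child.name, child.pubkey).encode())


def validate(chain: list, trust_anchor_ds: str, owner: str, rtype: str):
    """Validating resolver: walk root -> TLD -> zone and check every link.
    Returns (True, rdata) on success or (False, reason) at the first broken link."""
    expected_ds = trust_anchor_ds
    for i, zone in enumerate(chain):
        if ds_digest(zone.name, zone.pubkey) != expected_ds:
            return False, f"DNSKEY of {zone.name} not matched by its DS/trust anchor"
        if not zone.signed_ok(zone.name, "DNSKEY"):
            return False, f"bad RRSIG over DNSKEY of {zone.name}"
        if i + 1 < len(chain):
            child = chain[i + 1].name
            if not zone.signed_ok(child, "DS"):
                return False, f"bad RRSIG over DS for {child} in {zone.name}"
            expected_ds = zone.records[(child, "DS")].decode()
    leaf = chain[-1]
    if not leaf.signed_ok(owner, rtype):
        return False, f"bad or missing RRSIG over {owner} {rtype}"
    return True, leaf.records[(owner, rtype)].decode()


def build_chain():
    """Constructed root, com and example.com zones; keys from Mersenne primes."""
    root = Zone(".", *toy_keypair(2**61 - 1, 2**89 - 1))
    com = Zone("com.", *toy_keypair(2**107 - 1, 2**31 - 1))
    example = Zone("example.com.", *toy_keypair(2**127 - 1, 2**19 - 1))
    example.publish("www.example.com.", "A", b"192.0.2.10")  # documentation address
    delegate(root, com)      # stage 1: signed root vouches for the .com key
    delegate(com, example)   # stage 2: signed .com can vouch for example.com
    for z in (example, com, root):
        z.sign_zone()
    trust_anchor = ds_digest(root.name, root.pubkey)  # configured in the resolver
    return [root, com, example], trust_anchor


def demo():
    chain, anchor = build_chain()
    ok, answer = validate(chain, anchor, "www.example.com.", "A")
    # A forged answer of the cache-poisoning kind: the A record is swapped, but
    # no valid RRSIG exists for it, so a validating resolver rejects it.
    chain[-1].records[("www.example.com.", "A")] = b"203.0.113.66"
    forged_ok, reason = validate(chain, anchor, "www.example.com.", "A")
    return ok, answer, forged_ok, reason


if __name__ == "__main__":
    print(demo())
```

The point of the stages becomes visible in `validate`: the resolver trusts only the root's configured anchor, and every other key is accepted solely because the zone above it published and signed a matching DS record. Until .com was signed, that loop could not be completed for any .com domain, which is why a resolver with validation enabled gains little from signing example.com alone.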

"By reaching this critical milestone in DNSSEC deployment, Verisign and the Internet community have made enormous strides in protecting the integrity of DNS data," said VeriSign's senior vice president and general manager of Naming Services, Pat Kane.