[Owasp-Malaysia] DNS security reaches 'key' milestone

Mohd Fazli Azran mfazliazran at gmail.com
Thu Jun 17 12:02:29 EDT 2010


FYI,

The dream of bolting security onto the Internet's Domain Name System takes
one step closer to reality Wednesday as Internet policymakers host a
ceremony in northern Virginia to generate and store the first cryptographic
key that will be used to secure the Internet's root zone. This key ceremony
is one of the final steps in the deployment of DNS Security Extensions
(DNSSEC) on the Internet's root zone. DNSSEC is an emerging Internet
standard that prevents spoofing attacks by allowing Web sites to verify
their domain names and corresponding IP addresses using digital signatures
and public-key encryption.

"The key ceremony will generate the master root key, the key that signs all
the other keys," explains Ken Silva, CTO of VeriSign, which operates two of
the Internet's 13 root servers <http://en.wikipedia.org/wiki/Root_nameserver>
along with the back-end systems that power the .com and .net top-level
domains. "This is being done a month before the actual roll-out of DNSSEC so
that we have a valid key and that we can test with it."

DNSSEC is being deployed across the Internet infrastructure, from the root
servers at the top of the DNS hierarchy to the servers that run .com and
.net and other top-level domains, and then down to the servers that cache
content for individual Web sites. Once it is widely deployed, DNSSEC will
prevent cache poisoning attacks, where traffic is redirected from a
legitimate Web site to a fake one without the Web site operator or user
knowing. Cache poisoning attacks are the result of a serious flaw in the DNS
that was disclosed by security researcher Dan Kaminsky in 2008.
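The chain of trust the article sketches (root key signs the keys below it, down to the records of an individual site) is easy to lose in the prose. The following is an added example, not part of the forwarded article or of any DNSSEC implementation: a toy validating resolver in Python. Textbook RSA over small fixed primes stands in for the real DNSSEC signature algorithms and key sizes, and the zone names, keys and addresses are all constructed for the example. It walks a chain from a configured trust anchor (the root public key) through DS records to a site's A record, and shows that a poisoned answer fails validation whether the forger substitutes their own key or just alters the record data.

```python
"""Toy DNSSEC chain of trust: root key -> DS -> TLD key -> DS -> site record."""
import hashlib
import math

# Constructed key material: pairs of known primes, one pair per toy key.
# Textbook RSA here is a stand-in for real DNSSEC algorithms, not production code.
_PRIME_PAIRS = [
    (1000000007, 1000000009),
    (998244353, 1000000021),
    (1000000033, 2147483647),
    (1000000087, 4294967291),
]


def _digest(data):
    # 56-bit truncation keeps the value below every toy modulus above.
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:7], "big")


class KeyPair:
    """Toy RSA key; public() is the text a DNSKEY record would carry."""

    def __init__(self, index):
        p, q = _PRIME_PAIRS[index]
        self.n, phi = p * q, (p - 1) * (q - 1)
        self.e = next(c for c in (65537, 257, 17, 5, 3, 7, 11, 13) if math.gcd(c, phi) == 1)
        self.d = pow(self.e, -1, phi)

    def public(self):
        return f"{self.n}:{self.e}"

    def sign(self, data):
        return pow(_digest(data), self.d, self.n)


def verify(public, data, sig):
    n, e = map(int, public.split(":"))
    return pow(sig, e, n) == _digest(data)


def ds_of(public):
    """A DS record is a hash of the child zone's public key, published by the parent."""
    return hashlib.sha256(public.encode()).hexdigest()


def canon(owner, rtype, rdata):
    return f"{owner} {rtype} {rdata}"


class Zone:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.rrsets = {}  # (owner, rtype) -> (rdata, signature made with this zone's key)

    def publish(self, owner, rtype, rdata):
        self.rrsets[(owner, rtype)] = (rdata, self.key.sign(canon(owner, rtype, rdata)))

    def delegate(self, child):
        # The parent signs a DS record for the child: one link in the chain.
        self.publish(child.name, "DS", ds_of(child.key.public()))


def resolve_validated(zones, chain, owner, rtype, trust_anchor):
    """Return rdata only if every link from the trust anchor to the record verifies."""
    trusted = trust_anchor
    for parent_name, child_name in zip(chain, chain[1:]):
        ds = zones[parent_name].rrsets.get((child_name, "DS"))
        if ds is None or not verify(trusted, canon(child_name, "DS", ds[0]), ds[1]):
            return None  # DS missing or not signed by the key already trusted
        child_public = zones[child_name].key.public()
        if ds_of(child_public) != ds[0]:
            return None  # child's key is not the one the parent vouched for
        trusted = child_public
    rr = zones[chain[-1]].rrsets.get((owner, rtype))
    if rr is None or not verify(trusted, canon(owner, rtype, rr[0]), rr[1]):
        return None  # record missing or its signature does not verify
    return rr[0]


CHAIN = [".", "com", "example.com"]  # constructed delegation path


def build_zones():
    root, com, site = Zone(".", KeyPair(0)), Zone("com", KeyPair(1)), Zone("example.com", KeyPair(2))
    site.publish("www.example.com", "A", "192.0.2.10")  # constructed address
    com.delegate(site)
    root.delegate(com)
    return {z.name: z for z in (root, com, site)}, root.key.public()


def demo():
    """Genuine answer validates; two poisoning-style substitutions do not."""
    zones, anchor = build_zones()
    genuine = resolve_validated(zones, CHAIN, "www.example.com", "A", anchor)
    # Substituted zone signed with a key the parent never vouched for.
    rogue = Zone("example.com", KeyPair(3))
    rogue.publish("www.example.com", "A", "203.0.113.66")
    swapped = resolve_validated({**zones, "example.com": rogue}, CHAIN, "www.example.com", "A", anchor)
    # Real zone key, but the record data altered without a matching signature.
    altered_zone = Zone("example.com", zones["example.com"].key)
    _, real_sig = zones["example.com"].rrsets[("www.example.com", "A")]
    altered_zone.rrsets[("www.example.com", "A")] = ("203.0.113.66", real_sig)
    altered = resolve_validated({**zones, "example.com": altered_zone}, CHAIN, "www.example.com", "A", anchor)
    return genuine, swapped, altered


if __name__ == "__main__":
    print(demo())  # ('192.0.2.10', None, None)
```

The point to take from the model is that the resolver never has to trust the cache or the answering server: it trusts exactly one configured key (the root key the article's ceremony generates), and every other key is accepted only because the zone above it signed a DS record naming it. A real validator additionally checks signature validity periods, algorithm support and authenticated denial of existence, none of which the toy models.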

Today's key ceremony is being hosted by the Internet Corporation for
Assigned Names and Numbers
(ICANN <http://www.icann.org/en/announcements/announcement-2-07jun10-en.htm>)
in a secure data center in Culpeper, Va., outside of Washington, D.C. A
similar key ceremony will take place in Los Angeles in early July. The key
ceremony will demonstrate the set of procedures that the Internet
engineering community has created to generate and store keys for the root
zone in a secure way. Attendees will include ICANN staff and DNS experts
from around the world. The key generation and storage process will be
audited.

"People from all over the world will be part of the process of creating the
key for the top level of the DNS," explains Steve Crocker
<http://en.wikipedia.org/wiki/Steve_Crocker>, an Internet security expert
and CEO of Shinkuro. "They will witness and be able to report that the
proper procedure was carried fairly and scrupulously." The two key
ceremonies are among the last steps before production-scale deployment of
DNSSEC on the root zone, which is scheduled for July 15.

Kaminsky bug drives DNSSEC

DNSSEC has gained a groundswell of support since the Kaminsky bug was
discovered in 2008. A handful of countries, including Sweden, the Czech
Republic, Puerto Rico, Bulgaria and Brazil, already support DNSSEC on their
country-code domains, as does the .org domain for non-profit organizations.
The U.S. federal government is in the midst of deploying DNSSEC on the .gov
domain. Next up are .edu, which will be cryptographically signed in July,
followed by .net in November and .com in March 2011, VeriSign said. Once the
root zone is signed, top-level domains that support DNSSEC can offer
end-to-end security to their Web site operators. "We expect a flurry of
activity as people in Sweden, Brazil and other countries deploy DNSSEC,"
Silva says. He adds that as much as 50% of DNS queries can support the
DNSSEC standard due to default settings on popular DNS software. So far,
Internet security experts have seen no technical roadblocks to the
deployment of DNSSEC from the root servers on down. "It's been pretty
smooth," Crocker says of the DNSSEC roll-out on the root servers. "I haven't
heard of any issues" that would delay deployment of DNSSEC on .com or .net.

Regards,

Mohd Fazli Azran