
DNS Security Extensions will be completely deployed for the .com



By the end of the month, DNS Security Extensions, or DNSSEC, will be completely deployed for the ".com" zone, adding an additional layer of security to the popular Web zone.

According to Matt Larson, vice president of DNS research at VeriSign, the key material used to validate the signed DNS entries will be unobscured on March 31, and the DS record will be added to the root zone.

Put a bit more simply, DNSSEC adds security to the Domain Name System, the underpinnings of the Internet. DNS entries translate Web addresses such as "www.pcmag.com" into the actual registered IP address used by the site. DNSSEC works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone.


DNSSEC is designed to block DNS cache poisoning, or attacks on DNS servers that could route requests for a particular Web site to any site the attacker wanted the Web client to view - routing "www.pcmag.com," for example, to a site serving spam, malware, or pornography.

In 1998, for example, US-CERT (Computer Emergency Readiness Team) issued an advisory regarding a basic flaw in the DNS standard that could lead to cache poisoning.

This flaw would have allowed attackers to redirect Internet requests to wherever they wished, including sites that engaged in phishing or malware distribution. However, it wasn't easy - the flaw required exploiting an undisclosed combination of vulnerabilities such as insufficient transaction ID space, multiple outstanding requests, and a fixed source port. It also required that the attacker effectively spoof traffic.

DNSSEC merely authenticates Web traffic; it does not encrypt it. It ensures data integrity and authenticates denial of existence, and it theoretically would allow DNSSEC-signed certificates to be distributed via email, allowing it to be used as a public key infrastructure. DNSSEC adds security to DNS; a tangentially related initiative would add reputation to DNS data.

So far, the .net and .org zones have been digitally signed, and the process culminated on Dec. 9, 2010, with the publication of the .net DS record in the root zone, Larson said in an email.

"The .com zone is actually signed now, and the signed version is being served at all the .com authoritative servers, but the public key material is intentionally obscured to make the zone unusable for DNSSEC validation," Larson said. "This is an incremental deployment technique developed by Verisign and ICANN engineers as part of the project that deployed DNSSEC in the root zone. By using a 'deliberately unvalidatable zone,' Verisign can roll out the signed .com zone slowly and conservatively and watch for any unusual traffic patterns. The obscured key material keeps anyone from performing DNSSEC validation against the zone and starting to depend on it before its intended date of going fully live.

"At the end of this month, we'll unobscure the key material and on March 31, 2011, the DS record for .com will be added to the root zone, which will complete the deployment," Larson added.


The process should be relatively seamless for end users. The additional DNSSEC traffic will push DNS responses over 512 bytes up to 4096 bytes, which may only affect appliances and devices in the wild that are configured to only accept packets smaller than 512 bytes, the ISC's Peter Losher noted last year. In some cases the clients may try a smaller buffer size until they can get the response through; otherwise, clients would then just fall back to TCP.
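
How a client advertises the larger response size and reacts when the reply does not fit, as an added example rather than code from the article or from ISC: the query carries an EDNS0 OPT record with the UDP payload size and the DNSSEC OK flag, and the retry logic follows the fallback described above. Function names and the exact retry policy are assumptions.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the OPT record's TTL field
TC_BIT = 0x0200  # "truncated" flag in the DNS header
OPT = 41         # EDNS0 pseudo-record type

def build_query(name, qtype, txid, udp_size=4096, dnssec_ok=True):
    """Wire-format query whose OPT record advertises udp_size bytes over UDP."""
    # Header: id, flags (RD set), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, CLASS = UDP payload size, TTL = rcode/version/flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def read_opt(query):
    """Return (udp_size, dnssec_ok) from a one-question query with OPT first in additional."""
    pos = 12                      # skip the fixed 12-byte header
    while query[pos]:             # walk the question name label by label
        pos += query[pos] + 1
    pos += 5                      # terminating zero byte + qtype + qclass
    rtype, udp_size, ttl = struct.unpack("!HHI", query[pos + 1:pos + 9])
    if query[pos] != 0 or rtype != OPT:
        raise ValueError("no OPT record where expected")
    return udp_size, bool(ttl & DO_BIT)

def next_attempt(reply, udp_size):
    """Pick the retry after one UDP attempt; reply is the response bytes or None on timeout."""
    if reply is None:
        # Assumption: a large reply that silently vanished is retried advertising 512 bytes.
        return ("udp", 512) if udp_size > 512 else ("tcp", None)
    flags = struct.unpack("!H", reply[2:4])[0]
    return ("tcp", None) if flags & TC_BIT else ("done", None)

if __name__ == "__main__":
    q = build_query("com.", 48, 0x1234)  # 48 = DNSKEY; transaction id is constructed
    print(len(q), read_opt(q))
    print(next_attempt(None, 4096), next_attempt(None, 512))
```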

Some ISPs have already shifted customers over to DNSSEC; Comcast, for example, began the process in Oct. 2010.
