DNS Security Extensions will be completely deployed for the .com
By the end of the month, DNS Security Extensions, or DNSSEC, will be completely deployed for the ".com" zone, adding an additional layer of security to the popular Web zone.
According to Matt Larson, vice president of DNS research at VeriSign, the key material used to validate the signed DNS entries will be unobscured on March 31, and the DS record will be added to the root zone.
Put a bit more simply, DNSSEC adds security to the Domain Name System, the underpinnings of the Internet. DNS entries translate Web addresses such as "www.pcmag.com" into the actual registered IP address used by the site. DNSSEC works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone.
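The chain-of-trust link described above, where a DS record published in the parent (here, the root zone) authenticates the key-signing DNSKEY of the child (.com), can be checked offline. The following is an added example, not code from the article or from VeriSign; it implements the RFC 4034 key tag and DS digest with the standard library, and the DNSKEY it uses is a constructed placeholder, not the real .com key.

```python
# DNSSEC chain-of-trust check: does a parent's DS record match a child's DNSKEY?
# RFC 4034 key tag and DS digest, standard library only.
import base64
import hashlib
import struct

# Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: length-prefixed lower-case labels plus root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, dnskey_presentation: str, digest_type: int = 2) -> str:
    """DS RDATA a parent would publish for this child DNSKEY (RFC 4034 section 5.1.4)."""
    flags, protocol, algorithm, pubkey = dnskey_presentation.split(None, 3)
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey.replace(" ", ""))
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {int(algorithm)} {digest_type} {digest}"

def ds_matches(owner: str, ds_presentation: str, dnskey_presentation: str) -> bool:
    """True if the parent-side DS authenticates the child-side DNSKEY; any change to the
    key's flags, algorithm or public key bytes breaks the digest and the link fails."""
    tag, alg, dtype, digest = ds_presentation.split(None, 3)
    if int(dtype) not in DIGEST_ALGS:
        return False  # unsupported digest type is treated as no usable link, never as valid
    normalized = f"{int(tag)} {int(alg)} {int(dtype)} {digest.replace(' ', '').upper()}"
    return normalized == ds_from_dnskey(owner, dnskey_presentation, int(dtype))

if __name__ == "__main__":
    # Constructed placeholder KSK (flags 257, protocol 3, RSA/SHA-256); not the real .com key.
    ksk = "257 3 8 AQIDBA=="
    ds = ds_from_dnskey("com.", ksk)
    print("com. IN DS", ds)
    print("matches genuine key:", ds_matches("com.", ds, ksk))
    print("matches altered key:", ds_matches("com.", ds, "256 3 8 AQIDBA=="))
```

With real data, paste the `DNSKEY` rrset of the child and the `DS` rrset from the parent into `ds_matches`; a validating resolver performs this same comparison before trusting the child's keys.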
DNSSEC is designed to block DNS cache poisoning, or attacks on DNS servers that could route requests for a particular Web site to any site the attacker wanted the Web client to view - routing "www.pcmag.com." for example, to a site serving spam, malware, or pornography.
In 1998, for example, US-CERT (Computer Emergency Readiness Team) issued an advisory regarding a basic flaw in the DNS standard that could lead to cache poisoning.
This flaw would have allowed attackers to redirect Internet requests to wherever they wished, including sites that engaged in phishing or malware distribution. However, it wasn't easy - the flaw required exploiting an undisclosed combination of vulnerabilities such as insufficient transaction ID space, multiple outstanding requests, and a fixed source port. It also required that the attacker effectively spoof traffic.
DNSSEC merely authenticates DNS data; it does not encrypt it. It ensures data integrity and authenticates denial of existence, and it theoretically would allow DNSSEC-signed certificates to be distributed via email, allowing it to be used as a public key infrastructure. DNSSEC adds security to DNS; a tangentially related initiative would add reputation to DNS data.
"So far, the .net and .org zones have been digitally signed, and the process culminated on Dec. 9, 2010, with the publication of the .net DS record in the root zone," Larson said in an email.
"The .com zone is actually signed now, and the signed version is being served at all the .com authoritative servers, but the public key material is intentionally obscured to make the zone unusable for DNSSEC validation," Larson said. "This is an incremental deployment technique developed by Verisign and ICANN engineers as part of the project that deployed DNSSEC in the root zone. By using a 'deliberately unvalidatable zone,' Verisign can roll out the signed .com zone slowly and conservatively and watch for any unusual traffic patterns. The obscured key material keeps anyone from performing DNSSEC validation against the zone and starting to depend on it before its intended date of going fully live.
"At the end of this month, we'll unobscure the key material and on March 31, 2011, the DS record for .com will be added to the root zone, which will complete the deployment," Larson added.
The process should be relatively seamless for end users. The additional DNSSEC data will push some DNS responses beyond 512 bytes, up to 4096 bytes, which may affect only those appliances and devices in the wild that are configured to accept packets no larger than 512 bytes, ISC's Peter Losher noted last year. In some cases clients may retry with a smaller buffer size until the response gets through; otherwise they simply fall back to TCP.
Some ISPs have already shifted customers over to DNSSEC; Comcast, for example, began the process in Oct. 2010.