The Internet Corporation for Assigned Names and Numbers (ICANN) has completed a collaborative effort with the U.S. Department of Commerce and Verisign Inc. to roll out Domain Name System Security Extensions, or DNSSEC, to root Internet servers. The initiative, announced at this week's Black Hat Briefings,
The DNSSEC deployment adds public-key cryptography to the Domain Name System and creates an authentication platform that certifies the validity of Internet addresses and prevents the redirection of users to fake and maliciously crafted websites.
The Internet's root servers and domains, including .uk and .org, have now been signed with DNSSEC.
By providing users with assurance that they have arrived at the website they intended to, DNSSEC will specifically protect against cache poisoning and man-in-the-middle attacks, which seek to corrupt trusted relationships between users and domains.
Cache poisoning occurs when an Internet address in the server's DNS table is replaced with a rogue address. Attackers also use man-in-the-middle tactics to interfere with a public-key exchange, intercept a message and then retransmit it; an attacker surreptitiously replaces his or her public key with the one that a user requests, but allows the original communication to appear intact. A criminal using this technique could divert an online communication from a customer to a bank, and then, pretending to be the customer, use the information to empty the victim's bank account.
The announcement comes two years after researcher Dan Kaminsky exposed a major DNS cache-poisoning flaw at the 2008 Black Hat Briefings.