Article

ICANN announces DNSSEC deployment to root Internet servers

SearchSecurity.com Staff

The Internet Corporation for Assigned Names and Numbers (ICANN) has completed a collaborative effort with the U.S. Department of Commerce and Verisign Inc. to roll out Domain Name System Security Extensions, or DNSSEC, to root Internet servers. The initiative, announced at this week's Black Hat Briefings,

    Requires Free Membership to View

    Login

is intended to enhance the security of the Domain Name System and protect users from specific types of online fraud.

More on DNSSEC

DNSSEC deployments gain momentum since Kaminsky DNS bug 
DNSSEC brings PKI to the Domain Name System and prevents dangerous cache poisoning attacks. Implementation difficulties and political battles, however, keep it from going mainstream.

Federal agencies scrambling on DNSSEC implementation
Federal deployments of DNSSEC are lagging markedly. Learn more about what the governement is doing to catch up.

Video: VeriSign on DNSSEC support
Joe Waldron, a product manager in VeriSign's Naming (DNS) Group, said engineers are testing and upgrading systems to support security extensions for DNS (DNSSEC).

Kaminsky interview: DNSSEC addresses cross-organizational trust and security 
Network security researcher Dan Kaminsky has had a year to reflect on the impact of the cache poisoning vulnerability he discovered in the Domain Name System (DNS).
"A cybercriminal can steal your money or your personal data without you even knowing it," said Rod Beckstrom, president and CEO of ICANN, in a news release. "This upgrade will help disrupt the plans of criminals around the world who hope to exploit this crucial part of the Internet infrastructure to steal from unsuspecting people."

The DNSSEC deployment adds public-key cryptography to the Domain Name System and creates an authentication platform that certifies the validity of Internet addresses and prevents the redirection of users to fake and maliciously crafted websites.

The Internet's root servers and domains, including .uk and .org, have now been signed with DNSSEC.

By providing users with assurance that they have arrived at the website they intended to, DNSSEC will specifically protect against cache poisoning and man-in-the-middle attacks, which seek to corrupt trusted relationships between users and domains.

Cache poisoning occurs when an Internet address in the server's DNS table is replaced with a rogue address. Attackers also use man-in-the-middle tactics to interfere with a public-key exchange, intercept a message and then retransmit it; an attacker surreptitiously replaces his or her public key with the one that a user requests, but allows the original communication to appear intact. A criminal using this technique could divert an online communication from a customer to a bank, and then, pretending to be the customer, use the information to empty the victim's bank account.

The announcement comes two years after researcher Dan Kaminsky exposed a major DNS cache-poisoning flaw at the 2008 Black Hat Briefings.


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top