Saturday, December 6, 2008

DNSSEC Gets Its Own Coalition

"The new coalition will aim to identify and overcome the challenges and make DNSSEC deployment a global reality. One of the key players in the new DNSSEC coalition is VeriSign, the vendor that controls the Internet's root domain servers for the .com and .net domains.

"We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves," Pat Kane, vice president of naming services at VeriSign told

The specific problem, in Kane's view, is man-in-the-middle cache poisoning attacks like the one discovered by Kaminsky. The basic idea behind the attack is that DNS server responses can be tampered with to redirect end users to different sites, so a user could type in "" and be taken to a phishing site instead. With encryption signed DNS information from DNSSEC, a domain name would be validated to ensure authenticity.

For the ISC's Vixie, the real barriers to adoption for DNSSEC involve a number of items. For one, he stresses the need to get the root zone signed, including .com, for DNSSEC to function as it was intended. Getting the tools together to improve the usability of DNSSEC's tools and implementation is also key. That involves DNS servers like BIND as well as many other Internet ecosystem vendors.

"We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISPs to support DNSSEC validation in their recursive name servers and clients," Vixie said. "And we need the DNS registrars and registries to fully support DNSSEC for all their domain holders, meaning that if a domain holder signs their zones they ought to be able to upload their public keys someplace."

Full article: DNSSEC Gets Its Own Coalition, Sean Michael Kerner, retrieved from on December 5, 2008
