Seven key holders for the DNS root zone
Preparations for securing the domain name system root zone using the DNS Security Extensions (DNSSEC) protocol are entering a key phase. At the 76th meeting of the Internet Engineering Task Force (IETF) in Hiroshima, the design team from VeriSign, the internet administration authority ICANN and the US NTIA presented the strict security conditions under which the various keys required will be generated, held and renewed. IETF developers expressed concern about the lack of channels both for explaining the DNSSEC rollout, scheduled to commence in January, to ISPs and for collecting reports from ISPs of anything untoward.
In October, ICANN and VeriSign surprised many observers with their proposed timetable for DNSSEC root zone signing. Signatures will be used internally from as early as 1st December and the first root server will serve the zone to the outside world from January. Cryptographically secured DNSSEC signatures are intended to prevent DNS information from being changed en route from sender to recipient. If a response comes from the wrong domain, this is revealed when the signature made with the zone's private key is checked against its public key.
Signing the root zone is necessary to ensure that there is an unbroken chain of trust running right through the entire domain name system when converting domain and host names to IP addresses. Some top level domains, including .se and .org, have already signed their zones. Since the changes to the DNS are considerable and errors could knock out big chunks of the internet, the rollout is to take place a step at a time. One by one, following the sequence L, J, M, I, D, K, etc., root servers will start to issue signed responses from January. The last server will be A, scheduled for May. IETF developers are warning that leaving A to last is a bad idea, as it promotes the long-obsolete myth that A is something special.
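To make the chain of trust concrete, here is an added Go sketch (not code from ICANN, VeriSign or the IETF) of what a validating resolver does once the root is signed: the root key signs a DS-style digest of a TLD key, the TLD key signs an answer, and a resolver that trusts only the root key checks every link, so an answer altered in transit or signed by a key the root never vouched for is rejected. Ed25519 stands in for the real DNSSEC algorithms, and the record strings are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone stands in for a DNSSEC-signed zone: one key pair (no KSK/ZSK split, no validity windows).
type Zone struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// SignedRecord is a record plus the RRSIG-like signature its zone made over it.
type SignedRecord struct {
	Record string
	Sig    []byte
}

func NewZone() Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{pub, priv}
}

// Sign produces the signature a zone publishes alongside a record.
func (z Zone) Sign(record string) SignedRecord {
	return SignedRecord{record, ed25519.Sign(z.Priv, []byte(record))}
}

// DS is the DS-like digest of a child zone's key that the parent publishes and signs.
func DS(childKey ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(childKey))
}

// Validate walks the chain: trust anchor (root key) -> DS signed by the root -> TLD key
// matching that DS -> answer signed by the TLD key. A break anywhere fails the whole chain.
func Validate(anchor ed25519.PublicKey, ds SignedRecord, tldKey ed25519.PublicKey, answer SignedRecord) bool {
	if !ed25519.Verify(anchor, []byte(ds.Record), ds.Sig) {
		return false // the root did not vouch for this DS record
	}
	if ds.Record != DS(tldKey) {
		return false // this TLD key is not the one the root vouched for
	}
	return ed25519.Verify(tldKey, []byte(answer.Record), answer.Sig)
}
```

A resolver only needs the root's public key as its trust anchor; every other key is authenticated through the signed DS link above it, which is why the root must be signed for the chain to be unbroken.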