Signing of the Root Zone Represents Milestone in DNS Security
15 July 2010 - DNSSEC allows Internet users to type a website address and be confident that the website being displayed is coming from an authorised server. The global deployment of DNSSEC is a vital step in increasing Internet security and the RIPE NCC is proud to have played a leading role in its development.
DNSSEC Represents Two Decades of Work to Increase Internet Security
The signing of the root zone marks the culmination of almost two decades of work by the global Internet community and the RIPE NCC. The organisation has led the DNSSEC project in Europe, driving the protocol development forward since the early 1990s amongst the global Internet community and supporting the development of standards for DNSSEC technology. It has also offered technical and policy advice to the Internet Corporation for Assigned Names and Numbers (ICANN) as well as other Regional Internet Registries to ensure that DNSSEC can be deployed as efficiently as possible and without disruption to Internet users. Additionally, the RIPE NCC has raised awareness of DNSSEC among Internet Service Providers (ISPs), and offered training and support for early adopters of the technology.
All of the world's 13 root name servers, including K-root which is operated by the RIPE NCC, have gradually switched to a signed root since January this year in preparation for today's global roll-out.
Daniel Karrenberg, Chief Scientist of the RIPE NCC, says: "Trust and identity are key areas in need of improvement for the Internet to sustain its impressive rate of innovation and growth of the last 20 years. DNSSEC helps ensure that users can trust that they are indeed communicating with whom they intend to - that the website they are entering their banking transactions on is operated by their bank, and that their email reaches the intended recipient and no one else.
"It is crucial that institutions forming part of the Internet community, such as the RIPE NCC, collaborate globally in the long-term to protect the sustainable growth of the Internet."
Some top-level domains (TLDs) already use DNSSEC (.uk, .org, .bg, .ch, .cz, .li and .se, for example), and many more TLDs (such as .us and .biz) are currently working on signing their zone. As more domains are secured, the Internet becomes more reliable and stable, benefitting end-users.
Rob Blokzijl, RIPE Chair, says: "The RIPE community has been an ardent supporter of DNSSEC for many years, urging ICANN to sign the root zone. Now both ISPs and the domain name industry can move on to full deployment of DNSSEC, taking another step in our effort to make the Internet a safer place for all."
For Internet users to benefit from DNSSEC, a router and/or resolver upgrade may be necessary. Some routers may not be able to handle the larger packet sizes generated by DNSSEC because legacy networking equipment does not accept DNS responses that are over 512 bytes in size or split into several packets.
To help ISPs check that their resolvers are able to cope with the larger packet sizes introduced by DNSSEC, the RIPE NCC has developed a free, easy-to-use reply size tester tool that can be downloaded here. There are also browser add-ons that show end-users if DNSSEC is being used when they access a website. More information is available from RIPE Labs.
Many of the world's largest TLDs and root name servers use Name Server Daemon (NSD), a high performance DNS name server implementation designed by NLNet Labs, an Internet technology research and development group, and supported by the RIPE NCC. NSD improves the performance of the DNS and helps make it more resilient to failures.
The Domain Name System (DNS), while being an integral part of the backbone of the Internet, does not have inherent security features. This could expose Internet users to attacks by allowing hackers to redirect users to fake website addresses. So, when users type in the name of a legitimate website, they are taken to a fraudulent one instead, putting them at risk of phishing and other scams. DNSSEC uses digital signatures to assure caching resolvers that the DNS data they receive has not been intercepted or tampered with, increasing Internet safety for all.