Crypto project to lock down net security

Crypto project to lock down net security

Summary: VeriSign and Icann have joined with two US government agencies to encrypt one of the fundamental internet protocols

SHARE:
TOPICS: Security
0

VeriSign will administer encryption for the internet's Domain Name System, according to the organisation that oversees the fundamental internet address system.

Icann said on Wednesday that VeriSign will sign the Domain Name System Security Extensions (DNSSEC) at the root zone of the internet. The announcement suggests a resolution to a longstanding political argument about who would have responsibility for such encryption.

The US Department of Commerce's National Telecommunications and Information Administration and National Institute of Standards and Technology are working with Icann and VeriSign on the initiative.

In an interim arrangement between the participating organisations, VeriSign will manage and have operational responsibility for the zone signing key, while Icann will manage the key-signing-key process. Icann said it will work closely with VeriSign regarding the operational and cryptographic issues involved.

"This is very important for the global community of internet users. We will work closely with all participants on this crucial security initiative," Paul Twomey, president and chief executive of Icann, said in a statement.

The Domain Name System (DNS), the addressing system used to route information packets on the internet, has long been known to have numerous critical vulnerabilities. Due to the open nature of DNS architecture, DNS cache poisoning, which allows an attacker to falsely redirect a user, has been a recurrent problem since at least 2005. In 2008, security researcher Dan Kaminsky outlined a fundamental DNS flaw which forced multiple vendors to scramble to produce a patch.

The use of DNSSEC, an encrypted protocol, would mitigate many DNS flaws, but has so far been unworkable due to political tensions between DNS-using organisations, who have been unable to agree who would sign the root. This was recognised by the DNSSEC Deployment Working Group in 2005.

"Unfortunately, there are political issues," the working group said at the time. "The root is just another trust anchor but it is a 'special' one."

At the time of writing, Icann had not commented as to how these political issues had been resolved. However, Icann said in a statement that it "recognises the urgency surrounding the issue of electronically signing the internet's 'root zone'".

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion