Icann: Coders and ISPs vital to net security

Summary: The internet watchdog says DNSSEC encryption, which makes it harder for hackers to subvert web traffic, will only work if developers and ISPs get behind it

TOPICS: Security

Developers and internet service providers will need to participate if the encryption of a fundamental internet protocol is to succeed, according to Icann.

Icann is the US-based organisation responsible for running the domain-name system (DNS), which is the addressing system used to route information packets on the internet. The DNS has long been known to have numerous critical vulnerabilities, and the use of Domain Name System Security Extensions (DNSSEC), an encrypted protocol, would mitigate many DNS flaws.

Paul Twomey, the president and chief executive of Icann, told ZDNet UK on Friday that it was "important to get the application-layer community involved and to recognise that DNSSEC should move through all applications".

ISPs will also be vital to the next stage of the deployment, said Twomey, who anticipates that initially there will be a two-tier internet system, with one tier encrypted.

"It's going to take some time to deploy and further discussions, as there are a lot of implementation issues for ISPs in how they support DNSSEC," said Twomey. "[Users] will have to have access to both signed and unsigned roots. It's not like we can turn DNSSEC on tomorrow."

Icann announced last Wednesday that, as an interim measure, VeriSign will sign DNSSEC at the root zone of the internet.

Twomey said DNSSEC deployment would mitigate DNS cache poisoning, in which users are unwittingly redirected to fake internet sites.

"It means that users will have confidence that content comes from that site, not from some man-in-the-middle attack," said Twomey. "DNSSEC itself is not a new protocol, but moving towards having it deployed is a major step. This deployment will be seen as a major milestone in addressing fundamental security issues in a system designed 35 years ago."

DNSSEC deployment has been discussed since at least 2005, and has in part been held up by political issues as to who should sign the root. Twomey said that agreement between different organisations and stakeholders had now been achieved.

"This really points out the value of the Icann model," said Twomey. "We are a community-based organisation, and that brings a series of understandings."

Twomey said technical people in the internet security and stability community have had discussions globally, including within countries that do not historically have political affiliations with the US.

"We had discussions in Russia as to how DNSSEC could work," said Twomey. "That has been a positive outcome."

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
