Icann: Coders and ISPs vital to net security

The internet watchdog says DNSSEC encryption, which makes it harder for hackers to subvert web traffic, will only work if developers and ISPs get behind it
Written by Tom Espiner, Contributor

Developers and internet service providers will need to participate if the encryption of a fundamental internet protocol is to succeed, according to Icann.

Icann is the US-based organisation responsible for running the domain-name system (DNS), which is the addressing system used to route information packets on the internet. The DNS has long been known to have numerous critical vulnerabilities, and the use of Domain Name System Security Extensions (DNSSEC), an encrypted protocol, would mitigate many DNS flaws.

Paul Twomey, the president and chief executive of Icann, told ZDNet UK on Friday that it was "important to get the application-layer community involved and to recognise that DNSSEC should move through all applications".

ISPs will also be vital to the next stage of the deployment, said Twomey, who anticipates that initially there will be a two-tier internet system, with one tier encrypted.

"It's going to take some time to deploy and further discussions, as there are a lot of implementation issues for ISPs in how they support DNSSEC," said Twomey. "[Users] will have to have access to both signed and unsigned roots. It's not like we can turn DNSSEC on tomorrow."

Icann announced last Wednesday that, as an interim measure, VeriSign will sign DNSSEC at the root zone of the internet.

Twomey said DNSSEC deployment would mitigate DNS cache poisoning, in which users are unwittingly redirected to fake internet sites.

"It means that users will have confidence that content comes from that site, not from some man-in-the-middle attack," said Twomey. "DNSSEC itself is not a new protocol, but moving towards having it deployed is a major step. This deployment will be seen as major milestone in addressing fundamental security issues in a system designed 35 years ago."

DNSSEC deployment has been discussed since at least 2005, and has in part been held up by political issues as to who should sign the root. Twomey said that agreement between different organisations and stakeholders had now been achieved.

"This really points out the value of the Icann model," said Twomey. "We are a community-based organisation, and that brings a series of understandings."

Twomey said technical people in the internet security and stability community have had discussions globally, including within countries that do not historically have political affiliations with the US.

"We had discussions in Russia as to how DNSSEC could work," said Twomey. "That has been a positive outcome."
