Icann: Coders, ISPs vital to Net security

Internet watchdog says DNSSEC encryption, which makes it harder for hackers to subvert Web traffic, will only work if developers and ISPs get behind it.

Developers and Internet service providers will need to participate if the encryption of a fundamental Internet protocol is to succeed, according to the Internet Corporation for Assigned Names and Numbers (Icann).

Icann is the U.S.-based organization responsible for running the Domain Name System (DNS), which is the addressing system used to route information packets on the Internet. The DNS has long been known to have numerous critical vulnerabilities, and the use of Domain Name System Security Extensions (DNSSEC), an encrypted protocol, would mitigate many DNS flaws.

Paul Twomey, the president and chief executive of Icann, told ZDNet UK last week that it was "important to get the application-layer community involved and to recognize that DNSSEC should move through all applications".

ISPs will also be vital to the next stage of the deployment, said Twomey, who anticipates that initially there will be a two-tier internet system, with one tier encrypted.

"It's going to take some time to deploy and further discussions, as there are a lot of implementation issues for ISPs in how they support DNSSEC," said Twomey. "[Users] will have to have access to both signed and unsigned roots. It's not like we can turn DNSSEC on tomorrow."

Icann announced last Wednesday that, in an interim measure, VeriSign will sign DNSSEC at the root zone of the Internet.

Twomey said DNSSEC deployment would mitigate DNS cache poisoning, in which users are unwittingly redirected to fake Internet sites.

"It means that users will have confidence that content comes from that site, not from some man-in-the-middle attack," said Twomey. "DNSSEC itself is not a new protocol, but moving towards having it deployed is a major step. This deployment will be seen as major milestone in addressing fundamental security issues in a system designed 35 years ago."

DNSSEC deployment has been discussed since at least 2005, and has in part been held up by political issues as to who should sign the root. Twomey said that agreement between different organizations and stakeholders had now been achieved.

"This really points out the value of the Icann model," said Twomey. "We are a community-based organization, and that brings a series of understandings."

Twomey said technical people in the Internet security and stability community have had discussions globally, including within countries that do not historically have political affiliations with the United States.

"We had discussions in Russia as to how DNSSEC could work," said Twomey. "That has been a positive outcome."