Crypto project seeks to lock down net security

VeriSign and Icann have joined with two US government agencies to encrypt one of the fundamental internet protocols.
Written by Tom Espiner, Contributor

VeriSign will administer encryption for the internet's Domain Name System, according to the organization that oversees the fundamental internet address system.

Icann said on Wednesday that VeriSign will sign the Domain Name System Security Extensions (DNSSEC) at the root zone of the internet. The announcement suggests a resolution to a longstanding political argument about who would have responsibility for such encryption.

The US Department of Commerce's National Telecommunications and Information Administration and National Institute of Standards and Technology are working with Icann and VeriSign on the initiative.

In an interim arrangement between the participating organizations, VeriSign will manage and have operational responsibility for the zone signing key, while Icann will manage the key-signing-key process. Icann said it will work closely with VeriSign regarding the operational and cryptographic issues involved.

"This is very important for the global community of internet users. We will work closely with all participants on this crucial security initiative," Paul Twomey, president and chief executive of Icann, said in a statement.

The Domain Name System (DNS), the addressing system used to route information packets on the internet, has long been known to have numerous critical vulnerabilities. Due to the open nature of DNS architecture, DNS cache poisoning, which allows an attacker to falsely redirect a user, has been a recurrent problem since at least 2005. In 2008, security researcher Dan Kaminsky outlined a fundamental DNS flaw which forced multiple vendors to scramble to produce a patch.

The use of DNSSEC, an encrypted protocol, would mitigate many DNS flaws, but it has so far been unworkable due to political tensions between DNS-using organizations, which have been unable to agree on who would sign the root. This was recognized by the DNSSEC Deployment Working Group in 2005.

"Unfortunately, there are political issues," the working group said at the time. "The root is just another trust anchor but it is a 'special' one."

At the time of writing, Icann had not commented as to how these political issues had been resolved. However, Icann said in a statement that it "recognizes the urgency surrounding the issue of electronically signing the internet's 'root zone'".

This article was originally posted on ZDNet UK.
