Net's 13 root servers now DNSSEC-signed

The last of the Internet's 13 root servers transitioned to DNSSEC signing Thursday Singapore time. Local ISPs say no impact to users' online activities.
Written by Vivian Yeo, Contributor

SINGAPORE--Concerns over disrupted online access proved unfounded, even as all of the Internet's root servers completed the transition to a more secure protocol known as DNSSEC (Domain Name System Security Extensions) Thursday.

J-Root, the last of the 13 Internet root servers to make the switch, began serving a signed root zone between 5 p.m. and 7 p.m. UTC on May 5, which was between 1 a.m. and 3 a.m. Singapore time Thursday. This means all the root servers now serve a Deliberately Unvalidatable Root Zone (DURZ), the first step in the deployment of DNSSEC. In other words, root servers will return signed DNSSEC answers to queries asking for them.

The first root server made the transition in January 2010.

DNSSEC is a cryptographic protocol that aims to combat problems such as DNS cache poisoning, which allows an attacker to falsely redirect a user to another domain.

Signing of DNSSEC at the root zone of the Internet is administered by VeriSign, which also operates two of the root servers.

A status update on the Root DNSSEC Web site, dated May 5, reported that "no harmful effects have been identified" following the transition of all 13 root servers to the DURZ.

Prior to the conversion of J-Root, there were concerns that the switchover could "kill the Internet". The Register reported last month that normal DNS packets are small--under 512 bytes--while signed DNSSEC packets are significantly larger. The larger packets pose a problem because some network gear had been configured to reject traffic above 512 bytes.
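As an added illustration, not part of the original article: the Python sketch below builds the kind of query that asks for signed answers, using EDNS0 (the DNS extension mechanism) to advertise a UDP size above 512 bytes and set the "DNSSEC OK" bit, then reads those fields back from a message. The function names, the transaction ID and the 4096-byte size are assumptions chosen for the example.

```python
import struct

CLASSIC_UDP_LIMIT = 512            # largest DNS/UDP message without EDNS0
TYPE_DNSKEY, TYPE_OPT = 48, 41

def encode_name(name):
    """Encode a domain name as length-prefixed labels; "." becomes one zero byte."""
    labels = [p for p in name.split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qtype, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a query with one EDNS0 OPT record in the additional section."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)        # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = 0x8000 if dnssec_ok else 0                         # DO bit sits in the OPT "TTL" field
    # OPT: root owner name, TYPE 41, CLASS = advertised UDP size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past the name at pos (plain labels or a pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # a compression pointer is two bytes and ends the name
            return pos + 2
        pos += 1 + length

def inspect(msg):
    """Report the fields that decide whether a signed answer can arrive over UDP."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"truncated": bool(flags & 0x0200), "udp_size": CLASSIC_UDP_LIMIT,
            "dnssec_ok": False, "over_classic_limit": len(msg) > CLASSIC_UDP_LIMIT}
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            info["udp_size"], info["dnssec_ok"] = rclass, bool(ttl & 0x8000)
        pos += 10 + rdlen
    return info

if __name__ == "__main__":
    # Constructed sample: ask the root zone for its DNSKEY records, signatures wanted.
    print(inspect(build_query(".", TYPE_DNSKEY)))
```

A message with no OPT record is reported with the 512-byte default, and the `truncated` flag marks a response that did not fit in the size available.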

Benjamin Tan, managing director of SuperInternet, pointed out to ZDNet Asia in an e-mail that larger packet sizes have been supported for over a year now, since the introduction of BIND 9.5.0. BIND is a widely used DNS server standard.

"So unless there are [companies that] have not updated for more than a year, this should not be a problem," he said.

A spokesperson for SingNet said in an e-mail that the ISP's DNS servers are DNSSEC-compliant. It also does not anticipate any major problems for users as SingNet "has been in consultation with SGNIC (Singapore Network Information Centre) to ensure a smooth transition and no disruption to normal operations", he added.
