DNSSEC moves forward a little
VeriSign intends to DNSSEC-sign the internet’s root zone and then the .edu, .com and .net zones – which are operated by the former domain monopolist – said VeriSign's Pat Kane, Vice-president of Naming Services, at the 33rd meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Cairo last week. Microsoft executive Shyam Seshadri explained at the meeting how Vista’s successor Windows 7 and Windows 2008 R2's DNS server will support DNSSEC signatures and their validation.
On the server side, zone signing is supported through an offline signature tool, he said. Client machines automatically check whether their DNS server has validated the requested zone's key; the client itself does not validate, said Seshadri. Depending on the respective configuration or the chosen settings, the client will discard any DNS replies that the server has not validated, he said. Microsoft has not yet integrated the latest measures to prevent "zone walking", an attack on DNSSEC-signed zones that lets attackers enumerate the entire contents of a zone by following its chain of NSEC records. The NSEC3 standard is meant to prevent this, but it came too late for Microsoft's current work, explained Seshadri, stating that Windows 7 will not become available until the first quarter of 2010.
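The client behaviour described above, a stub resolver that does no validation of its own and instead trusts only replies its server has marked as validated, rests on the AD ("Authentic Data") flag in the DNS header; the NSEC3 remedy against zone walking rests on replacing the next owner name in each record with a salted, iterated hash. The following example, added here and not taken from the article or from Microsoft's implementation, parses the header flags of constructed reply messages, applies a hypothetical "discard unvalidated replies" policy, and computes an NSEC3 owner-name hash as specified in RFC 5155. The sample replies are header-only and constructed for the example; `accept_reply` and `nsec3_hash` are illustrative names, not any product's API.

```python
import base64
import hashlib
import struct

# Bit positions in the 16-bit flags field of the DNS header (RFC 1035, RFC 4035).
FLAG_QR = 1 << 15   # response (1) vs. query (0)
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # Authentic Data: the resolver DNSSEC-validated this answer
FLAG_CD = 1 << 4    # Checking Disabled: the client asked the resolver not to validate


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def accept_reply(msg: bytes, require_validation: bool = True) -> bool:
    """Hypothetical client policy: keep a reply only if it is a successful response
    and, when validation is required, the server set the AD bit on it."""
    hdr = parse_header(msg)
    if not hdr["qr"] or hdr["rcode"] != 0:
        return False          # not a response, or the server reported an error (e.g. SERVFAIL)
    if require_validation and not hdr["ad"]:
        return False          # server did not vouch for the data; discard
    return True


def build_header(ident: int, flags: int, qdcount: int = 1, ancount: int = 1) -> bytes:
    """Construct a header-only DNS message (sections omitted; the policy inspects flags only)."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample replies.
VALIDATED_REPLY = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
UNVALIDATED_REPLY = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
SERVFAIL_REPLY = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2)   # RCODE 2 = SERVFAIL


def nsec3_hash(owner_name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt),
    over the canonical (lower-case, uncompressed) wire form of the name, base32hex-encoded."""
    wire = b""
    for label in owner_name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00"                     # root label terminates the name
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Python's b32encode uses the standard alphabet; map it onto the "extended hex" alphabet.
    std = base64.b32encode(digest).decode("ascii")   # 20 bytes -> exactly 32 chars, no padding
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


if __name__ == "__main__":
    for name, reply in (("validated", VALIDATED_REPLY),
                        ("unvalidated", UNVALIDATED_REPLY),
                        ("servfail", SERVFAIL_REPLY)):
        print(f"{name:12s} ad={parse_header(reply)['ad']} accepted={accept_reply(reply)}")
    salt = bytes.fromhex("aabbccdd")      # constructed salt; 12 iterations, as in RFC 5155's examples
    print("NSEC3 owner hash of example.:", nsec3_hash("example.", salt, 12))
```

The policy function shows why the article's arrangement only holds between a client and a server it already trusts: the AD bit is a plain header flag, so anything that can tamper with the path between stub and resolver can set it. The hash function shows what NSEC3 changes: an NSEC record's "next owner" field names the next existing name in the zone in clear text, which is what zone walking follows, whereas NSEC3 publishes only the salted hash, which can be compared for existence proofs but does not directly reveal the name.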
The various registries and DNS administrators hope that by that time the root zone will also have been signed. ICANN and VeriSign have both put themselves forward as candidates to handle top-level key management and hold the master key, although they suggest a system of "partial keys". VeriSign has the experience, has been in business for a long time and meets all the technical requirements, said Kane. ICANN's Rick Lamb pointed out that keeping the key management directly with IANA makes it possible to handle both the validating and the signing of a zone in one place. Any transmission of the data, on the other hand, opens additional points of attack, he said.
The representatives of the National Telecommunications and Information Administration (NTIA), which reports to the US Department of Commerce, once again called on the members of the international community to have their say regarding the current consultation about signing of the root zone. Comments are due on 24th November.