DNSSEC on all root servers - updated
On Wednesday (5th May) the last of the 13 authoritative root servers for the domain name system switched over to the DNS Security Extensions (DNSSEC) security protocol. DNSSEC is intended to prevent DNS exploits such as cache poisoning. All 13 root servers are now serving a signed version of the root zone. However, it is not possible to validate these signatures at present as the public key remains undisclosed. This precautionary measure is intended to ensure that for the time being it remains possible to switch back to an unsigned root zone, should the need arise.
There have been no reports of any problems in the immediate aftermath of VeriSign's J root server starting to serve DNSSEC signatures. Experts at the 60th RIPE meeting in Prague were almost unanimous in predicting a glitch-free switchover, following the successful switchovers of the other 12 root servers in recent months. The only apocalyptic note was sounded by a countdown to the demise of the unsigned root zone.
Yesterday's changeover does mean the .root zone is now dead. VeriSign, which operated the master server for the root zone, has for several years used a single entry under .root, which served to check that the bulky root zone had been transferred in full. According to Jaap Akkerhuis, a DNS expert at nl.netLabs, the creation of the .root entry was prompted by a complete outage of the .com zone following a data transfer error. Rigid DNSSEC procedures render this trick obsolete for the root servers operated by VeriSign and the Internet Corporation for Assigned Names and Numbers (ICANN).
There will also be a key ceremony in June, involving 21 volunteer 'crypto officers' and 'recovery key share holders'. The 14 crypto officers must travel to the ceremony in two groups in order to authorise the generation of new zone signing keys for VeriSign's operation using the ICANN master key. ICANN employee Rick Lamb reports that there were 61 applications for these posts, which, in addition to being voluntary, entail significant expense. Key holders must pay their own travel costs and are not compensated for lost working time. Tight budgets at ICANN may be one reason it has chosen to offload these costs.
As a result, only four candidates were forthcoming from Africa and only five from Latin America. Asia managed to put up 10 candidates, European and US businesses and organisations 20 each. Lamb adds that ICANN is now considering whether there should be fewer US officers and more from other countries to make up for the fact that all keys will be generated exclusively at two sites in the US. In the opinion of many RIPE experts, a non-US location is essential.
Daniel Karrenberg, Chief Scientist at RIPE 60 in Prague, asked Lamb whether the US administration was blocking new locations, to which Lamb replied, "Block is a strong word." According to Lamb, a third location is currently under discussion. For example, Sweden, which has signed its .se zone for many years and operates one of the 13 root servers, would be a logical source of potential candidates. "Imagine what would happen if US airspace was shut down by something like the recent incident in Iceland or a terror alert," said Jim Reid, head of the DNS working group at RIPE. Without the correctly signed key material delivered on schedule, things could get pretty gloomy in the DNS. (Monika Ermert)
- More security for root DNS servers, a report from The H.