First root server provides a DNSSEC-signed zone as of December 1st
At the 59th meeting of the "Réseaux IP Européens" (RIPE) in Lisbon, Joe Abley of ICANN and VeriSign manager Matt Larson announced that, starting on the 1st of December, the central root zone of the Domain Name System (DNS) will be signed, deploying the DNS Security Extensions (DNSSEC) protocol that has been discussed for years. However, the signed root zone will be distributed only gradually to the 13 root servers, and the public key is slated for distribution starting on the first of July, 2010. Until then, responses cannot actually be validated. DNSSEC is designed to ensure that responses to DNS requests can be verified as coming only from authorised servers.
Ever since security expert Dan Kaminsky showed how easily such responses could be falsified and the requesting users deceived, experts have been under pressure to introduce DNSSEC. The US Department of Commerce released the date of the accelerated implementation and also decided that VeriSign and ICANN should work together to sign the root zone.
Attendees at RIPE welcomed the news that DNSSEC was finally being deployed. Olaf Kolkman of NLnet Labs called the gradual approach "smart". Abley explained that the decision to proceed gradually was intended to prevent DNS from buckling under the load of the anticipated huge number of responses to root server requests. He said it is important to observe, whenever a root server starts providing the signed zone, how many servers on the net divert the signed responses and fall back to unsigned variants.
The design choice of a 1024 bit RSA root zone key, rather than a longer 2048 bit key, may also have been due to the ambitious deployment date. The zone will be signed with NSEC instead of the next generation NSEC3 standard. Because the chosen key is valid for only four months, it should be adequate despite directives from US authorities to migrate to longer keys. The master key, however, will use the longer variant (2048 bit RSA); that key will only be changed every two to five years.
In recent months, increasing numbers of ccTLD managers have announced plans to sign their zones with DNSSEC. Most recently, the Swiss .ch and .li registry SWITCH announced the change to DNSSEC. At the RIPE meeting in Lisbon, Sara Monteiro of the FCCN .pt registry said that she was just months away from DNSSEC signing. DeNIC, on the other hand, recently started a two-year trial programme. The denser the DNSSEC chain becomes, the more secure it will be. However, experts expect some drawbacks as well, in particular domains that cannot be accessed because their responses are not signed in time.
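Two of the points above are things a resolver operator can check directly on the records a zone publishes: the split between a short-lived 1024 bit zone-signing key and a long-lived 2048 bit master (key-signing) key is visible in the DNSKEY flags and RSA modulus length, and the "signed too late" failure mode shows up as an RRSIG whose validity window no longer contains the current time. The following Python is an added example, not code from the article or from ICANN/VeriSign; the DNSKEY and RRSIG records it parses are constructed samples (made-up moduli, key tag and signature, algorithm 8 assumed), not the real root zone keys. The RRSIG window check uses the 32 bit serial-number arithmetic RFC 4034 requires for the inception and expiration fields.

```python
"""Inspect DNSKEY roles/key sizes and RRSIG validity windows (added example)."""
import base64
import calendar
import datetime as dt

# Algorithm numbers whose public key is encoded per RFC 3110 (exponent length,
# exponent, modulus): RSA/SHA-1, RSASHA1-NSEC3-SHA1, RSA/SHA-256, RSA/SHA-512.
RSA_ALGORITHMS = {5, 7, 8, 10}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: this key signs zone data
SEP_FLAG = 0x0001       # DNSKEY flags bit 15: Secure Entry Point (KSK)


def _encode_rsa_key(modulus: bytes) -> str:
    """RFC 3110 wire format for an RSA public key with exponent 65537, base64."""
    return base64.b64encode(bytes([3]) + b"\x01\x00\x01" + modulus).decode()


# Constructed moduli: top bit set so the bit length is exactly 2048 / 1024.
_KSK_MODULUS = bytes([0x80]) + bytes(range(255))   # 256 bytes -> 2048 bits
_ZSK_MODULUS = bytes([0x80]) + bytes(range(127))   # 128 bytes -> 1024 bits

# Constructed presentation-format RDATA (flags protocol algorithm key).
SAMPLE_KSK = "257 3 8 " + _encode_rsa_key(_KSK_MODULUS)
SAMPLE_ZSK = "256 3 8 " + _encode_rsa_key(_ZSK_MODULUS)
# Constructed RRSIG over the root SOA: type alg labels origTTL expiration
# inception keytag signer signature (signature bytes are a placeholder).
SAMPLE_RRSIG = "SOA 8 0 86400 20091231235959 20091201000000 12345 . AAAA"


def dnskey_info(rdata: str) -> dict:
    """Classify a DNSKEY as KSK/ZSK and report its RSA modulus length."""
    fields = rdata.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & ZONE_KEY_FLAG:
        role = "not a zone key"
    else:
        role = "KSK" if flags & SEP_FLAG else "ZSK"
    info = {"flags": flags, "algorithm": algorithm, "role": role}
    if algorithm in RSA_ALGORITHMS:
        keydata = base64.b64decode("".join(fields[3:]))
        exp_len, offset = keydata[0], 1
        if exp_len == 0:  # long form: two-byte exponent length follows
            exp_len = int.from_bytes(keydata[1:3], "big")
            offset = 3
        modulus = keydata[offset + exp_len:]
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def _to_serial(stamp: str) -> int:
    """YYYYMMDDHHmmSS (UTC) -> seconds since the epoch, modulo 2^32."""
    t = dt.datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return calendar.timegm(t.timetuple()) & 0xFFFFFFFF


def _serial_lt(a: int, b: int) -> bool:
    """a < b under RFC 1982 serial arithmetic with SERIAL_BITS = 32."""
    half = 2 ** 31
    return (a < b and b - a < half) or (a > b and a - b > half)


def rrsig_window(rdata: str, now: str) -> str:
    """Return 'valid', 'expired' or 'not yet valid' for an RRSIG at time `now`."""
    fields = rdata.split()
    expiration, inception = fields[4], fields[5]
    n, exp, inc = _to_serial(now), _to_serial(expiration), _to_serial(inception)
    if _serial_lt(n, inc):
        return "not yet valid"
    if _serial_lt(exp, n):
        return "expired"
    return "valid"


if __name__ == "__main__":
    for label, rec in (("KSK", SAMPLE_KSK), ("ZSK", SAMPLE_ZSK)):
        print(label, dnskey_info(rec))
    for when in ("20091215120000", "20100115000000"):
        print(when, rrsig_window(SAMPLE_RRSIG, when))
```

A validator that sees "expired" for every RRSIG of a zone is exactly the case the last paragraph warns about: the zone data may be fine, but until the operator re-signs it, validating resolvers will return SERVFAIL for it rather than fall back to the unsigned answer.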