IP address management group recommends fast introduction of DNS Security
The members of the Réseaux IP Européens (RIPE) address-management group recommend that the DNS root zone be signed with DNSSEC (the DNS Security Extensions) as soon as possible. At their meeting in Dubai, the RIPE members endorsed a draft letter to the National Telecommunications and Information Agency (NTIA). The US authority oversees the root zone and the private DNS manager, the Internet Corporation for Assigned Names and Numbers (ICANN). It recently invited comments on possible scenarios for signing the root zone.
The RIPE members have long demanded the introduction of DNSSEC to increase security within the DNS. DNSSEC provides PKI-based authentication of DNS server responses, which helps prevent problems such as cache poisoning attacks. To use DNSSEC sensibly, however, all DNS levels must be secured: not just individual Top Level Domains (TLDs), but also the root zone itself. So far, implementation of the concept has been impeded by the fact that signing the root zone (which is managed by the NTIA) would also hand US authorities control of key management.
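The following added example (not part of the article, and not code from RIPE, ICANN or VeriSign) models the chain-of-trust point made above: a validating resolver starts from one configured trust anchor and walks DS records and signatures downwards, so an unsigned root leaves everything below it unverifiable unless operators configure a separate anchor per TLD. The hierarchy (`.`, `nl.`, `example.nl.`, the address `192.0.2.10`) is constructed, and the signature scheme is textbook RSA over SHA-256 with Mersenne-prime keys chosen so the arithmetic is visible; real DNSSEC uses properly generated keys and splits each zone's key into KSK and ZSK.

```python
"""Toy DNSSEC chain-of-trust validator (added illustration, constructed data)."""
import hashlib
from math import gcd


def make_key(p, q, e=65537):
    """Constructed toy RSA key pair (assumption: one key per zone, no KSK/ZSK split)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def pubkey_of(key):
    return {"n": key["n"], "e": key["e"]}


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data: bytes) -> int:
    return pow(_h(data, key["n"]), key["d"], key["n"])


def verify(pub, data: bytes, sig) -> bool:
    return sig is not None and pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])


def ds_of(pub) -> str:
    """DS record content: digest of the child zone's public key, held by the parent."""
    return hashlib.sha256(f'{pub["n"]}:{pub["e"]}'.encode()).hexdigest()


class Zone:
    """One zone; key=None models an unsigned zone such as the root before signing."""

    def __init__(self, name, key=None):
        self.name, self.key = name, key
        self.records = {}  # owner name -> (rdata, RRSIG-like signature or None)
        self.ds = {}       # child zone name -> (DS digest, signature or None)

    def _sig(self, data: bytes):
        return sign(self.key, data) if self.key else None

    def publish(self, owner, rdata):
        self.records[owner] = (rdata, self._sig(f"{owner}|{rdata}".encode()))

    def delegate(self, child):
        d = ds_of(pubkey_of(child.key))
        self.ds[child.name] = (d, self._sig(f"{child.name}|{d}".encode()))


def validate(chain, anchors, owner):
    """Walk `chain` (root first, leaf last); `anchors` maps zone name -> trusted DS digest.
    Returns one of the DNSSEC validation states: ("secure", rdata), ("insecure", why),
    ("bogus", why)."""
    trusted = None  # public key of the zone we currently trust
    for i, zone in enumerate(chain):
        if zone.name in anchors:  # configured trust anchor overrides the parent link
            if zone.key is None or ds_of(pubkey_of(zone.key)) != anchors[zone.name]:
                return "bogus", f"{zone.name}: key does not match trust anchor"
            trusted = pubkey_of(zone.key)
        if trusted is None:
            # Unsigned or unanchored zone: nothing below it can be verified from here,
            # unless the next zone is its own "island of trust" with a configured anchor.
            if i + 1 < len(chain) and chain[i + 1].name in anchors:
                continue
            return "insecure", f"{zone.name}: no chain of trust reaches it"
        if i + 1 < len(chain):
            child = chain[i + 1]
            d, sig = zone.ds.get(child.name, (None, None))
            if d is None or not verify(trusted, f"{child.name}|{d}".encode(), sig):
                return "bogus", f"{zone.name}: DS for {child.name} missing or badly signed"
            if child.key is None or ds_of(pubkey_of(child.key)) != d:
                return "bogus", f"{child.name}: key does not match parent's DS"
            trusted = pubkey_of(child.key)
    rdata, sig = chain[-1].records.get(owner, (None, None))
    if rdata is None:
        return "bogus", f"{owner}: no such record"
    if not verify(trusted, f"{owner}|{rdata}".encode(), sig):
        return "bogus", f"{owner}: signature invalid"
    return "secure", rdata


def build(signed_root=True):
    """Constructed hierarchy . -> nl. -> example.nl. (placeholder names and address)."""
    root = Zone(".", make_key(2**31 - 1, 2**61 - 1) if signed_root else None)
    nl = Zone("nl.", make_key(2**89 - 1, 2**107 - 1))
    example = Zone("example.nl.", make_key(2**127 - 1, 2**19 - 1))
    root.delegate(nl)
    nl.delegate(example)
    example.publish("www.example.nl.", "192.0.2.10")
    return [root, nl, example]


def root_anchor(chain):
    return {".": ds_of(pubkey_of(chain[0].key))}


def tld_anchor(chain):
    return {"nl.": ds_of(pubkey_of(chain[1].key))}


if __name__ == "__main__":
    signed = build(True)
    print(validate(signed, root_anchor(signed), "www.example.nl."))        # secure
    unsigned = build(False)
    print(validate(unsigned, {}, "www.example.nl."))                       # insecure
    print(validate(unsigned, tld_anchor(unsigned), "www.example.nl."))     # secure, per-TLD anchor
    www = signed[2].records["www.example.nl."]
    signed[2].records["www.example.nl."] = ("203.0.113.9", www[1])         # forged answer
    print(validate(signed, root_anchor(signed), "www.example.nl."))        # bogus
```

With a signed root, one anchor covers every zone; with an unsigned root the resolver reports the same answer as insecure, and the only way to validate again is to configure and maintain an anchor for each TLD separately, which is the operational cost the article's "all DNS levels" remark refers to.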
From the perspective of the RIPE members present in Dubai, DNSSEC is not about "control". "It is about authentication and identification", write the members in one of the 12 principles they intend to send to the NTIA once the entire membership has been consulted via its mailing list. DNSSEC must be regarded as a global project and not as a project by one government or interest group, says the draft.
In Dubai, there was considerable discussion about the phrasing of the document, as some parts of it would have implicitly endorsed the current control structures. Many RIPE members do not wish to go that far; the much-postponed privatisation of DNS management has long been a thorn in many people's sides. The diplomatic wording that resulted is that the procedures for signing the root zone will follow the applicable DNS management model. Organisational changes must not result in a change of keys, the document says, adding that the chosen solution must also be a compromise: both the level of security and trust in the solution should be given equal weight.
The NTIA presented several possible concepts, and further suggestions were made by ICANN and VeriSign. While ICANN wants to tie the signing of the root zone more closely to IANA, the root zone management authority it runs under contract to the US authorities, VeriSign puts itself forward not only for signing the zone but also for managing the master Key Signing Key. VeriSign distributes the current root zone to the 13 DNS root servers, operates two of those root servers, and runs the .com zone and several other TLDs.
- VeriSign wants to share (a small part of) the DNSSEC keys
- The US to implement DNSSEC in all federal offices
- Is DNSSEC the way to go?
(Monika Ermert)