[LINK] DNSSEC

stephen at melbpc.org.au stephen at melbpc.org.au
Sat Jun 25 19:36:14 AEST 2011


A Stronger Net Security System Is Deployed

By JOHN MARKOFF  www.nytimes.com  Published: June 24, 2011 

http://www.dnssec.org
http://www.dnssec.net
http://www.root-dnssec.org
http://www.dnssec-deployment.org


A small group of Internet security specialists gathered in Singapore this 
week to start up a global system to make e-mail and e-commerce more 
secure, end the proliferation of passwords and raise the bar 
significantly for Internet scam artists, spies and troublemakers.

“It won’t matter where you are in the world or who you are in the world, 
you’re going to be able to authenticate everyone and everything,” said 
Dan Kaminsky, an independent network security researcher who is one of 
the engineers involved in the project. 

The Singapore event included an elaborate technical ceremony to create 
and then securely store numerical keys that will be kept in three 
hardened data centers there, in Zurich and in San Jose, Calif. 

The keys and data centers are working parts of a technology known as 
Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a 
directory that connects names to numerical Internet addresses. 

Preliminary work on the security system had been going on for more than a 
year, but this was the first time the system went into operation, even 
though it is not quite complete. 

The three centers are fortresses made up of five layers of physical, 
electronic and cryptographic security, making it virtually impossible to 
tamper with the system. Four layers are active now. The fifth, a physical 
barrier, is being built inside the data center. 

The technology is viewed by many computer security specialists as a ray 
of hope amid the recent cascade of data thefts, attacks, disruptions and 
scandals, including break-ins at Citibank, Sony, Lockheed Martin, RSA 
Security and elsewhere. It allows users to communicate via the Internet 
with high confidence that the identity of the person or organization they 
are communicating with is not being spoofed or forged. 

Internet engineers like Mr. Kaminsky want to counteract three major 
deficiencies in today’s Internet. There is no mechanism for ensuring 
trust, the quality of software is uneven, and it is difficult to track 
down bad actors. 

One reason for these flaws is that from the 1960s through the 1980s the 
engineers who designed the network’s underlying technology were concerned 
about reliable, rather than secure, communications. That is starting to 
change with the introduction of Secure DNS by governments and other 
organizations. 

The event in Singapore capped a process that began more than a year ago 
and is expected to be complete after 300 so-called top-level domains have 
been digitally signed, around the end of the year. Before the Singapore 
event, 70 countries had adopted the technology, and 14 more were added as 
part of the event. While large countries are generally doing the 
technical work to include their own domains in the system, the consortium 
of Internet security specialists is helping smaller countries and 
organizations with the process. 

The United States government was initially divided over the technology. 
The Department of Homeland Security included the .gov domain early in 
2009, while the Department of Commerce initially resisted including 
the .us domain because some large Internet corporations opposed the 
deployment of the technology, which is incompatible with some older 
security protocols. 

Internet security specialists said the new security protocol would 
initially affect Web traffic and e-mail. Most users should be mostly 
protected by the end of the year, but the effectiveness for a user 
depends on the participation of the government, Internet providers and 
organizations and businesses visited online. Eventually the system is 
expected to have a broad effect on all kinds of communications, including 
voice calls that travel over the Internet, known as voice-over-Internet 
protocol. 

“In the very long term it will be voice-over-I.P. that will benefit the 
most,” said Bill Woodcock, research director at the Packet Clearing 
House, a group based in Berkeley, Calif., that is assisting Icann, the 
Internet governance organization, in deploying Secure DNS. 

Secure DNS makes it possible to make phone calls over the Internet secure 
from eavesdropping and other kinds of snooping, he said. 

Security specialists are hopeful that the new Secure DNS system will 
enable a global authentication scheme that will be more impenetrable and 
less expensive than an earlier system of commercial digital certificates 
that proved vulnerable in a series of prominent compromises. 

The first notable case of a compromise of the digital certificates — 
electronic documents that establish a user’s credentials in business or 
other transactions on the Web — occurred a decade ago when VeriSign, a 
prominent vendor of the certificates, mistakenly issued two of them to a 
person who falsely claimed to represent Microsoft. 

Last year, the authors of the Stuxnet computer worm that was used to 
attack the Iranian uranium processing facility at Natanz were able to 
steal authentic digital certificates from Taiwanese technology companies. 
The certificates were used to help the worm evade digital defenses 
intended to block malware. 

In March, Comodo, a firm that markets digital certificates, said it had 
been attacked by a hacker based in Iran who was trying to use the stolen 
documents to masquerade as companies like Google, Microsoft, Skype and 
Yahoo. 

“At some point the trust gets diluted, and it’s just not as good as it 
used to be,” said Rick Lamb, the manager of Icann’s Secure DNS program. 

The deployment of Secure DNS will significantly lower the cost of adding 
a layer of security, making it more likely that services built on the 
technology will be widely available, according to computer network 
security specialists. It will also potentially serve as a foundation 
technology for an ambitious United States government effort begun this 
spring to create a system to ensure “trusted identities” in cyberspace. 

A version of this article appeared in print on June 25, 2011, on page B1 
of the New York edition with the headline: A Stronger Net Security System 
Is Deployed.
--

Cheers,
Stephen


