October 10th, 2008
US proposes DNS fix: digital signatures
The Commerce Department is considering deploying digital signatures to make DNS less susceptible to hacking, ComputerWorld reports. Under the proposal, DNS records would be signed using DNSSEC (Domain Name System Security Extensions).
There have been some commitments to the system for the following top-level domains: .gov (US government), .se (Sweden), .br (Brazil), .pr (Puerto Rico), .bg (Bulgaria), as well as the .org TLD.
But to make the system really work, ISPs, domain registrars and registries and others would have to upgrade.
“DNSSEC signed root zone would represent one of the most significant changes to the DNS infrastructure since it was created,” according to a notice issued by the U.S. Department of Commerce in the Federal Register, a daily digest of U.S. government notices.
Meanwhile, a battle is brewing between ICANN and VeriSign about who should hold the keys.
ICANN has submitted a proposal advocating that it should hold the keys. ICANN said it is a nonprofit, transparent organization that is “not subject to market-based profit and loss considerations.”
VeriSign countered in its proposal that it should be able to hold one kind of key necessary for the signing process, and the other kind should be split among other entities.









