Client Testimonial
"Many IT service providers are more interested in selling hardware than providing a prompt and value adding service. This is not the case with Dual Layer." read more »
Harmony Capital
Client Login
 Quick Contact
DNSSEC on all root servers
Category : General 11 May 2010 01:34 AM | Industry News
It is said that DNSSEC is an encrypted protocol whose goal is to battle DNS cache poisoning troubles, which lets an attacker transmit a user to another domain in a fake way. VeriSign supervises the signing of DNSSEC at the root zone of the Internet. VeriSign also functions two of the root servers.
The top domain authorities (led by Internet Corporation For Assigned Names and Numbers (ICANN) and VeriSign, Inc., with support from the U.S. Department of Commerce) are continuing to test DNSSEC-enabled (Domain Name System Security Extensions) queries to the 13 root DNS servers. The first root server (L-root) began serving the signed root in the form of the DURZ (deliberately unvalidatable root zone) in late January 2010.
Not all DNS root server will respond to every request, the user machine DNS resolver request one by one the 13 root server until you return to a satisfactory answer. When the 13 units with DNSSEC signature feature of the root server all on the line, all the old equipment, the response will not reach the enterprise network, Tonkin hopes to solve the problem of large ISP, so that home users are not affected.
Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes. Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger that 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.
The fix enables the cluster to begin serving a Deliberately Unvalidatable Root Zone (DURZ), which would eventually enable the ability to serve signed addresses. The industry bodies involved, ICANN and Verisign, expect to distribute signed keys through the servers on 1 July. According to a post on the Root DNSSEC website, "no harmful effects have been identified" following the transition.
DNSSEC is undergoing a phased rollout and it won't be ready for full use for a couple of years, but when the work is complete the security of the Internet infrastructure will be vastly improved."