Some interesting news, from a few years back – where a new root zone key was published. It was supposed to make the web a much more secure place, however there seems little evidence that this has succeeded, here’s a summary of the news release which was from 2012 I think.
RIPE NCC, an internet infrastructure company celebrates its publication of a root zone key that they claim will bring about a more secure web.
The organization said that this new key will enable the deployment of Domain Name Server Security Extensions (DNSSEC). This guarantees that when users type in a certain domain server name, they will be directed to the authentic site.
Daniel Karrenberg, the Chief Scientist of RIPE, stated that services that are secured by a public key, cannot be tampered with by criminals. He further stated that trust and identity are key for the internet and the Domain Name System was not credible to serve those needs.
It’s particularly relevant as nowadays many of use are needing to take security into our own hands, mainly due to the overall insecurity of the internet and HTTP specifically. The long list of countries who have been using DNS to enforce internet and content filters has added a further complication. These complications are all over and being further enforced by geo – restrictions designed to enforce copyright or maximizing profits. Which means many of us spend lots of our time searching for ways to bypass these blocks by using proxies or US residential IPs which are extremely difficult to find.
NS is a fundamental support system to the internet but has never had a security system that goes along with it. This in turn has led to many attacks in the past such as DNS cache poisoning. These type of attacks cause users to get malware or other viruses or they are directed to fraudulent websites where they are asked to input personal information.
DNSSEC uses digital signatures so that the DNS data that is received cannot be tampered with and is invisible to end-users. The digital signature feature does not slow down the speed at which the website loads.
All 13 of the worlds root names have switched to a signed root to enhance their security and prepare to meet global security needs. This enhancement also keeps them in the league of all other root names. So there may be some hope that in the future the internet becomes less segmented again as per the original concept. After all spending time searching for ways to bypass blocks and IP address just so I can watch UK TV in Germany seems a huge waste of time and resources.
The .uk and .org domains already use DNSSEC but Karrenberg expects the new security feature to be adopted by more top level domains (TLDs) and service providers in the upcoming months. He added that for this adoption to be successful it needs to be taken on at every level down the ISPs.
RIPE says that some users will have to upgrade their router hardware to benefit from the DNSSEC because some routers are not fit for the bigger package sizes of DNSSEC.
Organizational apathy has caused a worry in security experts because they think that regardless of the clear benefits some organizations will refuse to adopt the new enhancement to avoid change.
In the end, the benefits are clear but the adoptions process by all will be over years. Security experts predict that because of the security enhancement the add-on brings with it, eventually all root servers will succumb to the enhancement.