What is DNSSEC?
DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall processii. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.
What’s to stop all the other parts of the addressing chain from employing DNSSEC?
Nothing. But like any chain that relies on another part for its strength, if you leave the root zone unsigned you will have a crucial weakness. Some parts could be trusted and others might not be.
How will it improve security for the average user?
Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protect the “conversation”, and provide a platform for yet to be developed security improvements.
What actually happens when you sign the root?
“Signing the root” by using DNSSEC adds a few more records per top level domain to the root zone file. What are added are a key and a signature attesting to the validity of that key.
DNSSEC provides a validation path for records. It does not encrypt or change the management of data and is ‘backward compatible’ with the current DNS and applications. That means it doesn’t change the existing protocols upon which the Internet’s addressing system is based. It incorporates a chain of digital signatures into the DNS hierarchy with each level owning its own signature generating keys. This means that for a domain name like www.icann.org each organization along the way must sign the key of the one below it. For example, .org signs icann.org’s key, and the root signs .org’s key. During validation, DNSSEC follows this chain of trust up to the root automatically validating “child” keys with “parent” keys along the way. Since every key can be validated by the one above it, the only key needed to validate the whole domain name would be the top most parent or root key.
This hierarchy does mean however that, even with the root signed, full deployment of DNSSEC across all domain names will be a process that will take time since every domain below must also be signed by their respective operators to complete a particular chain of trust. Signing the root is just a start. But it is crucial. Recently TLD operators have accelerated their efforts to deploy DNSSEC on their zones (.se, .bg, .br, .cz, .pr do now with .gov, .uk, .ca and others coming) and others expect to as well.