The Internet regulation authority, which is notably responsible for allocating domain names, has announced the deployment of DNSSEC, which will allow it to better protect users against fake web sites.
This is a project that has been run by ICANN for a number of years, although technical and political obstacles have delayed its implementation. ICANN finally announced on Wednesday that they would be deploying DNSSEC on the Internet’s root domain name servers. This work has been performed in collaboration with the security company VeriSign and the United States Department of Commerce.
DNSSEC (Domain Name System Security Extensions) is a technology which offers a signature at the DNS root level. The thirteen root DNS servers also send cryptographic signatures associated with each Internet address, which allows them to assure the integrity of domain names.
According to ICANN, the domain name system is consulted up to a trillion times per day by close to 1.8 billion internet users around the world. "By using a sophisticated public encryption key, DNSSEC will increase the trust and integrity in this process".
DNSSEC will help fight two attack methods which threaten internet users: DNS cache poisoning and man-in-the-middle attacks. Cache poisoning occurs when a Web site's legitimate backup request is hijacked to direct the Internet user to a fake site where malicious actions are inflicted. A man-in-the-middle attack occurs when a Web page's communication is intercepted by a third-party site sitting between the two ends, which passes all communication between the end site and the end user through itself without the user knowing.
According to Dan Kaminsky, a computer security researcher who found a global DNS flaw in the summer of 2008, search engines like Google and Bing will be able to use DNSSEC to authenticate the identity of online sites such as banks.
The benefits of deploying DNSSEC should be visible in 12 to 18 months. It will not make the internet safe, but "safer".
The AFNIC’s definition of DNSSEC: DNSSEC is an extension of the DNS protocol. This extension assures, through digital signatures, the authentication and integrity of DNS records. DNS, once secured, can be used to store application keys (or certificates). In this way, DNS can be considered as a PKI (Public Key Infrastructure).
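The following added example (not from the article, ICANN or AFNIC) shows how a validating resolver uses such a signature to reject a poisoned answer: the zone signs its address record set in the RFC 4034 canonical form with RSA/SHA-256, and the resolver accepts an answer only if the signature matches and is inside its validity window. The zone name, addresses, key tag, dates and the deliberately weak toy key are constructed for illustration, and the resolver is assumed to already trust the zone's public key.

```python
import hashlib
import struct

# Constructed toy RSA key from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed zone parameters (hypothetical names and values).
ZONE, TTL, KEY_TAG = "bank.example.", 3600, 12345
INCEPTION, EXPIRATION = 1262304000, 1264982400  # 2010-01-01 .. 2010-02-01 UTC

def wire_name(name):
    """Canonical (lower-case) DNS wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def signed_data(owner, addrs):
    """RFC 4034 3.1.8.1: RRSIG RDATA without the signature, then the A RRset."""
    nlabels = owner.rstrip(".").count(".") + 1
    head = struct.pack(">HBBIIIH", 1, 8, nlabels, TTL, EXPIRATION, INCEPTION, KEY_TAG)
    rdatas = sorted(bytes(int(o) for o in a.split(".")) for a in addrs)
    rrs = b"".join(wire_name(owner) + struct.pack(">HHIH", 1, 1, TTL, 4) + r for r in rdatas)
    return head + wire_name(ZONE) + rrs

def emsa(data):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), padded to the modulus length."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(owner, addrs):
    """Zone operator: sign the RRset with the private key."""
    return pow(int.from_bytes(emsa(signed_data(owner, addrs)), "big"), D, N).to_bytes(K, "big")

def resolver_accepts(owner, addrs, sig, now):
    """Validating resolver: check validity window, then the RSA/SHA-256 signature."""
    s = int.from_bytes(sig, "big")
    if not (INCEPTION <= now <= EXPIRATION) or s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == emsa(signed_data(owner, addrs))

SIG = sign("www.bank.example.", ["192.0.2.10"])
NOW = INCEPTION + 86400
print(resolver_accepts("www.bank.example.", ["192.0.2.10"], SIG, NOW))    # genuine answer
print(resolver_accepts("www.bank.example.", ["203.0.113.66"], SIG, NOW))  # poisoned answer
```

The signature covers the record data but not the transport, so a validating resolver detects a substituted address no matter which server or cache delivered the answer.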