From the news: More security work to do

The U.S. government has won plaudits from internet experts for mandating the use of a new security mechanism to protect its Web servers from being impersonated with bogus Web sites. But some say the government needs to take further action – not just to protect its own sites, but also the millions of others that businesses, nonprofits and other organizations operate around the world.

To seal the deal, the government needs to apply the Domain Name System Security Extensions (DNSsec) to cryptographically sign, or authenticate, the root of the DNS system, not just its own agency Web sites, according to Network World. The root consists of the 13 server clusters located around the world that resolve lookups for domain names and sit at the pinnacle of the Internet’s hierarchy of servers.

The United States could make this happen through its sponsorship of ICANN, the Internet Corporation for Assigned Names and Numbers, a nonprofit corporation in California set up to handle Internet tasks such as operating the root zone and managing domain names and IP addresses. The Commerce Department issued a request for public comments about DNSsec deployment on the root zone in October 2008 but has not yet acted on those recommendations. Lack of DNSsec action at the root level is the result of political wrangling in the Internet community, said Kim Davies, ICANN’s manager of root-zone services.

DNSsec works best and is most efficient when it is applied in an interlocking chain across all levels of the Internet’s hierarchy of servers: the root, top-level domains — such as .gov or .com — and subdomains — such as IRS.gov, or FCW.com.

But because so many players operate on different parts of the Internet, none has considered it to be in their interest to use DNSsec if other levels of the infrastructure do not use it. The U.S. government got the ball rolling last month when the General Services Administration started to use DNSsec to sign the .gov top-level domain. Individual agencies are supposed to sign their subdomains by this December.

Outside government, VeriSign promised last month to deploy DNSsec across all of the top-level domains it operates, including .com and .net, within two years, according to Network World.

Internet experts applaud the U.S. government for mandating the use of a new security mechanism to protect its Web servers from being impersonated with bogus Web sites. But some say the government needs to take further action that will more fully and efficiently protect its sites, in addition to the millions of others that businesses, nonprofits and other organizations around the world operate.

To seal the deal, the government needs to apply the Domain Name System Security Extensions (DNSsec) to cryptographically sign, or authenticate, the root of the DNS system, not just its own agency Web sites, according to Network World. The root consists of the 13 server clusters located around the world that resolve lookups for domain names and sit at the pinnacle of the Internet’s hierarchy of servers.

The United States could make this happen through its sponsorship of the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit corporation in California set up to handle Internet tasks such as operating the root zone and managing domain names and IP addresses. The Commerce Department issued a request for public comments about DNSsec deployment on the root zone in October 2008 but has not yet acted on those recommendations. Lack of DNSsec action at the root level is because of political wrangling in the Internet community, said Kim Davies, ICANN’s manager of root-zone services.

DNSsec works best and is most efficient when it is applied in an interlocking chain across all levels of the Internet’s hierarchy of servers: the root, top-level domains — such as .gov or .com — and subdomains — such as IRS.gov, or FCW.com.

But because so many players operate different parts of the Internet, none has considered it to be in their interest to use DNSsec if other levels of the infrastructure do not use it. The U.S. government got the ball rolling last month when the General Services Administration started to use DNSsec to sign the .gov top-level domain. Individual agencies are supposed to sign their subdomains by this December.

Outside government, VeriSign promised last month to deploy DNSsec across all of the top-level domains it operates, including .com and .net, within two years, according to Network World.