Signing the Root

One of the most significant moments in the history of the Internet occurred last week, though many people will not have noticed.


For the billions of Internet users around the globe, their electronic on-line world won’t have skipped a beat last week.

That’s great news for me and many of my colleagues both in Nominet and around the world, for yesterday the root of the Internet was finally signed with DNSSEC security extensions.

This technology change has been ten years in the planning. It starts to fix a fundamental flaw in the Domain Name System (DNS) that has been present since its inception 25 years ago.

When the DNS was invented in the labs and universities of southern California, nobody could have envisaged how the Internet would grow so rapidly in the 21st century.

The DNS was designed as a simple mechanism that would allow trusted computers to communicate with one another. The fact that this simplicity has enabled such a phenomenal growth is a testament to the brilliance of that design.

But now we have billions of dollars of transactions happening every day across that network. Millions of users trust their personal and financial information to websites around the world.

With that growth, as in all walks of life, comes the criminal fraternity. They want to find ways in which to steal some of those billions and will happily throw their efforts into cracking into the DNS to achieve those goals.

DNSSEC fixes that problem: it cleverly expands upon the DNS protocol and adds cryptographic signatures to the transactions between the servers that resolve domain names. This stops anyone from spoofing DNS traffic, or intercepting and altering it, between computers.

The end result is that when you type the domain name for your bank or building society, you can be reassured that it actually is your bank and not someone trying to impersonate them. Your emails will reach the destination intended and your information will stay with those who you trust.

Retrofitting this technology into the DNS has been a long journey for the technical community. There has been much criticism of DNSSEC along the way. Many have criticised it as being too little, too late and only fixing a small part of a much larger problem.

It’s certainly no cure-all for the much-documented ills of the Internet, but it reaches into the heart of the network and fixes a key flaw that, if left unchecked, is an open door to attacks on our privacy and security.

So, like many others, I’m thrilled that the key foundation, the implementation of DNSSEC in the root of the Internet, has taken place so quietly and successfully. The Internet is running just the same today as it was yesterday. But now we have a security platform upon which we can start to build.

The challenge now is to push the adoption of this technology out to the boundaries of the Internet, across continents, to developing countries and down to the very browsers that we, the public, increasingly rely upon to go about our daily lives.
