ICANN and VeriSign, with assistance from the US Department of Commerce, will shortly complete the digital signing of the root zone using DNSSEC. From a technical standpoint, DNSSEC is an extension of DNS that allows address information to be digitally signed. In other words, a zone operator signs the records that map domain names to IP addresses in its zone. DNSSEC makes it possible to overcome fundamental DNS weaknesses such as cache poisoning, which allows attackers to reroute Internet users to their own servers by substituting the mapping between domain names and IP addresses.
To verify a signature, one needs the public key belonging to whoever generated the addressing data in a domain zone. The root zone has its own private key; the problem is that it is unclear who precisely should hold it. The difficulty is that the Internet's DNS has a single root zone and domains are built in a hierarchical structure, which is why a “flat” trust structure is organizationally difficult to achieve. Discussions about when zone signing would take place went on for several years. The question is who will hold the keys and how this will affect the DNS and the Internet as a whole. Last fall, the National Telecommunications and Information Administration (NTIA), a division of the US Department of Commerce, announced possible scenarios for root zone signing. ICANN and VeriSign each offered their own alternatives. After a year of public debates and discussions, ICANN, VeriSign and the NTIA arrived at a roadmap under which the current procedure for making changes to the zone remains unchanged and the major stakeholders take on additional roles: ICANN will hold the trust anchor, a Key Signing Key; the NTIA, as before, will approve changes; and VeriSign will hold the Zone Signing Key, which is used to generate the root zone signatures, and will place the signed zone on a hidden master server. The zone will then be published by the root zone operators, one of which is RIPE NCC, which runs the root server k.root-servers.net.
According to the preliminary plan, a test launch of DNSSEC in the root zone will take place in May-June. The final decision on signing will be based on the results of the test launch. If the test is a success, ICANN will hold two stages of the signing in June and July at two data centers, in Virginia and in Los Angeles, and will then publish the fully signed root zone on 15 July 2010.
To ensure the security of the DNS and make the entire process more transparent, all stages of the root zone signing will be overseen by independent representatives of the Internet community (crypto-officers). They were selected for competence and impartiality, i.e. no association with any of the organizations carrying out the signing: ICANN, VeriSign and the US Department of Commerce.
In line with these requirements, seven crypto-officers were chosen for each data center that will host the signing, as well as seven so-called recovery key share holders. Mr. Dmitry Burkov, a former member of the Council of the Coordination Center for ccTLD .RU and a member of the Board of RIPE NCC, has been selected as the crypto-officer from Russia. If the initial signing processes are a success, the selected crypto-officers will perform their functions on an annual basis.