It is critical to sign the root server as soon as possible. A signed root will speed adoption of this badly needed improvement in Internet architecture and it will do so at a fraction of the cost internet users endure today in their efforts to protect themselves. It will greatly reduce losses from avoidable malicious activity. Importantly, it provides a trust anchor that is essential for deployment of Internet 2 and cloud computing applications that can achieve needed efficiencies in health care, insurance and government.
The cost to sign the root is trivial, the worldwide benefit huge. All of the technical challenges have been addressed by a worldwide who’s who of very smart people. I can go on and on but others have also made the case: Sign the Root.
As noted in a recent article in Network World, the Department of Commerce sought comments through November 24, 2008 on signing the root. The memo and comments are posted here: http://www.ntia.doc.gov/DNS/DNSSEC.html. Let’s hope they are listening.
Another holdup is the difficulty in learning DNSSEC and the ongoing cost and risk of operating DNSSEC. Do it yourself DNSSEC requires a relatively high level of technical knowledge. There is a steep learning curve for implementation and probably a half time person for ongoing operations. This is too much for all but the largest organizations and service providers.
There are a lot of technical reasons for this difficulty but in short it is due to cryptographic operations that cannot be done securely while connected to the Internet. Since DNS is connected to the internet and runs 24/7 this is not a trivial problem and so manual operations are required and everyone knows that is another big risk.
My company, Secure64 Software, produces a DNSSEC signing server that automates DNSSEC signing functions. It installs in minutes and can be operational in a matter of hours. Technical knowledge and time required to operate is only marginally greater than running authoritative DNS today. It works with all of the primary DNS servers in use today. If you want to know more, click here: Secure64DNSSigner - DNSSEC made simple and secure.
Comments