Yesterday VeriSign, which operates two of the world's 13 root servers for ICANN along with the .com, .net, and .edu domains, announced more details of their implementation of DNSSEC for the .com and .net domains. See CNNMoney:
Most significantly, the roll-out is expected to be completed within the first quarter of 2011, which is just over a year away. Once the top-level domain and the root servers are signed (root signing will be complete by July 1, 2010), implementation of DNSSEC becomes less complex for entities within those domains. Each entity with a web site (or their service provider) must also implement DNSSEC for this protection to work for them.
I would expect that any entity with web sites that access personal data (credit card, banking, health care information) would be motivated to begin DNSSEC adoption immediately because once web sites can be authenticated they will very quickly be required to be authenticated - either through regulation or through litigation liability. No one wants their customers to be victims of cache poisoning or man-in-the-middle attacks.
The lead times for implementation can be months long if you do it yourself using open source tools. The penalty for messing up DNSSEC is for a site to go dark - so the stakes become quite a bit higher than simply running DNS.
Progress! Progress to a safer Internet.