. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
To whom it may concern:
The Domain Name System (DNS) -- the
integral, critical part of the Internet's infrastructure that converts
human-readable names to the information required for computers to
communicate -- was designed in a kinder, gentler time. It
was a time free of cache poisoning, man-in-the-middle, and injection
attacks. That innocence has been lost and DNS-based
attacks are a daily occurrence.
The technology to cryptographically verify
the validity of DNS data exists. Adoption is being
hindered by the lack of a signed hierarchy. Top-Level
Domains (TLDs) that are signed are less likely to be verified without
a signed root and other TLDs find this reason enough not to be
DNS Security (DNSSEC) is an Internet
standard defined by a set of RFCs. Every major
implementation of DNS server and recursive resolver software either
already supports the complete set of RFCs or will do so
DNSSEC is not a panacea. It will
not stop all attacks, including denial of service attacks, any more
than a life preserver will stop a bullet or a bicycle helmet will
protect against a heart attack. However, that is no reason
not to use all of the technologies at our disposal to stop as many
types of attacks as possible.
The root zone -- the list of Top Level
Domains and associated records -- is small. The resources
required to sign the root are minimal. Best practices are
well understood and operational procedures are actively being
tested by ICANN/IANA.
DNSSEC is international and has the backing
of many countries, some of which have already signed their
TLDs. DNSSEC is also promoted by organizations that
understand the need to protect both the global DNS and their slice of
it, including the US Office of Management and Budget, US National
Institute of Standards and Technology, and the US Departments of
Homeland Security and Defense.
The inertia that keeps the root from being
signed is just that, inertia. The technical and political
ramifications have been discussed in public fora for years and it is
clear that signing the root will neither change the existing
underpinnings of the DNS management nor prevent it from changing in
the future as it might without DNSSEC.
Now it is time to get all of the Top Level Domains, registrars, ISPs, and operating system and application vendors on board!
Concerned Internet Users