[To: council[at]gnso.icann.org; liaison6c[at]gnso.icann.org]
[To: ga[at]gnso.icann.org; announce[at]gnso.icann.org]
[To: regional-liaisons[at]icann.org]
http://www.icann.org/en/announcements/announcement-24jul08-en.htm
Domain Name Security Paper Released
24 July 2008
Marina Del Rey, Calif: For many years, the Internet community
has been developing and enhancing a Domain Name System (DNS) security
technology called DNSSEC.
ICANN's strategic and operating [PDF, 480K] plans call for ICANN to be
operationally ready to deploy DNSSEC at
the root level and work with relevant stakeholders to determine how this should
be implemented. With input from many stakeholders, ICANN has prepared a
document describing this path to operational readiness for signing the root.
The purpose of this paper [PDF, 342K] released today is to:
a) articulate ICANN's initiatives toward operational readiness
for DNSSEC signing; and
b) help determine the right structures so ICANN is
"…prepared to digitally sign the root using DNSSEC technology by late
2008", as directed in the July 2008 – June 2011 ICANN Strategic Plan after
consultation with stakeholders and having sought the necessary approvals.
Specifically, this document is not a roadmap for DNSSEC
deployment.
Ultimately, this roadmap will be developed by a community
consultation process, and require relevant approvals through ICANN's IANA
functions contract with the U.S. Department of Commerce. A public forum has
been established at http://forum.icann.org/lists/dnssec-roadmap/
and ICANN actively seeks your input on this important matter. Email comments to
dnssec-roadmap@icann.org
In addition, a prominent security researcher recently privately
reported two domain name system (DNS) vulnerabilities to many DNS name server
developers.
DNSSEC would be a solution to these vulnerabilities.
The details of the vulnerabilities have not yet been disclosed
publicly, so that developers can produce patches to reduce the
threat these vulnerabilities pose. Private disclosures of this kind also give
DNS operators an opportunity to patch systems before the vulnerabilities can be
exploited for malicious or criminal purposes. ICANN understands there will be a
public announcement of these vulnerabilities by the researcher in coming weeks.
This vulnerability does not affect root-level servers or
services that provide authoritative name service at the top level. But it does
represent a threat for domain name servers that operate between end users and
the root: servers operated by Internet Service Providers or large enterprises.
Commercial service providers in general are aware of this issue, and are
working with vendors to update their software to the latest versions.
ICANN's Security Stability Advisory Committee will be examining
this issue and may report more fully later. ICANN urges any entity operating
name services to update to the current versions to provide the greatest protection.
Glen de Saint Géry
GNSO Secretariat
gnso.secretariat@gnso.icann.org
http://gnso.icann.org