This is a good thing but there is a possible crisis coming. For some, May 5th may be the end of the online world. It depends. Let me tell you the story. While I'm at it, I'll help our competition along the way who missed a few salient points.
In short, all Internet-facing servers have a unique IP address and it is DNS which translates the friendly names we know into those addresses. Consider DNS the wise old sage of the Internet who has everyone in his rolodex.
Yet, not everyone on the Internet is as nice as you and I. There are people who would like to intercept DNS requests - imagine if (for instance) your online banking transactions were actually sent to a hostile phishing server, because the DNS request was intercepted and tampered with?
DNSSEC is the next generation of DNS; fundamentally it stands for DNS Security Extensions and, as you might gather, adds security to the DNS protocol.
DNSSEC is designed to protect the Internet from attacks like the one described above, otherwise known as 'man in the middle'.
There are other DNS vulnerabilities like cache poisoning. In this scenario, the bad guys aren't just intercepting one request and sending you elsewhere. Instead, they are seeking to inject bad data into your DNS cache which can affect future DNS lookups made.
This works because your computer doesn't want to be continually issuing DNS requests, nor does your ISP's server or any upstream server. Instead, through a series of caches, results are retained and gradually expire over time, at which point they are retrieved anew.
DNSSEC is designed to guard against these threats.
Specifically, DNSSEC adds extra information which combines to provide origin authentication of DNS data, data integrity and authenticated denial of existence. DNSSEC will protect against most threats against the DNS protocol. (It won't offer any protection against denial of service - or DoS - attacks, however.)
Now, DNSSEC is not new. In fact, a paper was published in August 2004 evaluating how effective DNSSEC would be against specific vulnerabilities. This is RFC 3833 and is part of the official set of Internet RFCs, the body of documents that prescribe how the Internet works.
Getting to the thrust and parry of robust debate, our lovable competition iTNews stated today that on May 5th the world's top domain authorities (led by ICANN among others) will complete the first phase of the roll-out of DNSSEC across the 13 root servers - that is, the very top-level DNS servers. Oh my!
You should take that comment about 13 root servers with a grain of salt, and here's why.
The truth is there are many hundreds of root servers at over 130 physical locations in many different countries. These aren't run by any one organisation but by twelve. In fact, ICANN itself - whom iTNews refer to - has a bold blog post titled 'There are not 13 root servers' dated way back in 2007.
There are networks upon networks of multiple servers all working together to handle the millions of DNS queries which the root servers receive constantly, minute upon minute, hour upon hour. Imagine the grind if the Internet depended on 13 root servers? Imagine the absolute risk if you just had to take down 13 root servers to take down the Internet?
Where the problem comes in, however, is that DNSSEC responses will be larger in size than previous DNS responses because (logically) more information is being carried, namely authentication information.
Just as the Y2K crisis arose from concern older equipment only used two-digit years to record time, so too 'the DNSSEC crisis', if we can call it that, is built on that damnable older equipment again. This time around the fear is that an older router or gateway won't recognise the laden data packets coming its way and will block them.
Our good friends at iTNews didn't take maths at school so we'll help them with this point. A DNSSEC response will be 2KB - four times the size of a previous 512-byte DNS response. iTNews note that this may 'potentially' be sent in multiple packets via the TCP protocol. Of course, the default packet size is 1536 bytes, so I wouldn't say 2KB is 'potentially' going to take multiple packets; it will definitely require two.
The good news is that the protocol isn't new. It's been talked about and written about for most of this decade. You can be certain the big players - Cisco, major ISPs, the like - all have this matter under control in equipment manufactured and installed or upgraded in recent years.
Further, DNSSEC has been rolling out progressively across the mass collection of root name servers for several months now with few, if any, ill effects.
Still, if you have any concerns be sure to test your company, your home, your network using tools like OARC's DNS reply size test server.
Let's knock this problem over before the rest of the world gets startled this time.