Root zone switches to DNSSEC

The move, which has been happening gradually since the end of January, sees the j.root-servers.net server switch over to a signed version of the DNS protocol, which makes it much harder to spoof DNS queries and mount other attacks on the system.

Changing the entire root zone to DNSSEC is significant, because these 13 services sit at the top of the hierarchy for the DNS system, which is used to translate web domains such as Infosecurity-US.com to the underlying IP address that locates the destination server. The DNS system works in a hierarchy, in which requests are sent to DNS servers to translate these domain addresses. If the DNS server does not have the answer, it asks another server further up the chain. This process repeats until the root server eventually comes into play.

The process of changing over to a secure DNS root zone is still not complete, however. The signatures served by the root servers cannot yet be validated, because the public key has not yet been disclosed. This key is due to be published in early July, after a key ceremony involving representatives from different countries. "The deployment of the signed root zone is happening now, with some of the root servers already providing signed responses," said root-servers.org, the site responsible for documenting root zone operations. "Although not yet useful for validation purposes, these signed responses are larger than unsigned responses and this may have an operational impact for resolvers."
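The operational point in that statement can be checked from the resolver side. The sketch below is an added example, not code from the article or from root-servers.org: it builds a query that requests signatures through the EDNS0 DO bit and reports whether a response exceeds the classic 512-byte UDP limit, is truncated, or carries RRSIG records. The function names are hypothetical, and the sample response is constructed (uncompressed names, placeholder signature bytes) so that it runs offline.

```python
import struct

TYPE_NS, TYPE_OPT, TYPE_RRSIG = 2, 41, 46

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Query carrying an EDNS0 OPT record; the DO bit requests signatures."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect_response(msg):
    """Report the properties that matter to resolvers and middleboxes."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"size": len(msg), "over_512": len(msg) > 512,
            "truncated": bool(flags & 0x0200), "signed": TYPE_RRSIG in types}

def sample_response(signed):
    """Constructed '. NS' answer: 13 NS records, plus a placeholder RRSIG if signed."""
    rrs = [(TYPE_NS, encode_name(c + ".root-servers.net")) for c in "abcdefghijklm"]
    if signed:  # 18 fixed bytes + root signer name + 256 placeholder signature bytes
        rrs.append((TYPE_RRSIG, bytes(18) + b"\x00" + bytes(256)))
    body = b"".join(b"\x00" + struct.pack("!HHIH", t, 1, 518400, len(rd)) + rd for t, rd in rrs)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)
    return header + b"\x00" + struct.pack("!HH", TYPE_NS, 1) + body

if __name__ == "__main__":
    for signed in (False, True):
        print(signed, inspect_response(sample_response(signed)))
```

A resolver or firewall that drops UDP DNS messages over 512 bytes, or strips the OPT record, would pass the unsigned sample and fail on the signed one.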

The implementation of DNSSEC in the DNS root zone is a joint effort between the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign and the US Department of Commerce.
