[AfrICANN-discuss] DNSSEC -- ICANN announcement et article Blog de
SVG en francais
Anne-Rachel Inné
annerachel at gmail.com
Thu Jun 4 19:27:33 SAST 2009
ICANN to Work with United States Government and VeriSign on Interim Solution
to Core Internet Security Issue
Immediate security concerns addressed by DNSSEC
3 June 2009
Washington, D.C.—June 3, 2009—ICANN will work with the U.S. Department of
Commerce's National Telecommunications and Information Administration
(NTIA), the National Institute of Standards and Technology (NIST) and
VeriSign on the goal of an operationally Signed Root Zone as soon as
feasible in 2009.
In a letter agreeing to participate, ICANN recognizes the urgency
surrounding the issue of electronically signing the Internet’s "root zone"
but stresses the need for this process to be interim.
" We’ve been working towards a signed root for more than three years. In
fact, ICANN has operated a root zone signing test bed for more than two
years. So ICANN is aware of the urgency around signing the root to enhance
stability and security" Paul Twomey, President and CEO of ICANN said.
"ICANN has agreed to work with VeriSign and the Department of Commerce to
first test, and then have production deployment of DNS Security Extensions
(DNSSEC) as soon as feasible without prejudice to any proposals that may be
made for long term signing processes" said Twomey.
"There will of course need to be consultations with the Internet technical
community as the testing and implementation plans are developed" he added.
The NTIA asked for input from the Internet community in October 2008 on the
issue of securing the top level of the domain name system (DNS) from
vulnerabilities that threaten the accuracy and integrity of the DNS data.
Vulnerabilities in the existing DNS have become easier to exploit to the
extent that malicious parties may be able to distribute false DNS
information, and to re-direct Internet users.
Details of the process are still being worked on but discussions between the
Department of Commerce and VeriSign and ICANN have identified that VeriSign
will manage and have operational responsibility for the Zone Signing Key in
the interim arrangement, and that ICANN will manage the Key Signing Key
process. ICANN will work closely with VeriSign regarding the operational and
cryptographic issues involved.
"This is very important for the global community of Internet users. We will
work closely with all participants on this crucial security initiative."
Twomey said.
For more information on DNSSEC deployment, please visit:
http://www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm.
http://www.stephanevangelder.fr/archives/245-Le-gouvernement-americain-veut-securiser-lInternet.html
Le
gouvernement américain veut sécuriser
l'Internet<http://www.stephanevangelder.fr/archives/245-Le-gouvernement-americain-veut-securiser-lInternet.html>
Thursday,
June 4. 2009
L'administration de Barack Obama va travailler avec Verisign et l'ICANN à
l'implémentation de DNSSEC. Bon, d'accord, dit comme ça, l'info peut
paraître un peu… comment dire… excitante. Mais en fait, c'est une info
primordiale pour tous ceux qui utilisent l'Internet. C'est à dire, vous qui
lisez ces lignes.
La technologie DNSSEC vise à sécuriser une faille majeure du système
Internet. Aujourd'hui, lorsque vous souhaitez vous connecter à un site web,
votre ordinateur utilise le DNS (Domain Name System) pour recevoir l'adresse
(adresse IP) du site en question et vous y emmener. Or votre ordi n'a aucun
moyen de vérifier l'authenticité d'une adresse IP. Donc si un pirate
parvient à intercepter votre demande, il peut vous fournir une fausse
adresse IP et donc vous envoyer vers un autre site. Et si ce dernier est
visuellement identique au vrai site, un site d'achat en ligne par exemple,
vous risquez d'inscrire vos coordonnées CB sur un site pirate sans même le
savoir ! L'enjeu est donc de taille.
DNSSEC vise à signer numériquement les réponses DNS. Le principe est
similaire à celui des emails signés, permettant d'être certain qu'un message
provient bien du bon expéditeur.
Mais compte tenu du nombre de noms de domaine en service aujourd'hui (183
millions), il est impossible de signer chaque nom. Pour mettre DNSSEC en
service, il faut donc signer chaque "étage" du DNS, en commençant par la
racine, pour ensuite faire chaque extension.
C'est sur la signature de la racine – première étape obligatoire pour
déployer DNSSEC et sécuriser l'Internet - que le gouvernement américain va
collaborer avec l'ICANN et Verisign. Le but : signer la racine avant la fin
2009.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20090604/5ae5f97d/attachment.htm
More information about the AfrICANN
mailing list