Yesterday, the DNS root zone was signed. This is an important step in the deployment of DNSSEC, the mechanism that will finally secure the DNS against manipulation by malicious third parties.

The Domain Name System is a hierarchical system, where many nameserver operators are in charge of a limited set of information pertaining to a particular place in the hierarchy. To find the address information associated with any given name, it's necessary to traverse the hierarchy. For instance, looking up www.arstechnica.com means talking to a nameserver that knows about the "root," then going to one with information about .com and finally one that knows about arstechnica.com. DNSSEC requires signatures at each of these steps. Several top level domains (TLDs), such as .org, .se and .nl, have already signed their "zone," and can provide a secure pointer to domain names at the next level in the DNS hierarchy.

There has been no secure delegation towards the already signed TLDs because the root wasn't signed. To get around this limitation, people experimenting with DNSSEC used a collection of trust anchors, basically one for each TLD. With the root signed and secure delegations to the signed TLD zones included in the root zone, only a single trust anchor is required: one that explicitly trusts the root.

As of yesterday, this single trust anchor is available from ICANN, which can be used to validate the signed root zone. There aren't very many secure delegations in place, so nameservers set up to perform DNSSEC validation still use "look aside validation." To avoid problems, ICANN has frozen the root zone for a few days, and won't be accepting changes to the root zone until Tuesday. When the root unfreezes, there is no reason why secure pointers to signed TLDs can't be added quickly.

DNSSEC has the tendency to be very abstract. But a Firefox extension shows the utility of the mechanism. With the DNSSEC Validator extension installed, Firefox will show a red key in the URL bar if the DNSSEC validation fails, orange if the configured nameserver won't perform DNSSEC validation, and green if DNSSEC validation is successful. Since—with few exceptions—ISP nameservers don't perform DNSSEC validation, you will see many orange keys for DNSSEC-enabled domains such as www.isc.org, www.ietf75.se, or www.nic.cat. (Only the latter validates without using look-aside validation.) However, CZ.NIC and OARC make public validating nameservers available—prepopulated in the extension but not yet enabled—so try with one of these.

Of course DNSSEC will only truly shine once it's widely deployed in browsers, other applications, directly in operating systems, ISP nameservers, and in the nameservers of domain name owners. It would be even better if operating systems would do their own DNSSEC validation rather than trust the local caching DNS server in this regard.