RealTime IT News

DNSSEC Gets Validated With DLV

DNSSEC (DNS Security Extensions) is a technology that can make the Internet's Domain Name System more secure, yet it's also not trivial to implement for a variety of reasons. One potential solution to making DNSSEC deployable is something called DLV (DNSSEC Look-aside Validation) which is now getting a boost from a trio of vendors.

Network service providers, Internet Systems Consortium (ISC), Afilias and Neustar have banded together to support ISC’s DNSSEC Look-aside Validation (DLV) registry. The move could potentially help to accelerate DNSSEC adoption and make the Internet more secure for all users. DNSSEC provides digitally signed domain authentication and is a mechanism that could potentially prevent DNS cache poisoning attacks like the one reported by security researcher Dan Kaminksy in 2008.

"DLV is intended to fill gaps where a parent zone isn't signed," Michael Graff, DLV program manager at ISC told InternetNews.com. "For example, example.com cannot be usefully signed because .com itself isn't signed. Once a ccTLD is signed and can accept delegations, ISC will recommend to any domain holder of that ccTLD work directly with the registry."

Graff added that from a security perspective there is no difference in using DLV versus having a zone signed.

"DLV is standing in for a parent zone that isn't signed. .com domains will find DLV useful, .se domains would not because .se is signed and accepting delegation at the registry level," Graff said.

Ram Mohan Executive VP and CTO at Afilias explained that the DNS system is built like a tree with the root at the top, and each "authoritative zone" below it.

There are branches for each TLD like .org,.com, .info, and then leaves that stem off of that branch, representing each domain name registered. Each tree, branch and leaf are "authoritative" for themselves meaning .org can pass DNS information on all second level domains in .org. Redcross.org can pass DNS information for all records it owns under redcross.org such as mail.redcross.org, donate.redcross.org, www.redcross.org, etc.

Additional security with the DNS response

Mohan added that when requesting DNS information today, ISPs will query the root zone for the address information and then store it in their cache. All ISPs know where the root is and keep that as a known path to get correct DNS information.

"With DNSSEC, additional security information now needs to come with the DNS response," Mohan said. "A requestor like an ISP will ask with a public key and needs to pair that with the private key maintained by the place they are looking to go, Afilias for .org, or redcross for redcross.org. Without the root being signed, it cannot provide a response back with the DNSSEC information that users will seek to get the 'secure' information for .org."

Currently .org is in the process of signing for DNSSEC, but it's a process that is not yet complete, the .com root is not yet signed either.

"ISC's DLV is a look aside validation method that provides a safe way to lookup the validity of DNSSEC information since the root is not yet signed," Mohan said. "Technically, it means that ISPs will need to store a list of Trust Anchors that they know that they can request secure (DNSSEC) information from. When the root is signed, ISPs won't need to do this since the Root will pass along the information they need."

Next page: Scalability