RealTime IT News

DNS Security Getting Easier?

DNS, the critical technology that connects IP addresses to domains, is not secure by default. It's an issue that the IT industry is trying to solve with DNSSEC – DNS Security Extensions that provide digitally signed and encrypted domain authentication.

The move towards DNSSEC has been going on for the last several years, though calls for its adoption started to accelerate in light of the Kaminsky DNS flaw, which was uncovered in 2008. Kaminsky himself recently called for more aggressive adoption of DNSSEC, though it's a complex process. Now a trio of new initiatives is being rolled out that could ultimately help to expedite DNSSEC deployments. Vendors including Afilias and the ISC (Internet Systems Consortium) are rolling out new deployment methods, and the DNSSEC Industry Coalition is ramping up with a new registrar review program.

For the ISC, a new Web-based interface for its DNSSEC Look-aside Validation (DLV) registry is a key step to accelerating DNSSEC adoption.

"DNSSEC can't be universally deployed yet because the root and .COM zones aren't signed yet. .COM might be signed in 2011, but we have no firm idea of when or if the root zone will ever be signed," Michael Graff, Project Leader for DLV at ISC, told InternetNews.com. "DLV is a system that lets cooperating domain holders and server operators deploy DNSSEC in spite of the lack of signing in the root and .COM zones."

VeriSign, the company that manages the root DNS zones, has previously told InternetNews.com that it's working on a test bed now to get the root zone signed.

As far as DLV goes, Graff explained that by definition it's a workaround solution.

"DLV is used when a trusted path from the root to a zone does not exist, hence the 'LV' for look-aside validation," Graff said. "It supplies the necessary data for a DNS resolver to authenticate DNS keys for a zone when its parent does not have the ability to."
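The look-aside step Graff describes can be shown concretely. The following is an added example, not ISC's code or anything from the article: it simulates how a validating resolver that finds no DS record at a zone's parent consults the DLV tree instead, rewriting the zone name under the DLV domain, walking up to ancestor names when the zone itself has no entry, and checking the published digest against the zone's DNSKEY exactly as a DS record would be checked. The digest and key-tag arithmetic follow RFC 4034; the DLV name search follows RFC 5074. The only real name used is dlv.isc.org; the key material, the zone names and the registry contents are constructed for illustration, and the simulation assumes the registry data has already been authenticated under the DLV domain's own trust anchor (in a real resolver the DLV RRset is itself DNSSEC-signed).

```python
"""Simulated DNSSEC look-aside validation (DLV, RFC 5074).

Added example, not ISC's or the article's code. Key material, zone names and
registry contents are constructed; dlv.isc.org is the real DLV domain name.
"""
import hashlib
import struct

DLV_DOMAIN = "dlv.isc.org"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS/DLV digest = hash(owner name in wire form || DNSKEY RDATA); type 1 is SHA-1, 2 is SHA-256."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).digest()


def dlv_candidates(zone: str, dlv_domain: str = DLV_DOMAIN) -> list:
    """Names the resolver looks up in the DLV tree: the zone itself first, then each ancestor."""
    labels = zone.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." + dlv_domain for i in range(len(labels))]


def validate_with_dlv(zone, dnskey_rrset, dlv_registry, dlv_domain=DLV_DOMAIN):
    """Outcome of look-aside validation for a zone whose parent publishes no DS record.

    dnskey_rrset: list of (flags, protocol, algorithm, pubkey) tuples from the zone's apex.
    dlv_registry: constructed stand-in for the DLV zone, mapping DLV owner names to
                  (key_tag, algorithm, digest_type, digest) tuples, assumed already authenticated.
    Returns ("secure", zone) when a DLV record matches one of the zone's keys, ("bogus", zone)
    when the zone is listed but no key matches, ("anchor-at-ancestor", name) when the closest
    DLV entry covers an ancestor (the resolver then follows normal DS delegation from there),
    and ("insecure", None) when nothing in the DLV tree covers the zone.
    """
    for name in dlv_candidates(zone, dlv_domain):
        entries = dlv_registry.get(name)
        if entries is None:
            continue
        covered = name[: -(len(dlv_domain) + 1)]  # strip ".dlv.isc.org" to recover the covered zone
        if covered != zone:
            return ("anchor-at-ancestor", covered)
        for key in dnskey_rrset:
            rdata = dnskey_rdata(*key)
            tag = key_tag(rdata)
            for dlv_tag, dlv_alg, dlv_dtype, dlv_digest in entries:
                if (dlv_tag, dlv_alg) == (tag, key[2]) and dlv_digest == ds_digest(zone, rdata, dlv_dtype):
                    return ("secure", zone)
        return ("bogus", zone)
    return ("insecure", None)


# Constructed sample data: a KSK for example.com and the DLV record the registry would publish for it.
EXAMPLE_KSK = (257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(1, 65)))  # flags, proto, alg, fake RSA pubkey
EXAMPLE_RDATA = dnskey_rdata(*EXAMPLE_KSK)
DLV_REGISTRY = {
    "example.com." + DLV_DOMAIN: [
        (key_tag(EXAMPLE_RDATA), 8, 2, ds_digest("example.com", EXAMPLE_RDATA, 2)),
    ],
}

if __name__ == "__main__":
    tampered = (257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(2, 66)))  # constructed substituted key
    print("genuine key   :", validate_with_dlv("example.com", [EXAMPLE_KSK], DLV_REGISTRY))
    print("substituted key:", validate_with_dlv("example.com", [tampered], DLV_REGISTRY))
    print("unlisted zone :", validate_with_dlv("example.net", [EXAMPLE_KSK], DLV_REGISTRY))
    print("child of listed:", validate_with_dlv("www.example.com", [EXAMPLE_KSK], DLV_REGISTRY))
```

The "bogus" outcome is the one that matters operationally: a zone that is listed in the registry but whose served DNSKEY no longer matches the published digest is rejected, which is the same failure a resolver reports when a key rollover is done without updating the DS (or here, the DLV) record. The "insecure" outcome is simply the unsigned-zone case, which is why DLV only helps domain holders who register with it.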

The Trusted Anchor Repository alternative

Another option that has been mentioned by some, including Kaminsky, as a solution for the current lack of root zone DNS signing is something called a Trusted Anchor Repository (TAR). In the TAR scenario, trust is distributed across multiple points. Graff noted that the TAR approach is different from DLV.

"DLV is entirely real-time -- domain owners can give us new keys any time, and server operators will discover those keys instantly," Graff said. "DLV can handle a lot more signed domains than any TAR approach."

Graff explained that TARs are published by the owners of the specific domain zones and just like there are many owners of zones, there will be many TARs.

"However, knowing the key is not the same as trusting the key; to really provide security, each of these TARs must be verified before being used," Graff claimed. "ISC's DLV removes the need for this by importing the TARs into DLV."
