It will take some time, but the Domain Name Service (DNS) is on its way to being secured around the world with DNSSEC (DNS Security Extensions). A new industry consortium called the DNSSEC Industry Coalition has been formed to expedite the implementation of DNSSEC and, in so doing, will help to secure the Internet itself for over a billion users.
“Collaboration of this kind is how DNSSEC was developed in the first place, and it’s how BIND’s DNSSEC feature development was sponsored,” Paul Vixie, a leading authority on DNS and the founder of Internet Systems Consortium (ISC) told InternetNews.com. “Now it’s the thing I suspect a lot of IT managers are waiting for so that they can relax a little bit and see DNSSEC as non-controversial, worthy of investment.”
DNSSEC provides a form of signed verification for DNS information, which is intended to assure DNS authenticity. Vixie’s BIND DNS server has had DNSSEC capabilities since 2004, though global deployment of DNSSEC has been in the single digits due to a number of implementation-related challenges.
The new coalition will aim to identify and overcome the challenges and make DNSSEC deployment a global reality. One of the key players in the new DNSSEC coalition is VeriSign, the vendor that controls the Internet’s root domain servers for the .com and .net domains.
“We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves,” Pat Kane, vice president of naming services at VeriSign told InternetNews.com.
The specific problem in Kane’s view is man-in-the-middle cache-poisoning attacks like the one discovered by Kaminsky. The basic idea behind the attack is that DNS server responses can be tampered with to redirect end users to different sites, so a user could type in “Google.com” and be taken to a phishing
Though DNSSEC is something VeriSign is supportive of, Kane cautioned that it is not a solution for everything that ails the Internet.
“We also want to make sure that in people’s enthusiastic rush to get DNSSEC implemented, that people understand what it is and the problems that it specifically solves,” Kane said. “It doesn’t solve phishing or malware distribution.”
To date, VeriSign has not implemented DNSSEC on the production root servers for .com or .net, though VeriSign does have a test bed that it is currently running. The .org top level domain doesn’t yet have DNSSEC deployed either, though the top level domain (TLD)
For VeriSign, Kane argued the real heavy lifting of implementing DNSSEC isn’t necessarily at the registry level where VeriSign sits but at the registrar level. Registrars are the organizations that actually deal with the domain owners.
“I’ve got 950 registrar customers that are going to have to carry and implement the heavy lifting,” Kane said. “The registrars will have to manage the key process, they’ll have to do the lion’s share of the work to make this thing real. As infrastructure players, we can sign a zone and ISPs can act on the response that comes from a zone. But for a registrant to take their domain name and make sure it’s DNSSEC enabled, they have to interact with their registrar.”
Kane also noted that there are some 280 top level domains currently and it’s important to make sure that the implementation for DNSSEC across them is similar, otherwise it will be very difficult for the registrars to implement.
“We’re partly trying to make sure we make it simple, straightforward and financially feasible for the registrars to implement DNSSEC as it comes to each top level domain that launches,” Kane said.
For the ISC’s Vixie, the barriers to DNSSEC adoption come down to a handful of items. For one, he stresses the need to get the root zone signed, including .com, for DNSSEC to function as it was intended. Improving the usability of DNSSEC’s tools and implementations is also key. That involves DNS servers like BIND as well as many other Internet ecosystem vendors.
“We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISPs to support DNSSEC validation in their recursive name servers and clients,” Vixie said. “And we need the DNS registrars and registries to fully support DNSSEC for all their domain holders, meaning that if a domain holder signs their zones they ought to be able to upload their public keys someplace.”
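The “upload their public keys someplace” step Vixie describes, and the “key process” Kane says registrars must manage, is concretely the handing of a DS record up to the parent zone: a hash of the child’s DNSKEY that the parent publishes so validators can link the two zones. The following is an added example, not code from the article or from ISC, VeriSign or BIND; it builds a DS record and performs the validator-side DNSKEY-to-DS check as specified in RFC 4034, and the DNSKEY bytes and the name example.com are constructed for illustration.

```python
import hashlib
import struct

# Added example (RFC 4034 section 5 and appendix B). The public key bytes
# used below are constructed filler, not a real key.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 appendix B): sum of 16-bit words, carry folded in."""
    acc = 0
    for i in range(0, len(rdata), 2):
        lo = rdata[i + 1] if i + 1 < len(rdata) else 0
        acc += (rdata[i] << 8) | lo
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types SHA-1, SHA-256

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), uppercase hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record the parent zone (the registry) publishes."""
    return (f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def dnskey_matches_ds(owner: str, rdata: bytes, tag: int, algorithm: int,
                      digest_type: int, digest: str) -> bool:
    """Validator-side check: is this child DNSKEY the one the parent's DS vouches for?"""
    if digest_type not in DIGESTS:
        return False  # unknown digest type: this DS cannot be used to validate
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest.upper())

# Constructed sample: a key-signing key (flags 257, protocol 3), algorithm 13,
# with 64 filler bytes standing in for the public key.
EXAMPLE_OWNER = "example.com."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    print(ds_record(EXAMPLE_OWNER, EXAMPLE_RDATA))
```

A validating resolver only trusts the child’s DNSKEY when this check passes against a DS it obtained from the already-validated parent, which is why an unsigned root or TLD breaks the chain above it.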
All told, implementing DNSSEC will involve many stakeholders and some cost. VeriSign’s Kane noted that there is encryption hardware and software to do key management that may be required as well as time and testing.
“When you’re talking about changing the ecosystem wide fabric of DNS you have to involve ISPs, application developers, registrars, registries and registrants and do plenty of testing,” Kane said. “DNS is a tool that people have come to treat like flipping a light switch. They expect it to be available and work. Testing will take the majority of the effort and time.”