DNS
The move towards DNSSEC has been going on for the last several years, though calls for its adoption started to accelerate in light of the Kaminsky DNS flaw, which was uncovered in 2008. Kaminsky himself recently called for more aggressive adoption of DNSSEC, though it’s a complex process.
Now a trio of new initiatives are being rolled out that could ultimately help to expedite DNSSEC deployments. Vendors including Afilias and the ISC (Internet Systems Consortium) are rolling out new deployment methods and the DNSSEC Industry Coalition is ramping up with a new registrar review program.
For the ISC, a new Web-based interface for its DNSSEC Look-aside Validation (DLV) registry is a key step to accelerating DNSSEC adoption.
“DNSSEC can’t be universally deployed yet because the root and .COM zones aren’t signed yet. .COM might be signed in 2011, but we have no firm idea of when or if the root zone will ever be signed,” Michael Graff, Project Leader for DLV at ISC told InternetNews.com. “DLV is a system that lets cooperating domain holders and server operators deploy DNSSEC in spite of the lack of signing in the root and .COM zones.”
VeriSign, the company that manages the root DNS zones, has previously told InternetNews.com that it’s working on a test bed now to get the root zone signed.
As far as DLV goes, Graff explained that by definition it’s a workaround solution.
“DLV is used when a trusted path from the root to a zone does not exist, hence the ‘LV’ for look-aside validation,” Graff said. “It supplies the necessary data for a DNS resolver to authenticate DNS keys for a zone when its parent does not have the ability to.”
The Trusted Anchor Repository alternative
Another option that has been mentioned by some, including Kaminsky, as a solution for the current lack of root zone DNS signing, is something called a Trusted Anchor Repository (TAR). In the TAR scenario trust is distributed across multiple points. Graff noted that the TAR approach is different than DLV.
“DLV is entirely real-time — domain owners can give us new keys any time, and server operators will discover those keys instantly,” Graff said. “DLV can handle a lot more signed domains than any TAR approach.”
Graff explained that TARs are published by the owners of the specific domain zones and just like there are many owners of zones, there will be many TARs.
“However, knowing the key is not the same as trusting the key; to really provide security, each of these TARs must be verified before being used,” Graff claimed. “ISC’s DLV removes the need for this by importing the TARs into DLV.”
1 click DNSSEC?
Internet infrastructure vendor Afilias is also getting into the DNSSEC business with its one click DNSSEC service that it claims will help speed adoption.
“We think this is the real missing link for adoption,” Afilias spokesperson Heather Read told InternetNews.com. “The major impediments (to DNSSEC) have been the complexity and costs for deployment. It is simply not most people’s core business to buy and implement new hardware and software for this plus train and maintain staff to manage keys. We solve this by giving customers an interface to manage this with just one click.”
ISC’s Graff doesn’t see the Afilias effort as being the same thing as what DLV is trying to achieve. Graff argued that Afilias has a system for signing their customers’ domains, but after they sign those domains they still have to figure out how to publish the keys, and without a signed root or .COM, that’s hard to do.
“Afilias’ one-click DNS signs a zone with DNSSEC. However, if it is example.com, since .com is not signed (nor is the root), there is no easy trusted path to that signed zone,” Graff said. “If the zone’s public key were added to DLV, however, we would then be able to provide it to others who can use it to verify the data in example.com.”
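The look-aside check Graff describes can be sketched as follows. This is an added example, not ISC's or Afilias' code: it models the RFC 5074 closest-match search and the DS-style SHA-256 digest comparison for a zone key. The registry name `dlv.example`, the key bytes and the in-memory registry are constructed assumptions, and a real validator would also verify the registry's own DNSSEC signatures before trusting any DLV record.

```python
import hashlib
import struct

DLV_DOMAIN = "dlv.example"  # hypothetical registry name, not a real service

def wire_name(name):
    """Canonical DNS wire form: lower-cased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as laid out in RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_dlv(zone, rdata):
    """DLV fields (same format as DS): key tag, algorithm, digest type 2, SHA-256 hex."""
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def find_dlv(zone, registry):
    """Closest-match search: try the zone, then each enclosing zone, under DLV_DOMAIN."""
    labels = [l for l in zone.lower().split(".") if l]
    for i in range(len(labels)):
        anchor = ".".join(labels[i:])
        records = registry.get(anchor + "." + DLV_DOMAIN)
        if records:
            return anchor, records
    return None, []

def key_trusted_via_dlv(zone, rdata, registry):
    """True only if the registry holds a DLV record for this exact zone and key.
    Signature checks on the registry's answer are assumed done and not modelled."""
    anchor, records = find_dlv(zone, registry)
    return anchor == zone.lower().rstrip(".") and make_dlv(zone, rdata) in records

# Constructed sample data: a made-up key-signing key, a substituted key, a registry.
ZONE_KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
FORGED_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
REGISTRY = {"example.com." + DLV_DOMAIN: [make_dlv("example.com", ZONE_KEY)]}

if __name__ == "__main__":
    print(key_trusted_via_dlv("example.com", ZONE_KEY, REGISTRY))
    print(key_trusted_via_dlv("example.com", FORGED_KEY, REGISTRY))
```

A key that hashes to a different digest than the one the zone owner registered is rejected, which is what lets a resolver detect a substituted DNSKEY even though .com and the root provide no DS record.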
DNSSEC Coalition Expands
Another effort moving forward is the DNSSEC Industry Coalition, which aims to bring together all the various players in the DNS ecosystem. The Coalition formally started up in December of 2008 and is now adding a new Registrar Review team to help expedite DNSSEC adoption.
“A large portion of our work is aimed at equipping registrars with tools and documentation for deploying DNSSEC,” Alexa Raad, CEO of .ORG, told InternetNews.com.
“We want the feedback early in the process from our registrars well before we plan to deliver the tools and documentation. This brings in important input from the registrars during the development stage which will result in delivering workable, practical tools and documentation.”
Raad added that one of the areas of focus is illustrating how domain name transfers will work within DNSSEC.
The .ORG registry, which Raad leads, is helping to spearhead the DNSSEC Industry Coalition and is also pushing forward on adopting DNSSEC across the .ORG top level domain itself.
So far that effort appears to be moving in the right direction.
“We are on track for signing the .ORG Zone in the first half of 2009,” Raad said.