DNSSEC Gets Validated With DLV

DNSSEC (DNS Security Extensions) is a technology that can make the Internet’s Domain Name System more secure, yet it’s also not trivial to implement for a variety of reasons. One potential solution to making DNSSEC deployable is something called DLV (DNSSEC Look-aside Validation) which is now getting a boost from a trio of vendors.

Network service providers, Internet Systems Consortium (ISC), Afilias and Neustar have banded together to support ISC’s DNSSEC Look-aside Validation (DLV) registry. The move could potentially help to accelerate DNSSEC adoption and make the Internet more secure for all users. DNSSEC provides digitally signed domain authentication and is a mechanism that could potentially prevent DNS cache poisoning attacks like the one reported by security researcher Dan Kaminksy in 2008.

“DLV is intended to fill gaps where a parent zone isn’t signed,” Michael Graff, DLV program manager at ISC told InternetNews.com. “For example, example.com cannot be usefully signed because .com itself isn’t signed. Once a ccTLD is signed and can accept delegations, ISC will recommend to any domain holder of that ccTLD work directly with the registry.”

Graff added that from a security perspective there is no difference in using DLV versus having a zone signed.

“DLV is standing in for a parent zone that isn’t signed. .com domains will find DLV useful, .se domains would not because .se is signed and accepting delegation at the registry level,” Graff said.

Ram Mohan Executive VP and CTO at Afilias explained that the DNS system is built like a tree with the root at the top, and each “authoritative zone” below it.

There are branches for each TLD like .org,.com, .info, and then leaves that stem off of that branch, representing each domain name registered. Each tree, branch and leaf are “authoritative” for themselves meaning .org can pass DNS information on all second level domains in .org. Redcross.org can pass DNS information for all records it owns under redcross.org such as mail.redcross.org, donate.redcross.org, www.redcross.org, etc.

Additional security with the DNS response

Mohan added that when requesting DNS information today, ISPs will query the root zone for the address information and then store it in their cache. All ISPs know where the root is and keep that as a known path to get correct DNS information.

“With DNSSEC, additional security information now needs to come with the DNS response,” Mohan said. “A requestor like an ISP will ask with a public key and needs to pair that with the private key maintained by the place they are looking to go, Afilias for .org, or redcross for redcross.org. Without the root being signed, it cannot provide a response back with the DNSSEC information that users will seek to get the ‘secure’ information for .org.”

Currently .org is in the process of signing for DNSSEC, but it’s a process that is not yet complete, the .com root is not yet signed either.

“ISC’s DLV is a look aside validation method that provides a safe way to lookup the validity of DNSSEC information since the root is not yet signed,” Mohan said. “Technically, it means that ISPs will need to store a list of Trust Anchors that they know that they can request secure (DNSSEC) information from. When the root is signed, ISPs won’t need to do this since the Root will pass along the information they need.”

Next page: Scalability

Page 2 of 2

Scalability

The DLV effort began at the ISC, three years ago with ISC being the primary DNS host. NeuStar and Afilias are now coming on board as secondary sources.

“Secondary in DNS terms means that they are also an authoritative source of the zones data but the master data is created on our servers and securely propagated to the secondaries,” ISC’s Graff said. “The DNS protocol will select the best nameserver randomly at first and then over time base up a dynamic table of response times. So secondary isn’t really for redundancy as much as it is about network diversity.”

Rodney Joffe, senior vice president and senior technologist at NeuStar, told InternetNews.com that DLV is now available in a more robust way than what the ISC alone was able to offer on its own three years ago.

“DLV had little traction back then because DNSSEC seemed long off,” Joffe said. “Now it’s much closer to reality, cache poisoning is a proven, real danger, so now there is a driver from the customer side.”

Afilias’ Mohan commented that historically the issues related to DNSSEC adoption have been chicken/egg. That is, the users did not want to spend the cost for overhauling their DNS operations to support DNSSEC if zones weren’t signed and actually sharing secure information.

“In the time between now and when the Root and all major TLDs are signed, organizations responsible for directing end users to Web sites (i.e.: ISPs) need an interim place to rely on for this information that is trusted and reliable,” Mohan said.

“ISC’s DLV is that place.”

News Around the Web