Industry group hopes to make DNSSEC "non-controversial [and] worthy of investment."
It will take some time, but the Domain Name Service (DNS) is on its way to being secured
around the world with DNSSEC (DNS Security Extensions). A new industry consortium called
the DNSSEC Industry Coalition has been formed to expedite the implementation of DNSSEC
and, in so doing, to help secure the Internet itself for over a billion users.
DNS is critical to the functioning of the Internet, linking IP addresses with domain
names. Thanks to security researcher Dan Kaminsky, awareness of the DNS and its
shortcomings has been greatly elevated this year. DNSSEC is a key solution to ensuring
that the DNS cache poisoning attack that Kaminsky first warned about cannot occur.
"Collaboration of this kind is how DNSSEC was developed in the first place, and it's
how BIND's DNSSEC feature development was sponsored," Paul Vixie, a leading authority on
DNS and the founder of Internet Systems Consortium (ISC) told InternetNews.com.
"Now it's the thing I suspect a lot of IT managers are waiting for so that they can relax
a little bit and see DNSSEC as non-controversial, worthy of investment."
DNSSEC provides a form of signed verification for DNS information, which is intended
to assure DNS authenticity. Vixie's BIND DNS server has had DNSSEC capabilities
since 2004, though global deployment of DNSSEC has remained in the single digits due to
a number of implementation-related challenges.
The new coalition will aim to identify and overcome the challenges and make DNSSEC
deployment a global reality. One of the key players in the new DNSSEC coalition is
VeriSign, the vendor that controls the Internet's root domain servers for the .com and
"We firmly believe that DNSSEC is a technology that requires implementation and it
solves a specific problem that nothing else solves," Pat Kane, vice president of naming
services at VeriSign told InternetNews.com.
The specific problem in Kane's view is man-in-the-middle cache poisoning attacks like
the one discovered by Kaminsky. The basic idea behind the attack is that DNS server
responses can be tampered with to redirect end users to different sites, so a user could
type in "Google.com" and be taken to a phishing site instead. With cryptographically
signed DNS information from DNSSEC, a domain name's records would be validated to
ensure authenticity.
Though DNSSEC is something VeriSign is supportive of, Kane cautioned that it is not a
solution for everything that ails the Internet.
"We also want to make sure that in people's enthusiastic rush to get DNSSEC
implemented, that people understand what it is and the problems that it specifically
solves," Kane said. "It doesn't solve phishing or malware distribution."
Article courtesy of InternetNews.com
To date, VeriSign has not implemented DNSSEC on the production root servers for .com
or .net, though VeriSign does have a test bed that it is currently running. The .org top
level domain doesn't yet have DNSSEC deployed either, though that top level domain (TLD)
is now in the process of deploying it under an initiative launched earlier this year. The
DNSSEC Industry Coalition itself is actually being chaired by .org's CEO Alexa Raad.
For VeriSign, Kane argued the real heavy lifting of implementing DNSSEC isn't
necessarily at the registry level where VeriSign sits but at the registrar level.
Registrars are the organizations that actually deal with the domain owners.
"I've got 950 registrar customers that are going to have to carry and implement the
heavy lifting," Kane said. "The registrars will have to manage the key process, they'll
have to do the lion's share of the work to make this thing real. As infrastructure
players, we can sign a zone and ISPs can act on the response that comes from a zone. But
for a registrant to take their domain name and make sure it's DNSSEC enabled, they have
to interact with their registrar."
Kane also noted that there are some 280 top level domains currently and it's important
to make sure that the implementation for DNSSEC across them is similar, otherwise it will
be very difficult for the registrars to implement.
"We're partly trying to make sure we make it simple, straightforward and financially
feasible for the registrars to easily implement DNSSEC as it comes to each top level
domain that launches," Kane said.
For ISC's Vixie, the real barriers to DNSSEC adoption are several. First, he stresses
the need to get the root zone signed, along with .com, for DNSSEC to function as it was
intended. Improving the usability of DNSSEC's tools and implementations is also key. That
involves DNS servers like BIND as well as many other Internet ecosystem vendors.
"We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISPs
to support DNSSEC validation in their recursive name servers and clients," Vixie said.
"And we need the DNS registrars and registries to fully support DNSSEC for all their
domain holders, meaning that if a domain holder signs their zones they ought to be able
to upload their public keys someplace."
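To make concrete both the "signed verification" that stops a tampered answer from being accepted and the "upload their public keys someplace" step Vixie describes (the parent zone publishing a DS record that anchors the child's key), here is an added example modelling a validating resolver. It is not code from the article, from VeriSign or from ISC's BIND. It assumes a constructed example.com zone with addresses from the documentation ranges, and it uses textbook RSA over two hard-coded Mersenne primes as a stand-in for a real RSASHA256 key so that it runs with only the Python standard library; the key tag and DS digest are simplified stand-ins for the RFC 4034 formats. The validation steps, not the toy arithmetic, are the point.

```python
"""Toy model of DNSSEC validation in a recursive resolver (added example).
Real DNSSEC uses 2048-bit RSA or ECDSA P-256 keys with proper padding; the
toy RSA here is a constructed stand-in so the example needs only stdlib."""
import hashlib

def make_toy_key(p, q, e=65537):
    """Return (public, private) textbook-RSA key pair. Constructed, not secure."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# example.com's zone key (would be published as its DNSKEY record).
ZONE_PUB, ZONE_PRIV = make_toy_key((1 << 61) - 1, (1 << 89) - 1)
# A second key a forger controls, to show what the DS record buys us.
ROGUE_PUB, ROGUE_PRIV = make_toy_key((1 << 107) - 1, (1 << 127) - 1)

def canonical_rrset(owner, rtype, ttl, rdata):
    """Canonical form in the spirit of RFC 4034 section 6: lower-cased owner
    name, records sorted so reordering cannot change what was signed."""
    return "\n".join(f"{owner.lower()} {ttl} IN {rtype} {r}"
                     for r in sorted(rdata)).encode()

def key_tag(pub):
    """Stand-in for the RFC 4034 key tag: 16-bit identifier of a public key."""
    return int.from_bytes(hashlib.sha256(repr(pub).encode()).digest()[:2], "big")

def ds_digest(zone, pub):
    """What the parent (.com) publishes as the DS record: a digest of the child's
    DNSKEY. Getting it there via the registrar is the 'upload the key' step."""
    return hashlib.sha256(f"{zone.lower()}|{pub}".encode()).hexdigest()

def _signed_blob(owner, rtype, ttl, rdata, inception, expiration, tag, signer):
    # The RRSIG covers its own header fields plus the canonical RRset, so the
    # validity window, key tag and signer cannot be edited without breaking it.
    header = f"{rtype}|{inception}|{expiration}|{tag}|{signer}\n".encode()
    return header + canonical_rrset(owner, rtype, ttl, rdata)

def _hash_int(blob):
    # Truncate SHA-256 to 128 bits so the integer is below the toy modulus.
    return int.from_bytes(hashlib.sha256(blob).digest()[:16], "big")

def sign_rrset(owner, rtype, ttl, rdata, inception, expiration, signer, pub, priv):
    """Zone-signing side: build an RRSIG-like record for one RRset."""
    d, n = priv
    tag = key_tag(pub)
    h = _hash_int(_signed_blob(owner, rtype, ttl, rdata, inception, expiration, tag, signer))
    return {"type_covered": rtype, "inception": inception, "expiration": expiration,
            "key_tag": tag, "signer": signer.lower(), "signature": pow(h, d, n)}

def validate(resp, trusted_ds, now):
    """Validating-resolver side. Returns (ok, reason); ok means the AD flag would be set."""
    owner, rtype, ttl, rdata = resp["owner"], resp["type"], resp["ttl"], resp["rdata"]
    rrsig, dnskey = resp.get("rrsig"), resp.get("dnskey")
    if rrsig is None or dnskey is None:
        # The parent has a DS for this zone, so an unsigned answer is itself suspect.
        return False, "unsigned answer for a zone that has a DS"
    signer = rrsig["signer"]
    if owner.lower() != signer and not owner.lower().endswith("." + signer):
        return False, "RRSIG signer does not own this name"
    # 1. Chain of trust: the DNSKEY must match the DS the parent published.
    if ds_digest(signer, dnskey) != trusted_ds:
        return False, "DNSKEY does not match the DS record in the parent zone"
    # 2. The RRSIG must reference this key and cover this RRset type.
    if rrsig["key_tag"] != key_tag(dnskey) or rrsig["type_covered"] != rtype:
        return False, "RRSIG does not match the key or the record type"
    # 3. The signature must be inside its validity window.
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False, "RRSIG outside its validity window"
    # 4. The signature must verify over the canonical RRset.
    e, n = dnskey
    expected = _hash_int(_signed_blob(owner, rtype, ttl, rdata, rrsig["inception"],
                                      rrsig["expiration"], rrsig["key_tag"], signer))
    if pow(rrsig["signature"], e, n) != expected:
        return False, "bad signature: RRset was altered"
    return True, "validated"

def demo(now=1_230_000_000):
    """Run constructed answers through the resolver; return each verdict."""
    zone = "example.com"
    ds = ds_digest(zone, ZONE_PUB)  # the registrar placed this in the .com zone
    genuine = {"owner": "www.example.com", "type": "A", "ttl": 300,
               "rdata": ["192.0.2.10"], "dnskey": ZONE_PUB,
               "rrsig": sign_rrset("www.example.com", "A", 300, ["192.0.2.10"],
                                   now - 3600, now + 86400, zone, ZONE_PUB, ZONE_PRIV)}
    # Cache-poisoning style forgery: same RRSIG, address swapped for a lookalike host.
    poisoned = dict(genuine, rdata=["203.0.113.66"])
    # Forger re-signs the bogus answer with a key of their own.
    rogue = dict(poisoned, dnskey=ROGUE_PUB,
                 rrsig=sign_rrset("www.example.com", "A", 300, ["203.0.113.66"],
                                  now - 3600, now + 86400, zone, ROGUE_PUB, ROGUE_PRIV))
    # Signature stripped entirely.
    unsigned = {k: v for k, v in genuine.items() if k not in ("rrsig", "dnskey")}
    return {"genuine": validate(genuine, ds, now),
            "poisoned": validate(poisoned, ds, now),
            "rogue_key": validate(rogue, ds, now),
            "unsigned": validate(unsigned, ds, now),
            "expired": validate(genuine, ds, now + 10 * 86400)}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {why}")
```

Only the genuine answer validates. The poisoned copy fails at the signature check because the RRset no longer matches what the zone signed; the re-signed copy fails earlier because the forger's DNSKEY does not match the DS the parent holds, which is exactly why the registrar-mediated key upload is part of the deployment work the article describes; the stripped answer fails because a resolver that knows a DS exists must not accept unsigned data; and the expired case shows why key and signature lifetimes have to be operated, not just set once.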
All told, implementing DNSSEC will involve many stakeholders and some cost. VeriSign's
Kane noted that there is encryption hardware and software to do key management that may
be required as well as time and testing.
"When you're talking about changing the ecosystem-wide fabric of DNS you have to
involve ISPs, application developers, registrars, registries and registrants and do
plenty of testing," Kane said. "DNS is a tool that people have come to treat like
flipping a light switch. They expect it to be available and work. Testing will take the
majority of the effort and time."