DNSSEC is Here. Now What?
Now that the root zone of the Internet is secured, are we all secure now? And if not, what needs to be done?
A panel of experts, including Kaminsky, addressed the issue of DNS security and what's next at the Black Hat USA 2010 conference currently underway in Las Vegas.
"The root is signed. Does that mean Internet is safe?" Rob Beckstom, CEO of ICANN, asked the Black Hat 2010 audience. "No," he continued, "it means the Internet can now become safe."
Beckstrom noted that DNSSEC signing needs to propagate throughout all the top level domains in the Internet. Currently the .org top level domain is signed, but .com is not. VeriSign CTO Ken Silva, who was also on the panel, noted that the .com domain will be signed by March of 2011.
"There needs to be more development of applications that better leverage DNSSEC and Internet Service Providers (ISP) need to adopt and support name server capability in supporting DNSSEC," Beckstrom said. "We're just now moving to adoption phase."
DNSSEC alone may not solve all issues for DNS security, either. Silva noted that what needs to happen now is research and discussion into how to fortify the DNS protocol for the longer term.
"What will that protocol look like so it will be less susceptible to attack then it is today?" Silva asked.
In response to a question from InternetNews.com, Silva also explained why VeriSign's EV-SSL (Extended Validation) certificates don't solve the same problem as DNSSEC. With an EV-SSL certificate, the identity of the site owner is verified as part of the SSL certificate granting process. Back in 2008, Silva told InternetNews.com that he saw SSL as a possible way to help reduce the risk of the Kaminsky DNS flaw.
"EV-SSL is good technology, but it relies on users to make a decision to make sure they are visiting a secured site," Silva said. "DNSSEC takes the user out of the equation and the security happens in the infrastructure."
One of the other things that Silva noted is the need to improve DNSSEC tools.
"There are lots of tools out there and likely some better tools will come along," Silva said. "If you have time to use the command line tools that are available today, then use them, and if you don't want to go that route and you still want to deploy DNSSEC, you need to look at what managed offering might be out there."
Kaminsky responded that he is going to release new tools later today at Black Hat to help use DNSSEC.
"We're at the first wave of the DNSSEC revolution," Kaminsky said. "If you heard this stuff is hard -- it's going to get easier."