DNSSEC Gets Its Own Coalition

By Sean Michael Kerner | Dec 5, 2008 | Print this Page
http://www.enterprisenetworkingplanet.com/netsp/article.php/3789356/DNSSEC-Gets-Its-Own-Coalition.htm

It will take some time, but the Domain Name System (DNS) is on its way to being secured around the world with DNSSEC (DNS Security Extensions). A new industry consortium, the DNSSEC Industry Coalition, has been formed to expedite the deployment of DNSSEC and, in doing so, to help secure the Internet itself for over a billion users.

DNS is critical to the functioning of the Internet, mapping domain names to IP addresses. Thanks to security researcher Dan Kaminsky, awareness of the DNS and its shortcomings has been greatly elevated this year. DNSSEC is a key part of the defence against the DNS cache poisoning attack Kaminsky disclosed: a resolver that validates DNSSEC signatures can reject the forged responses on which that attack depends.

"Collaboration of this kind is how DNSSEC was developed in the first place, and it's how BIND's DNSSEC feature development was sponsored," Paul Vixie, a leading authority on DNS and the founder of Internet Systems Consortium (ISC) told InternetNews.com. "Now it's the thing I suspect a lot of IT managers are waiting for so that they can relax a little bit and see DNSSEC as non-controversial, worthy of investment."

DNSSEC attaches digital signatures to DNS data so that a validating resolver can verify that a response is authentic and has not been modified. Vixie's BIND DNS server has had DNSSEC capabilities since 2004, though global deployment has remained in the single-digit percentages because of a number of implementation challenges.

The new coalition will aim to identify and overcome those challenges and make DNSSEC deployment a global reality. One of the key players in the new coalition is VeriSign, the registry operator for the .com and .net top-level domains.

"We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves," Pat Kane, vice president of naming services at VeriSign told InternetNews.com.

The specific problem, in Kane's view, is the kind of cache poisoning attack Kaminsky discovered, in which an attacker who cannot see the resolver's traffic injects forged responses that the resolver then caches and serves as genuine. The effect is to redirect end users: a user could type in "Google.com" and be taken to a phishing site instead. With DNSSEC, DNS data is cryptographically signed, so a validating resolver can check that an answer was published by the domain's operator and was not altered in transit.
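To make the attack concrete, the following is an added example (not code from the article) that models the blind guessing race an off-path attacker runs against a resolver: the attacker cannot see the query, so it sprays forged responses hoping to match the 16-bit transaction ID, and, once the resolver randomizes its source port, a 16-bit port as well. The Kaminsky variant lets the attacker trigger as many fresh queries as it wants, so the per-query odds below translate directly into time-to-poison. The resolver model, the constant guess budgets and the assumption of ideal full-range port randomization are all this example's own.

```python
"""Model of the off-path DNS cache poisoning race (constructed example).

A resolver without DNSSEC validation accepts the first reply whose
transaction ID (and, if it randomizes source ports, destination port)
matches an outstanding query. An attacker who cannot observe the query
must guess those values and beat the legitimate answer.
"""
import random

TXID_BITS = 16
PORT_BITS = 16      # assumption: ideal full-range source-port randomization
FIXED_PORT = 53     # a resolver that never randomizes its source port


def forged_response_accepted(query, forged):
    """Pre-DNSSEC acceptance rule: (txid, port) must match; nothing else
    distinguishes a forgery from the real answer."""
    return query == forged


def race_one_query(rng, forged_per_query, randomize_ports):
    """One Kaminsky-style query window: the attacker sends forged_per_query
    blind guesses before the legitimate answer lands. True if any lands."""
    txid = rng.getrandbits(TXID_BITS)
    port = rng.getrandbits(PORT_BITS) if randomize_ports else FIXED_PORT
    query = (txid, port)
    for _ in range(forged_per_query):
        guess = (rng.getrandbits(TXID_BITS),
                 rng.getrandbits(PORT_BITS) if randomize_ports else FIXED_PORT)
        if forged_response_accepted(query, guess):
            return True
    return False


def poison_success_rate(queries, forged_per_query, randomize_ports, seed=1):
    """Fraction of query windows in which the cache was poisoned (seeded so
    the simulation is repeatable)."""
    rng = random.Random(seed)
    wins = sum(race_one_query(rng, forged_per_query, randomize_ports)
               for _ in range(queries))
    return wins / queries


def expected_rate(forged_per_query, randomize_ports):
    """Closed-form odds per window: 1 - (1 - 1/N)^k, N = size of guess space."""
    space = 1 << (TXID_BITS + (PORT_BITS if randomize_ports else 0))
    return 1 - (1 - 1 / space) ** forged_per_query


if __name__ == "__main__":
    for ports in (False, True):
        observed = poison_success_rate(1000, 1000, ports)
        print(f"port randomization={ports}: observed {observed:.4f} per window, "
              f"expected {expected_rate(1000, ports):.2e}")
```

With only the transaction ID to guess, a thousand forged packets per window succeed in roughly 1.5% of windows, and because the attacker can trigger fresh windows at will the cache falls in minutes. Port randomization pushes the per-window odds down by about 2^16, which is why it was the emergency fix of 2008, but it is still a probability, not a proof. A validating resolver additionally requires a signature that chains to a trust anchor, which no amount of guessing produces; that is the distinction the article's sources are drawing.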

Though DNSSEC is something VeriSign is supportive of, Kane cautioned that it is not a solution for everything that ails the Internet.

"We also want to make sure that in people's enthusiastic rush to get DNSSEC implemented, that people understand what it is and the problems that it specifically solves," Kane said. "It doesn't solve phishing or malware distribution."

Article courtesy of InternetNews.com

To date, VeriSign has not deployed DNSSEC in the production .com or .net zones, though it does operate a test bed. The .org top-level domain (TLD) doesn't have DNSSEC deployed yet either, though its registry launched an initiative earlier this year to get it deployed. The DNSSEC Industry Coalition itself is chaired by Alexa Raad, CEO of the .org registry.

For VeriSign, Kane argued, the real heavy lifting of implementing DNSSEC isn't at the registry level, where VeriSign sits, but at the registrar level. Registrars are the organizations that deal directly with domain owners.

"I've got 950 registrar customers that are going to have to carry and implement the heavy lifting," Kane said. "The registrars will have to manage the key process, they'll have to do the lion's share of the work to make this thing real. As infrastructure players, we can sign a zone and ISPs can act on the response that comes from a zone. But for a registrant to take their domain name and make sure it's DNSSEC enabled, they have to interact with their registrar."

Kane also noted that there are some 280 top-level domains today, and that it is important for DNSSEC to be implemented in a similar way across them; otherwise registrars will find it very difficult to support.

"We're partly trying to make sure we make it simple, straightforward and financially feasible for the registrars to implement DNSSEC as it comes to each top level domain that launches," Kane said.

For ISC's Vixie, the barriers to DNSSEC adoption are several. First, he stresses that the root zone and the major TLDs, .com included, must be signed for DNSSEC to work as intended, since a validating resolver builds its chain of trust downward from the root and cannot validate a signed .com domain while the zones above it are unsigned. Improving the usability of DNSSEC tooling and implementations is also key; that involves DNS servers such as BIND as well as many other vendors across the Internet ecosystem.

"We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISPs to support DNSSEC validation in their recursive name servers and clients," Vixie said. "And we need the DNS registrars and registries to fully support DNSSEC for all their domain holders, meaning that if a domain holder signs their zones they ought to be able to upload their public keys someplace."
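The "key process" Kane says registrars must manage, and the public key Vixie says a domain holder needs somewhere to upload, meet in the DS record: the parent zone publishes a hash of the child's key-signing key (KSK) so that validators can walk from the parent down to the child. The following is an added example, not code from the article or from VeriSign or ISC, that derives a DS record from a DNSKEY as specified in RFC 4034 (sections 2 and 5, Appendix B for the key tag) and RFC 4509 (SHA-256 digests), and checks a published DS against the key actually served. The key bytes, owner name and helper names are constructed for illustration; whether a registrar takes the DS or the DNSKEY itself varies by registry.

```python
"""Derive the DS record a registrant submits to its registrar (constructed
example). Key material below is a placeholder blob, not a real key.
"""
import hashlib

# Digest types from the DS RR: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels,
    terminated by the zero-length root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not the special
    case for algorithm 1, RSA/MD5, which is long obsolete)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, algorithm, public_key, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS RR.
    The digest covers canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = DS_DIGEST_ALGS[digest_type](canonical_wire_name(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, digest.hexdigest().upper()


def ds_presentation(owner, ds):
    """Zone-file presentation of a DS record, e.g. for pasting into a registrar form."""
    tag, alg, dtype, hexdigest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {hexdigest}"


def ds_matches_dnskey(owner, published_ds, flags, algorithm, public_key):
    """Sanity check a registrant should run after the registrar publishes:
    does the DS in the parent match the KSK we actually serve? A mismatch
    means every validating resolver sees a broken chain of trust."""
    return ds_record(owner, flags, algorithm, public_key, published_ds[2]) == published_ds


if __name__ == "__main__":
    # Constructed 32-byte blob standing in for an Ed25519 (algorithm 15) KSK;
    # flags 257 = zone key with the Secure Entry Point bit set.
    fake_ksk = bytes(range(32))
    ds = ds_record("Example.COM.", 257, 15, fake_ksk)
    print(ds_presentation("example.com", ds))
```

Two properties worth noticing: the owner name is lowercased before hashing, so "Example.COM." and "example.com" yield the same DS, and the key tag is only a 16-bit hint for selecting among a zone's keys, so two different keys can share one; a validator still has to try the digest (or, for DNSKEY lookups, the signature) against every key with that tag rather than trusting the tag alone.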

All told, implementing DNSSEC will involve many stakeholders and some cost. VeriSign's Kane noted that dedicated cryptographic hardware and key-management software may be required, along with time and testing.

"When you're talking about changing the ecosystem wide fabric of DNS you have to involve ISPs, application developers, registrars, registries and registrants and do plenty of testing," Kane said. "DNS is a tool that people have come to treat like flipping a light switch. They expect it to be available and work. Testing will take the majority of the effort and time."