Is DNSSEC the Answer to Internet Security?
Domain Name System, or DNS (define), administrators around the world are racing to patch their systems for a critical flaw that could leave millions at risk. Although the technology for a more secure DNS has been available for years, it has not yet been widely deployed.
DNSSEC (DNS Security Extensions) provides a form of signed verification for DNS information, which is intended to assure DNS authenticity.
"Certainly when it comes to DNS cache poisoning, DNSSEC is a very good solution," Cricket Liu, author of DNS and BIND Cookbook and a vice president at Infoblox, told InternetNews.com. "It is designed to address this problem. I agree that with a widely deployed DNSSEC infrastructure, cache poising would cease to be an issue."
Security researcher Dan Kaminksy has reported that a widespread design flaw in DNS could lead to cache poisoning. The attack would cause a corruption on a DNS server; an end user could be rerouted to an arbitrary site. For example, a user could type in Google.com, but end up at a location of the attacker's choosing.
DNSSEC technology has been in development since 1997 and has been implemented for a few years on the open source ISC BIND server.
Yet though the technology has been available for years, according to a 2007 survey from Infoblox, less than 1 percent of all DNS servers actually use it.
"DNSSEC is still only sporadically implemented but it is getting better," Liu said. "We have see adoption at the high levels of the namespace. For example Sweden (.se) is signed."
Liu argued that moving to DNSSEC is a big deal as it requires DNS administrators to sign all of their DNS zones and setup nameservers to verify signed data.
"The amount of effort that has to go into zones that are signed is higher than unsigned data," Liu explained. "These days the average DNS administrator has a lot of other things to do," he said. "A lot of these people are not comfortable with all the aspects of traditional DNS much less DNSSEC."
Beyond the people aspect of deploying DNSSEC, some technology hurdles need to be addressed, according to Liu.
"If you're in a part of the namespace where your parent zone isn't signed, then to let people verify data within your zone that is signed you have to give them your public key, which is kind of onerous," Liu explained.
That said for users whose top-level domain (TLD) name is signed like Sweden (.se), deploying DNSSEC is easier since the parent zone is signed. If the .com domain space was similarly signed, DNSSEC adoption could well be significantly accelerated.
"If VeriSign signed .com and .net also implemented a system for signing public keys of their child zones, then that would really speed adoption," Liu explained. "By inserting one or two public keys into nameservers' configuration, you could by transitivity verify signed data for anything that ended in .com or .net potentially -- and that's a lot of the namespace."
VeriSign manages the .com and .net registries, and though it hasn't done a wide DNSSEC deployment, according to VeriSign CTO Ken Silva, they have been running a DNSSEC testbed for the past six months.
"DNSSEC is not just something you flip on," Silva explained to InternetNews.com. "It's a whole ecosystem in which everyone at every level has to participate. VeriSign has always been a part of the DNSSEC research, and we've always felt there was a use for it."
Though Silva sees the need for DNSSEC, he's also realistic about the daunting challenge that full implementation represents.
"What we're looking at now is 1.3 billion users that would have to adopt DNSSEC for it to be truly successful," Silva said. "We're working with the community on the best way to roll it out."
Silva went on to note that many intricacies around DNSSEC have delayed its deployments worldwide. For one, DNSSEC involved additional load on the DNS infrastructure.
In addition Silva argued that pieces of network hardware are throughout the Internet and in enterprises not prepared to deal with the difference in the DNS protocol.
"For instance, there are firewalls that look for a specific packet size or range of size for a DNS packet, and if it receives something out of range it will reject it," Silva said.
Barry Greene, director of the Security Incident Response Team (SIRT) for Juniper Networks (NASDAQ: JNPR), commented in an e-mail to InternetNews.com that Juniper's customers previously lacked demand for DNSSEC.
VeriSign's Silva, however, has another idea for helping Internet users ensure the domain they visit is what they think it is, namely digital SSL (define) certificates.
"If you're going to go to a site and provide personal information or spend money, you really need to rely on digital signatures of the Web sites themselves," Silva argued. "Until every domain and every subdomain and every enterprise uses DNSSEC and that could take a very long time, the option that you have today is to rely on enterprises that use digital certificates."
VeriSign is the world leader in SSL certificates. Silva admitted that promoting SSL certificates is a little self serving for VeriSign though he noted that other vendors do sell certificates as well.
Silva went a step further to add that even in a world with DNSSEC fully deployed, SSL certificates will still be needed.
"The only thing that DNSSEC really does is validate that that DNS answer is valid," Silva said. "It doesn't qualify that the site you got to is truly authentic."
Article courtesy of InternetNews.com