The march to secure the Internet’s core DNS
Since at least the summer of 2008, when security researcher Dan Kaminsky disclosed a critical vulnerability in DNS, the global Internet domain routing ecosystem has been moving to implement DNSSEC, which provides a digitally signed mechanism to authenticate the integrity of DNS information, secure the system and prevent attacks.
Among the first generic Top Level Domains (gTLDs) to announce its plan to adopt DNSSEC was .Org, back in September 2008. This week, .Org announced that its rollout of DNSSEC is now on track for deployment in June 2010. On a global basis, ICANN (Internet Corporation for Assigned Names and Numbers) reported that DNSSEC adoption in the root zone of the Internet is also going according to plan.
“We are extremely pleased to witness the gaining momentum in DNSSEC development and adoption,” .Org CEO Alexa Raad told InternetNews.com. “All actors within the chain of trust — registrars, ISPs and application providers — now have a known lead time for development, and zero uncertainty about the future of DNSSEC.”
At the time of the original Kaminsky disclosure on DNS, some questioned whether DNSSEC was the appropriate remedy. That’s no longer the case, as all of the major gTLDs, as well as multiple country code TLDs, domain registrars and ISPs are moving to implement the solution.
But that effort has come with costs. In June 2009, Ram Mohan, CTO of Afilias, the technology provider for the .Org registry, told InternetNews that the .Org DNS effort required a multi-million dollar investment.
Raad said that service providers can expect to see an uptick in TCP query traffic for the DNSSEC signed zones they serve once they have made the transition.
“We have seen an increase of between 1.5 percent and 2.5 percent,” Raad said. “Some country code TLDs have seen increases of less than 1 percent. This is something we will be watching as deployment of signed domains increases.”
She added that ISPs will want to test their infrastructure for complete and up-to-date support for UDP
While .Org is moving forward with its DNSSEC initiatives, ICANN is also reporting progress on ensuring that the root zone of the Internet is secured. During a session on DNSSEC at an ICANN meeting in Nairobi, Kenya, this week, officials offered an update on how deployment is going in the root zone of the Internet DNS. Currently the root zone is scheduled to be fully signed for DNSSEC by July 1, 2010.
“This is remarkable development,” Steve Crocker, co-chair of ICANN’s DNSSEC deployment initiative and chair of the Security and Stability Advisory Committee, said at the Nairobi meeting. “We have one of the most significant parts of the DNSSEC process and, indeed, one of the most significant changes in the Internet under way, and it’s proceeding quietly and nicely enough to suggest that the impact will be modest, and we’re on our way for a clean launch in July.”