Is DNSSEC the Answer to Internet Security?
The technology to secure the DNS system has been around for four years, yet many servers don't use it.
Domain Name System (DNS) administrators around the world are racing to patch their systems for a critical flaw that could leave millions of users at risk. Although the technology for a more secure DNS has been available for years, it has not yet been widely deployed.
DNSSEC (DNS Security Extensions) adds digital signatures to DNS data so that a resolver can check that a response really came from the zone's operator and was not altered along the way. It is intended to assure DNS authenticity, not confidentiality.
"Certainly when it comes to DNS cache poisoning, DNSSEC is a very good solution," Cricket Liu, author of DNS and BIND Cookbook and a vice president at Infoblox, told InternetNews.com. "It is designed to address this problem. I agree that with a widely deployed DNSSEC infrastructure, cache poisoning would cease to be an issue."
Security researcher Dan Kaminsky has reported a widespread design flaw in DNS that makes cache poisoning practical. In a cache poisoning attack, forged records are inserted into a recursive DNS server's cache, so every end user who relies on that server can be rerouted to an arbitrary site. For example, a user could type in Google.com but end up at a location of the attacker's choosing.
DNSSEC technology has been in development since 1997 and has been implemented for a few years in the open source ISC BIND server.
Yet although the technology has been available for years, a 2007 Infoblox survey found that less than 1 percent of all DNS servers actually use it.
"DNSSEC is still only sporadically implemented, but it is getting better," Liu said. "We have seen adoption at the high levels of the namespace. For example, Sweden (.se) is signed."
Liu argued that moving to DNSSEC is a big undertaking because it requires DNS administrators to sign all of their zones and to set up nameservers that verify signed data.
"The amount of effort that has to go into zones that are signed is higher than unsigned data," Liu explained. "These days the average DNS administrator has a lot of other things to do," he said. "A lot of these people are not comfortable with all the aspects of traditional DNS much less DNSSEC."
Beyond the people aspect of deploying DNSSEC, some technology hurdles need to be addressed, according to Liu.
"If you're in a part of the namespace where your parent zone isn't signed, then to let people verify data within your zone that is signed you have to give them your public key, which is kind of onerous," Liu explained.
That said, for operators whose top-level domain (TLD) is signed, as Sweden's .se is, deploying DNSSEC is easier because the signed parent zone can vouch for the child zone's public key, so resolvers need no extra configuration to validate it. If the .com domain space were similarly signed, DNSSEC adoption could well accelerate significantly.
"If VeriSign signed .com and .net also implemented a system for signing public keys of their child zones, then that would really speed adoption," Liu explained. "By inserting one or two public keys into nameservers' configuration, you could by transitivity verify signed data for anything that ended in .com or .net potentially -- and that's a lot of the namespace."
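To make the chain of trust Liu describes concrete, here is an added example (not code from the article, Infoblox, or ISC): a toy Python model of DNSSEC validation. It is not the real wire format: records are (name, data) pairs, signatures are textbook RSA over a SHA-256 digest with deliberately small keys, and a DS record is modelled as the SHA-256 digest of the child's key, which is the role DS plays in real DNSSEC. The zone names bank.se. and shop.com. and the addresses are constructed. It shows three things the quotes above assert: a single configured trust anchor for .se validates data anywhere below it by transitivity, a poisoned answer fails validation, and a signed zone under an unsigned parent (.com in the article's scenario) cannot be validated until the resolver operator is handed its public key and configures it as a trust anchor.

```python
"""Toy DNSSEC chain-of-trust model (added example; not real DNSSEC, not secure RSA)."""
import hashlib
import random


# ---- textbook RSA, for illustration only: no padding, small keys ----
def is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p


def gen_keypair(bits=512):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this gives gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


def dnskey_bytes(pub):
    return b"DNSKEY:%d:%d" % pub                 # stand-in for DNSKEY RDATA


def ds_digest(pub):
    return hashlib.sha256(dnskey_bytes(pub)).hexdigest()   # what a parent's DS record carries


class Zone:
    """A zone as a validating resolver sees it: its records, their signatures and its DNSKEY."""
    def __init__(self, name, signed=True):
        self.name, self.signed, self.parent = name, signed, None
        self.records, self.rrsigs = {}, {}
        if signed:
            self.pub, self.priv = gen_keypair()

    def add_record(self, rrname, data):
        self.records[rrname] = data
        if self.signed:                          # RRSIG covers owner name and data
            self.rrsigs[rrname] = sign(self.priv, rrname.encode() + b"|" + data)

    def delegate(self, child):
        child.parent = self
        if self.signed and child.signed:         # signed parent publishes a signed DS for the child
            self.add_record("DS " + child.name, ds_digest(child.pub).encode())


def key_is_trusted(zone, anchors):
    """A zone key is trusted if it is a configured anchor, or its signed parent's trusted key
    signs a DS record matching it. An unsigned parent breaks the chain (island of security)."""
    if not zone.signed:
        return False
    if anchors.get(zone.name) == zone.pub:
        return True
    parent, ds_name = zone.parent, "DS " + zone.name
    if parent is None or not parent.signed or ds_name not in parent.records:
        return False
    if not key_is_trusted(parent, anchors):
        return False
    ds = parent.records[ds_name]
    if not verify(parent.pub, ds_name.encode() + b"|" + ds, parent.rrsigs[ds_name]):
        return False
    return ds.decode() == ds_digest(zone.pub)


def validate(zone, rrname, data, sig, anchors):
    """Validate an answer the resolver received; the data may have been tampered with."""
    return key_is_trusted(zone, anchors) and verify(zone.pub, rrname.encode() + b"|" + data, sig)


def demo():
    random.seed(1)                               # deterministic toy keys
    root, se, com = Zone(".", signed=False), Zone("se."), Zone("com.", signed=False)
    root.delegate(se), root.delegate(com)
    bank, shop = Zone("bank.se."), Zone("shop.com.")          # constructed zones
    bank.add_record("www.bank.se. A", b"192.0.2.10")
    shop.add_record("www.shop.com. A", b"192.0.2.20")
    se.delegate(bank), com.delegate(shop)
    anchors = {"se.": se.pub}                    # the only key the resolver is configured with
    sig_bank, sig_shop = bank.rrsigs["www.bank.se. A"], shop.rrsigs["www.shop.com. A"]
    out = {"se_genuine": validate(bank, "www.bank.se. A", b"192.0.2.10", sig_bank, anchors),
           "se_poisoned": validate(bank, "www.bank.se. A", b"203.0.113.66", sig_bank, anchors),
           "com_no_anchor": validate(shop, "www.shop.com. A", b"192.0.2.20", sig_shop, anchors)}
    anchors["shop.com."] = shop.pub              # the onerous workaround Liu describes
    out["com_with_anchor"] = validate(shop, "www.shop.com. A", b"192.0.2.20", sig_shop, anchors)
    return out


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four outcomes: the genuine .se answer validates with only the .se anchor configured, the poisoned answer with a swapped address fails, and the signed shop.com. zone fails until its key is added as a second anchor. A real validating resolver does the same walk with DNSKEY, DS and RRSIG records, which is why a signed .com would let one configured key cover that whole part of the namespace.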