New Efforts Promote DNS Security

DNS, the critical technology that maps domain names to IP addresses, is not secure by default. It's an issue the IT industry is trying to solve with DNSSEC, the DNS Security Extensions, which add digital signatures to DNS data so a resolver can verify that an answer came from the zone's key holder and was not altered in transit. DNSSEC authenticates DNS data; it does not encrypt it.

The move toward DNSSEC has been under way for the last several years, though calls for its adoption accelerated in light of the Kaminsky DNS cache-poisoning flaw uncovered in 2008. Kaminsky himself recently called for more aggressive adoption of DNSSEC, though deploying it is a complex process. Now a trio of new initiatives is being rolled out that could ultimately help expedite DNSSEC deployments. Vendors including Afilias and the ISC (Internet Systems Consortium) are rolling out new deployment methods, and the DNSSEC Industry Coalition is ramping up with a new registrar review program.

For the ISC, a new Web-based interface to its DNSSEC Look-aside Validation (DLV) registry is a key step toward accelerating DNSSEC adoption.

"DNSSEC can't be universally deployed yet because the root and .COM zones aren't signed yet. .COM might be signed in 2011, but we have no firm idea of when or if the root zone will ever be signed," Michael Graff, Project Leader for DLV at ISC, told InternetNews.com. "DLV is a system that lets cooperating domain holders and server operators deploy DNSSEC in spite of the lack of signing in the root and .COM zones."

VeriSign, the company that manages the root DNS zone, has previously told InternetNews.com that it's working on a test bed to get the root zone signed.

As far as DLV goes, Graff explained that it is, by definition, a workaround.

"DLV is used when a trusted path from the root to a zone does not exist, hence the 'LV' for look-aside validation," Graff said. "It supplies the necessary data for a DNS resolver to authenticate DNS keys for a zone when its parent does not have the ability to."
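The mechanism Graff describes, shown here as an added worked example that is not code from ISC, from the DLV registry, or from the article: a DLV record carries the same fields as a DS record (key tag, algorithm, digest type, digest) and is published under the zone's name prepended to the DLV domain, so a validator checks the zone's DNSKEY against it exactly as it would check against a DS record in the parent. The zone name, key bytes and registry contents below are constructed for illustration; the real DNS queries to the DLV domain, and the DNSSEC validation of the DLV answer under the DLV domain's own trust anchor, are assumed rather than performed.

```python
"""DNSSEC look-aside validation (DLV), worked example constructed for this
article. Not code from ISC or any resolver; names and keys are made up."""
import hashlib

DLV_DOMAIN = "dlv.isc.org."   # ISC's registry name, used here only as a label


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of a dotted DNS name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (fixed at 3), algorithm, public key (RFC 4034)."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_digest(zone: str, rdata: bytes) -> str:
    """Digest type 2 (SHA-256) shared by DS and DLV: SHA-256(owner name || RDATA)."""
    return hashlib.sha256(wire_name(zone) + rdata).hexdigest()


def make_dlv_record(zone: str, rdata: bytes) -> tuple:
    """What the registry publishes for a zone's key: the same layout as a DS record."""
    return (key_tag(rdata), rdata[3], 2, key_digest(zone, rdata))


def dlv_candidates(zone: str, dlv_domain: str = DLV_DOMAIN) -> list:
    """(anchor zone, lookup name) pairs a validator tries, the zone itself first,
    then each shorter ancestor, stopping before the root (RFC 5074 section 3)."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    dlv = dlv_domain.lower().strip(".")
    out = []
    for i in range(len(labels)):
        anchor = ".".join(labels[i:]) + "."
        out.append((anchor, ".".join(labels[i:]) + "." + dlv + "."))
    return out


def find_dlv_anchor(zone: str, registry: dict, dlv_domain: str = DLV_DOMAIN):
    """Closest enclosing zone with DLV records, or None. When the match is an
    ancestor, trust starts there and continues down via ordinary DS records."""
    for anchor, lookup in dlv_candidates(zone, dlv_domain):
        if lookup in registry:
            return anchor, registry[lookup]
    return None


def validate_dnskey_via_dlv(zone: str, rdata: bytes, registry: dict,
                            dlv_domain: str = DLV_DOMAIN) -> str:
    """'secure' if a DLV record at the zone's look-aside name matches this DNSKEY,
    'bogus' if records exist but none match, 'insecure' if there is no entry.
    Assumption: the DLV RRset was already validated under the DLV domain's key."""
    lookup = dlv_candidates(zone, dlv_domain)[0][1]
    records = registry.get(lookup)
    if not records:
        return "insecure"
    for tag, alg, dtype, digest in records:
        if dtype != 2:
            continue                      # digest type this validator does not implement
        if (tag == key_tag(rdata) and alg == rdata[3]
                and digest == key_digest(zone, rdata)):
            return "secure"
    return "bogus"


# Constructed sample: a hypothetical KSK for example.com (flags 257, RSASHA256,
# arbitrary key bytes, not a real key) and the registry entry its owner submitted.
ZONE = "example.com."
EXAMPLE_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
REGISTRY = {"example.com.dlv.isc.org.": [make_dlv_record(ZONE, EXAMPLE_KSK)]}

if __name__ == "__main__":
    print(validate_dnskey_via_dlv(ZONE, EXAMPLE_KSK, REGISTRY))             # secure
    forged = EXAMPLE_KSK[:-1] + b"\xff"                                     # altered key
    print(validate_dnskey_via_dlv(ZONE, forged, REGISTRY))                  # bogus
    print(validate_dnskey_via_dlv("unsigned.org.", EXAMPLE_KSK, REGISTRY))  # insecure
    print(find_dlv_anchor("sub.example.com.", REGISTRY)[0])                 # example.com.
```

Two points the example makes concrete: the registry does not hold the zone's key, only a digest of it, so a substituted DNSKEY fails exactly as it would against a parent DS; and a zone with no look-aside entry is treated as unsigned, not as bogus, which is why DLV coverage only helps domains whose holders actually register.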

The Trust Anchor Repository alternative

Another option that some, including Kaminsky, have suggested as a solution for the current lack of root zone signing is a Trust Anchor Repository (TAR): a published collection of public keys for signed zones that a resolver operator loads as trust anchors, so validation can start at those zones instead of at the root. In the TAR scenario trust is distributed across multiple points rather than flowing from a single signed root. Graff noted that the TAR approach differs from DLV: a TAR is a list the operator fetches and configures, whereas DLV is consulted through DNS at validation time.

This article was first published on InternetNews.com.