Establishing Digital Trust: Don't Sacrifice Security for Convenience
In the summer of 2008, Dan Kaminsky demonstrated the inherent vulnerability in unsecured DNS. Since then, Top Level Domain (TLD) registries and registrars have been racing to secure their infrastructure with DNSSEC (DNS Security Extensions) which provide a degree of cryptographic authenticity to DNS information.
Getting DNSSEC setup on a domain is no easy task, which where the new VeriSign DNSSEC Signing Service comes into play. The new VeriSign service will providing the initial signing of a second-level domain name as well as the management of cryptographic keys. With the DNSSEC Signing Service, VeriSign is aiming to make it easier for registrars to enable DNSSEC.
"DNSSEC introduces new parameters to DNS that were not previously part of the provisioning and management process," Pat Kane, Assistant General Manager of Naming Services at VeriSign, told InternetNews.com. "DNSSEC introduces the concept of cryptographically signing domain names and the concept of expiring signatures."
Kane added that DNSSEC also adds a signing step to the process of updating a DNS zone. The signing process involves constant, ongoing maintenance including periodic resigning to refresh signatures that must be performed or validation failures will result.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"In addition, DNSSEC also introduces key management, which is completely new to DNS," Kane said. "The keys must be kept safe, since the security of DNSSEC relies on the security of the cryptographic keys. The keys need to be handled properly and this is a skill set not everyone has."
Kane noted that the VeriSign DNSSEC Signing Service automates the process of key signing and updating. The technology behind the DNSSEC Signing Service is based on a new hardware and software solution developed by VeriSign's engineering team. VeriSign was able to take advantage of other DNSSEC code that they have also developed internally, such as the software that signs the root zone and .com and .net TLDs.
"The service also has a hardware component: every zone's cryptographic key material is stored in a Hardware Security Module (HSM), and all signing operations are performed on the HSM as well," Kane said. "With this design, the most critical information (cryptographic keys) and operations (digital signing) are performed in secure hardware, making it effectively impossible for customer keys to be compromised."
The software used in the DNSSEC Signing Service is similar but not identical to that used to sign .com and .net. Kane noted that each system is different because of different requirements.
"For example, the .com/.net zone signing software is tightly coupled with the .com/.net registry system," Kane said. "It is capable of signing at an extremely high rate of speed and in an incremental fashion."
Kane noted that in contrast the DNSSEC Signing Service does not require the extreme speed required by the .com/.net system. However, it does need to store hundreds of thousands of zone keys.
The root zone of the Internet was signed for DNSSEC in July and VeriSign plans on having .com signed in the first quarter of 2011. Other players in the DNS space have also been aggressively rolling out DNSSEC with over 50 TLDs now signed for DNSSEC. Affilias has enabled 12 of the TLDs it manages for DNSSEC, with plans for more in the coming year.