The DNSSEC initiative to embed security at the heart of the internet by preventing URL spoofing and other attacks has passed an important milestone.
The secure domain name server (DNS) protocol DNSSEC guarantees the authenticity of the mechanism that converts human-friendly internet addresses to the Internet Protocol numeric address system. DNSSEC — short for Domain Name System Security Extensions — uses digital signatures to assure name servers that the DNS data they receive has not been intercepted or tampered with.
– Roy Arends, Nominet
Today marks one of the most significant moments in the history of the internet. Yet, for most people, it will go by entirely unnoticed.
The organisation responsible for managing the assignment of IP addresses and domain names, Icann, on Thursday published the root zone trust anchor. This allows the operators of internet root servers to begin to issue certificates to verify who they are to other root operators. The publication marks the completion of the signing of the root zone, meaning that all root operators are now involved in the exchange of valid certificates.
"Today marks one of the most significant moments in the history of the internet. Yet, for most people, it will go by entirely unnoticed," said Roy Arends, head of research at UK internet registry Nominet, in a statement. "This technology change is an enabler for new technologies to be built and deployed to further enhance the security of the Domain Name System and ultimately ensure the internet remains a safer and trusted place for all."
The aim of the DNS security extensions is to hinder cybercriminals who use DNS cache poisoning to redirect internet users from legitimate websites to fraudulent equivalents. DNS cache poisoning involves replacing the numeric addresses of legitimate websites in domain name servers with the addresses of malicious sites.
DNSSEC was rolled out over all 13 internet root servers in May as a test bed, but the publication of the root zone trust anchor allows the system to start operating harmoniously. Ripe NCC, which is one of the five regional internet registries, said that the extensions can now start to be fully deployed across the internet.
"The power of DNSSEC is that the whole namespace can now be signed hierarchically. It's another piece in the puzzle, as verification can now be fully automated," Ripe chief scientist Daniel Karrenberg told ZDNet UK. "DNSSEC has become mainstream and easily deployable. This ramping up is really significant."
Read this
DNSSEC should prove toxic for cache-poisoners
When the DNSSEC protocol public key is deployed on 15 July, it will be Black Thursday for the criminals who redirect traffic to fraudulent websites, says Axel Pawlik
Karrenberg said that from Thursday, each top-level domain (TLD) nameserver will no longer have to be configured to recognise trusted key material, reducing the administrative burden on top-level domains. More top-level domains will be DNSSEC signed, said Karenberg, who expected that owners of banking domains will also start to use DNSSEC more.
In addition, the operation of DNSSEC in the root zone should encourage ISPs and the IT departments of large organisations to adopt it, according to Karrenberg.
"I would think that organisations and websites concerned about trust would be early adopters," said Karrenberg.
Ripe has been involved in the development of DNSSEC, a process that has been going on for decades. Karrenberg said that Ripe NCC and European ISPs had to push Icann to adopt DNSSEC.
"Ripe NCC and European ISPs have driven this [development process] for more than a decade, and we have been pressing Icann to sign the root," said Karrenberg. "Icann wants to enhance DNS, but they are necessarily a conservative bunch. DNS is such a key component of the internet they don't want to break it — Icann is naturally reticent."
Security company Symantec said that internet security will get better through DNSSEC use, but that improvements to security will not be rapid.
"DNSSEC is a step forwards, but we're really at the very early stages," said Orla Cox, security operations manager for Symantec Security Response. "This is one step down a long road."
Cox believes that criminals will try to circumvent the DNSSEC signing procedure and that spoofing certificates may still be possible.
Talkback
Tom,
Good story. It is good to see the rollout of DNSSEC progressing as it is a necessary piece to the Internet's overall security puzzle, especially in how it relates to the DNS. To further this rollout you are correct in that ISPs, registrars and enterprises need to begin stepping up to the plate.
With that said there is a tool that can be used by ISPs and Registrars to assist in helping their clients sign with DNSSEC. Even individual domain name owners may use this tool to sign their respective domain name(s) and hand to their registry. Enterprises may also use this tool as well for their DNSSEC signing purposes.
The tool I am referring to is Security-DNS and may be found at http://www.Security-DNS.net. The tool signs using the DNSSEC flavour desired, those being NSEC, NSEC3 or NSEC3 with OptOut.