NEW YORK — Internet stakeholders need to move forward with securing the core infrastructure by adopting DNSSEC, a security expert said at the International Conference for Cyber-Security.
DNSSEC, or Domain Name System Security Extension, does not solve "all the ills" of the Internet, but it is a powerful tool that would improve the security of the Internet, Richard Lamb, a DNS security program manager at the Internet Corporation of Assigned Names and Numbers (ICANN), told attendees at the International Conference for Cyber-Security in New York Jan. 11. DNSSEC also adds a layer of security to the underlying infrastructure that can be extended to other applications, Lamb said.
DNSSEC is a security protocol designed to add keys to the domain name hierarchy that defines the Internet, and digital signatures to secure the transmission of data between Internet service providers and Domain Name System servers. Governments, major Internet organizations such as the regional Internet registries and ICANN, and the security community have been supportive of deploying DNSSEC, according to Lamb.
Once it is widely deployed, DNSSEC can be "repurposed" to secure other protocols, such as voice-over IP and Secure Sockets Layer, Lamb told attendees.
To understand DNSSEC, Lamb walked attendees through DNS, the Internet's phonebook. A user wants to go to the majorbank.com Website, but the user's computer doesn't know which machine that is, because it's not a system on the local network. The request is passed on to the ISP, which communicates with a DNS server to find the IP address of majorbank.com. The DNS server sends the IP address back to the ISP and the ISP can now direct all user requests to that server. Since the ISP caches the data, it can route all requests to the correct machine without having to talk to the DNS server again, Lamb noted.
The "Internet did not originally have security designed into it," Lamb said, noting there was a serious flaw in how the system worked.
If a malicious DNS server sent the ISP a different IP address for majorbank.com before the real DNS server, the ISP cached the malicious address and directed all requests to the wrong machine. As a result, the DNS cache has been poisoned and users are vulnerable to a wide range of attacks.
DNSSEC uses cryptographic signatures to secure communications with the DNS server. Since the address sent back from the malicious DNS server wouldn't have the correct digital signature, the ISP would know it had been tampered with and drop the response and wait for the correct one.
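The two behaviours Lamb contrasts, modelled in an added example that is not from the article or from ICANN: a non-validating caching resolver keeps whichever answer for majorbank.com arrives first, while a resolver holding the zone's trusted public key drops an answer whose signature does not verify and waits for the genuine one. A Lamport one-time signature stands in for DNSSEC's RRSIG/DNSKEY records so the block runs with the standard library alone; the IP addresses are constructed sample values.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional
# Lamport one-time signature: a hypothetical stand-in for the RSA/ECDSA RRSIG
# records real DNSSEC uses. The property that matters is the same: only the
# holder of the private key can produce a signature the public key accepts.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk
def sign(sk, msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]
def verify(pk, msg: bytes, sig) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(h >> i) & 1] for i in range(256))

@dataclass
class Answer:
    name: str
    ip: str
    sig: Optional[list] = None  # RRSIG-like signature over the record, None if unsigned
    def record(self) -> bytes:  # the bytes the signature covers
        return f"{self.name} A {self.ip}".encode()

@dataclass
class Resolver:
    """Caching resolver; with trusted_key set it validates like a DNSSEC resolver."""
    trusted_key: Optional[list] = None
    cache: dict = field(default_factory=dict)
    def accept(self, ans: Answer) -> bool:
        if ans.name in self.cache:  # already answered: later responses are ignored
            return False
        if self.trusted_key is not None and (
            ans.sig is None or not verify(self.trusted_key, ans.record(), ans.sig)
        ):
            return False  # bad or missing signature: drop it and keep waiting
        self.cache[ans.name] = ans.ip  # non-validating resolver: first answer wins
        return True

def scenario():
    """Forged answer arrives before the genuine one; return what each resolver cached."""
    sk, pk = keygen()  # zone key pair; the forger never holds sk
    genuine = Answer("majorbank.com", "198.51.100.10")  # constructed sample addresses
    genuine.sig = sign(sk, genuine.record())
    forged = Answer("majorbank.com", "203.0.113.66", sig=genuine.sig)  # replayed signature
    plain, validating = Resolver(), Resolver(trusted_key=pk)
    for r in (plain, validating):
        r.accept(forged)
        r.accept(genuine)
    return plain.cache["majorbank.com"], validating.cache["majorbank.com"]
```

The plain resolver ends up with the forged address cached; the validating one rejects it because the replayed signature does not cover the altered record.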
Once deployed, the globally trusted key infrastructure could be used as an authentication platform to secure other Internet protocols, such as the network, email, SSL, VOIP, WiFi, and Web content, Lamb said. Certificate Authorities can use DNSSEC to secure their certificates, Lamb suggested.
There are "yet-to-be-discovered security innovations, enhancements and synergies," Lamb said.
"The technology is fine, but there have been some problems in deploying it," Lamb said, noting that DNSSEC has been deployed on less than 1 percent of the Internet and on only 82 out of 312 top-level domains. TLDs with DNSSEC include .com, .net, .org and .gov.
ICANN deployed DNSSEC on the root in July 2010. It was the "biggest upgrade to the Internet's core infrastructure in 20 years," Lamb said. ICANN manages the root key, which is stored in secure key management facilities in Virginia and California with several layers of security, strong cryptographic protection and physical measures such as biometrics, according to Lamb.
DNSSEC needs to be "widely deployed across domains," and that will happen once registrars and ISPs get involved.
There is a lot of bureaucracy, fear and trust issues about changing the guts of the Internet, and many excuses not to begin, according to Lamb. It is "hard to change anything that hasn't had to change since 1983," Lamb said, especially when it seems like the system is working fine.
Comcast just finished rolling out DNSSEC on its network, automatically offering DNSSEC-validating DNS servers to more than 17.8 million residential customers who use Comcast Constant Guard from Xfinity, Jason Livingood, vice president of Internet systems at Comcast, wrote on the ComcastVoices blog Jan. 10. The Internet service provider has also cryptographically signed all of the domains owned by the company, which number more than 5,000 domains, said Livingood.
This announcement makes Comcast the first large ISP in North America to have fully implemented DNSSEC, according to Livingood.
Lamb praised the recent Comcast news and noted that a "perfect storm" of recent events has increased interest in DNSSEC and driven adoption. Government plans, such as the National Strategy for Trusted Identities in Cyber-Space from the White House and Sweden's e-ID program, have spotlighted the need for protecting online identities. The recent breaches with various certificate authorities highlighted the weaknesses in the Secure Sockets Layer protocol, and as networks "become smarter," through the use of sensors for smart grids and through ready access to online data, there has been an "impetus" to improve DNS, Lamb said.
"DNS and DNSSEC are part of all these ecosystems," said Lamb.
The third annual International Conference on Cyber Security: A White Hat Summit is a joint effort between the Federal Bureau of Investigation and Fordham University. Leaders from law enforcement, industry and academia discuss cyber-crime and real-life operations during the conference, which runs from Jan. 9 to Jan. 12 on the Fordham University campus in New York.