Adoption of DNSSEC has been slow, but ICANN is pushing for it as a way to improve Internet security.
The Internet Corporation for Assigned Names and Numbers is joining
those calling for DNSSEC as a security blanket for the Internet.
In remarks June 21 during ICANN's 38th international meeting in Brussels,
ICANN CEO Rod Beckstrom contended that
DNSSEC (Domain Name System Security Extensions) needs to play a key role in
protecting the Web.
"The Internet and the DNS are central to global communications,
industry, communities and the world economy," Beckstrom said. "ICANN
consults widely within the community on cyber-security issues that relate to
the DNS [Domain Name System]. We have moved ahead vigorously on a number of key
security initiatives, including the DNSSEC root signing now taking place."
adoption has been slow
in the past, but is now gaining steam. According to
Afilias CTO Ram Mohan, a number of large
top-level domains have committed to deployment, and the root and all the major gTLDs
(generic top-level domains) will be signed by the middle of 2011.
"DNSSEC is meant to solve the man-in-the-middle attack where a third
party can get between you and the location you are trying to go to via the
DNS," Mohan said in an interview with eWEEK. "DNSSEC introduces
digital signatures to the DNS infrastructure and can provide users with
effective verification that their applications, such as Web or e-mail, are
using the correct addresses for servers they want to reach."
Mohan continued, "When DNSSEC is deployed, it will ensure that you
cannot be spoofed or hijacked once you go to a particular destination. ... Websites,
applications, e-mail-everything that is on the Internet depends upon the DNS.
DNSSEC secures the infrastructure layer of the Internet in a way that no other
technology can do."
The primary reason DNSSEC adoption has not advanced until recently is that
it was not deemed important by the Internet community at large, Mohan said. That
changed in 2008 when security researcher Dan Kaminsky uncovered a serious
protocol vulnerability in the DNS.
the Kaminsky bug
happened, DNSSEC deployment was going slowly," Mohan
said. "There was a lack of urgency and no reason to move forward with
deployment. Kaminsky demonstrated just how huge a hole the DNS had and how
DNSSEC was the only way to plug the hole.
"Network Service providers, or ISPs, are probably the most critical key
to unlocking DNSSEC. Their servers respond to most of the DNS queries around
the globe and pass those responses to end users ... Registrars and Web hosting
providers are a critical piece because they are the gatekeeper to the end
domain name owner. They manage the critical piece of taking the keys and the
signature and sending it up to the registry and root system. They have to
deliver the data both upstream and downstream."
Network hardware manufacturers are the final piece of the puzzle, Mohan
said, and existing routers have to be upgraded.
"A little-known fact is that the DNS is not run on PCs, but routers.
Just like you wouldn't run Word 2007 on a 486 computer, you wouldn't run DNSSEC
on a 10-year-old router," he said. "But in actuality, home users
typically rely on much older routers that may not be able to process DNSSEC
requests properly. Therefore router manufacturers or the ISPs that provide home
users with their hardware should be planning hardware upgrades to ensure [that]
the routers their customers have can handle DNSSEC and the next generation of
our DNS system."
Research released in November 2009 by Infoblox and The Measurement
Factory found that DNSSEC-signed zones increased by about 300 percent between
2008 and 2009. In raw numbers, however, the amount of DNSSEC-signed zones is
small next to the total number of zones.
"Forward-thinking ISPs like Comcast have even announced DNSSEC trials
and full deployment plans," Mohan said. "Given these exciting
advancements, the next important area that requires attention to bring DNSSEC
to the end user is for the next level in the DNS change of trust to be