NEWS ANALYSIS: Domain Name System Security Extensions (DNSSEC), which have been mandated for all .gov sites and are moving into the commercial Internet, protect DNS data against forgery and other malicious tampering. Unfortunately, DNSSEC is very complex. A new Sandia tool will make it easier for IT staff to deal with.
The progress has been slow and painful, but network managers for government sites on the Internet are on their way to implementing Domain Name System Security Extensions (DNSSEC), a set of extensions that provides authenticated Domain Name System information in answer to name lookups. The reason for DNSSEC is that hackers are able to insert bogus DNS information into the network and, as a result, direct users to fraudulent websites.
Unfortunately, DNSSEC is highly complex. Few IT managers understand its workings, and even fewer understand why DNSSEC might fail. This complexity was made worse by the lack of any means of seeing what was happening within the DNSSEC process to discover why things weren't working. Now, Sandia National Laboratories has developed a tool called DNSViz for visualizing and troubleshooting problems with DNSSEC.
Computer scientist Casey Deccio decided that understanding the ins and outs of DNSSEC was probably beyond the experience of most IT managers, so he designed DNSViz to graphically display the DNS security status of any website, including the full chain of trust down to and including the actual site itself. Anyone can use the tool to examine their own or any other site. If you use Opera or Firefox to run the tool, you can get detailed information from each step of the trust chain by simply mousing over it.
Deccio also explains the details in a Sandia article, and he demonstrates it in a video to give you a better idea of how all of this works. Sandia worked with Comcast to create a site, www.dnssec-failed.org, that has bad domain information so that you can compare a properly configured site with one that's not. DNSViz users need to cut and paste this site address into the tool to view the problems that crop up when DNSSEC is improperly configured. If you want to see what a properly configured secure DNS site looks like, just use the DNSViz tool to look at the Sandia site.
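Each step of the trust chain that DNSViz draws is a link between a parent zone's DS record and a child zone's key-signing DNSKEY, and the "properly configured versus broken" comparison above comes down to whether every link matches. The following is an added example, not code from the article, from DNSViz or from Sandia: it computes the DS digest and key tag exactly as RFC 4034 specifies them and walks a chain from a trust anchor to a leaf zone, reporting the first link that fails. The key bytes, zone names and the broken chain's misconfiguration (a parent DS pointing at a key the child no longer publishes) are constructed for illustration and are not the real keys or the real cause of failure of any zone on the page. It models only the DS-to-DNSKEY matching at each link; a full validator would also verify the RRSIG over each DNSKEY set and over the final records, which is omitted here.

```python
"""Walk a DNSSEC chain of trust link by link, the way a validator (or DNSViz) does."""
import hashlib
import struct

ZONE_KEY_FLAG = 256  # DNSKEY flag bit 7: this key may sign zone data (RFC 4034 2.1.1)
SEP_FLAG = 1         # DNSKEY flag bit 15: Secure Entry Point, i.e. a key-signing key


def to_wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, then the key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); the number shown beside each key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4. Type 2 is SHA-256."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashers[digest_type](to_wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent zone publishes for one of the child's key-signing keys."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def verify_link(parent_ds_set: list, child_owner: str, child_dnskeys: list) -> bool:
    """A link is secure when a DS from the parent matches one of the child's zone keys."""
    for ds in parent_ds_set:
        for rdata in child_dnskeys:
            flags = struct.unpack("!H", rdata[:2])[0]
            if not flags & ZONE_KEY_FLAG:
                continue  # validators ignore keys without the zone-key bit (RFC 4035 5.2)
            if rdata[3] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
                continue  # cheap pre-filter before hashing
            if ds_digest(child_owner, rdata, ds["digest_type"]) == ds["digest"]:
                return True
    return False


def walk_chain(trust_anchor_ds: list, zones: list) -> list:
    """zones: (owner, dnskey_rdatas, ds_set_for_child) from the root down. Returns (owner, status) pairs."""
    statuses, ds_set = [], trust_anchor_ds
    for index, (owner, dnskeys, child_ds) in enumerate(zones):
        if not verify_link(ds_set, owner, dnskeys):
            # Below a broken link nothing can be authenticated; a validating resolver returns SERVFAIL.
            statuses.extend((zone[0], "bogus") for zone in zones[index:])
            break
        statuses.append((owner, "secure"))
        ds_set = child_ds
    return statuses


# Constructed key material for the illustration; not the real keys of any zone.
ROOT_KSK = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 8, b"constructed-root-ksk")
GOV_KSK = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 8, b"constructed-gov-ksk")
GOV_ZSK = dnskey_rdata(ZONE_KEY_FLAG, 8, b"constructed-gov-zsk")
SITE_KSK = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 8, b"constructed-site-ksk")
SITE_ZSK = dnskey_rdata(ZONE_KEY_FLAG, 8, b"constructed-site-zsk")
STALE_KSK = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 8, b"constructed-retired-ksk")
TRUST_ANCHOR = [make_ds(".", ROOT_KSK)]  # stands in for the configured root trust anchor


def good_chain() -> list:
    """Every parent DS matches a key the child actually serves."""
    return [(".", [ROOT_KSK], [make_ds("gov", GOV_KSK)]),
            ("gov", [GOV_KSK, GOV_ZSK], [make_ds("sandia.gov", SITE_KSK)]),
            ("sandia.gov", [SITE_KSK, SITE_ZSK], [])]


def broken_chain() -> list:
    """Constructed failure: the parent still publishes a DS for a key the child has rolled away."""
    return [(".", [ROOT_KSK], [make_ds("gov", GOV_KSK)]),
            ("gov", [GOV_KSK, GOV_ZSK], [make_ds("sandia.gov", STALE_KSK)]),
            ("sandia.gov", [SITE_KSK, SITE_ZSK], [])]


if __name__ == "__main__":
    for label, chain in (("properly configured", good_chain()), ("misconfigured", broken_chain())):
        print(label, "->", " / ".join(f"{owner}: {status}" for owner, status in walk_chain(TRUST_ANCHOR, chain)))
```

The pre-filter on algorithm and key tag is what real validators do before hashing, and the zone-key-bit check is why a DS that points at a key lacking flag 256 is treated as no match at all rather than as a secure link.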
Right now, chances are that your site isn't configured to take advantage of DNSSEC, but eventually, many sites will be, especially if they handle sensitive data. This might include banks, credit card companies and perhaps even e-commerce sites. Your local motor vehicles department or social services office should eventually be covered anyway if they use the .gov domain. But eventually, most top-level domains will move to DNSSEC if only to mitigate the efforts of online criminals.
Problem is, once you move into DNSSEC, you will need help, and that's why Deccio developed DNSViz. "It's a tool for understanding how DNSSEC works and how authentication works in DNSSEC," Deccio said. "I found this out as we began to validate other people's signed zones. When problems came up, it was hard to troubleshoot them."