DNSSEC Adoption Needs to Grow to Secure Core Internet, Protocols

DNSSEC is capable of securing other Internet protocols, not just the DNS communications, but adoption has been lagging and needs to be more widespread.

NEW YORK - Internet stakeholders need to move forward with securing the core infrastructure by adopting DNSSEC, a security expert said at the International Conference for Cyber-Security.

DNSSEC, or Domain Name System Security Extensions, does not solve "all the ills" of the Internet, but it is a powerful tool that would improve the security of the Internet, Richard Lamb, a DNS security program manager at the Internet Corporation for Assigned Names and Numbers (ICANN), told attendees at the International Conference for Cyber-Security in New York Jan. 11. DNSSEC also adds a layer of security to the underlying infrastructure that can be extended to other applications, Lamb said.

DNSSEC is a security protocol designed to add keys to the domain name hierarchy that defines the Internet, and digital signatures to secure the transmission of data between Internet service providers and Domain Name System servers. Governments, major Internet organizations such as the regional Internet registries and ICANN, along with the security community, have been supportive of deploying DNSSEC, according to Lamb.

Once it is widely deployed, DNSSEC can be "repurposed" to secure other protocols, such as voice-over IP and Secure Sockets Layer, Lamb told attendees.

To understand DNSSEC, Lamb walked attendees through DNS, the Internet's phonebook. A user wants to go to the majorbank.com Website, but the user's computer doesn't know which machine that is, because it's not a system on the local network. The request is passed on to the ISP, which communicates with a DNS server to find the IP address of majorbank.com. The DNS server sends the IP address back to the ISP and the ISP can now direct all user requests to that server. Since the ISP caches the data, it can route all requests to the correct machine without having to talk to the DNS server again, Lamb noted.

The "Internet did not originally have security designed into it," Lamb said, noting there was a serious flaw in how the system worked.

If a malicious DNS server sends the ISP a different IP address for majorbank.com before the real DNS server answers, the ISP caches the malicious address and directs all requests to the wrong machine. The DNS cache has then been poisoned, and users are vulnerable to a wide range of attacks.

DNSSEC uses cryptographic signatures to secure communications with the DNS server. Since the address sent back from the malicious DNS server would not carry a valid digital signature, the ISP would recognize it as tampered with, drop the response and wait for the correct one.
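The lookup, the cache-poisoning race and the signature check described in the three paragraphs above can be illustrated in a small simulation. The following Go program is an added example, not code from the article or from ICANN, and it is a deliberately simplified model rather than the real DNSSEC wire format: it uses Ed25519 signatures in place of the RSA/ECDSA RRSIG records, a signed public key in place of the DNSKEY and DS record pair, and constructed keys and addresses (203.0.113.10 and 198.51.100.66 are documentation ranges). The root public key plays the role of the trust anchor a validating resolver is configured with; a non-validating resolver simply caches whichever answer arrives first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Simplified model of DNSSEC's chain of trust (assumption: not the real wire
// format). Each zone's public key is signed by its parent, and the answer is
// signed by the zone that owns it. The resolver trusts only the root key.

// signedKey stands in for a child zone's DNSKEY plus the DS record its parent
// publishes: the child's public key, signed with the parent's key.
type signedKey struct {
	Zone string
	Pub  ed25519.PublicKey
	Sig  []byte // parent's signature over keyMsg(Zone, Pub)
}

// signedAnswer stands in for an RRset plus its RRSIG.
type signedAnswer struct {
	Name, Value string
	Sig         []byte // owning zone's signature over answerMsg(Name, Value)
}

// Response is what an upstream server hands the resolver: the delegation
// chain from the root downwards, then the answer itself.
type Response struct {
	Chain  []signedKey
	Answer signedAnswer
}

func keyMsg(zone string, pub ed25519.PublicKey) []byte {
	return append([]byte(zone+"\x00"), pub...)
}

func answerMsg(name, value string) []byte { return []byte(name + "\x00" + value) }

// Validate walks the chain from the trust anchor (root public key) down to the
// zone that signed the answer, verifying each link, then verifies the answer.
func Validate(anchor ed25519.PublicKey, r Response) (string, error) {
	parent := anchor
	for _, k := range r.Chain {
		if !ed25519.Verify(parent, keyMsg(k.Zone, k.Pub), k.Sig) {
			return "", fmt.Errorf("delegation to %q does not verify", k.Zone)
		}
		parent = k.Pub
	}
	if !ed25519.Verify(parent, answerMsg(r.Answer.Name, r.Answer.Value), r.Answer.Sig) {
		return "", fmt.Errorf("answer for %q does not verify", r.Answer.Name)
	}
	return r.Answer.Value, nil
}

// Resolve models the cache race: responses arrive in order and the first
// accepted one is cached. A non-validating resolver accepts whatever arrives
// first; a validating one drops anything that fails Validate and keeps waiting.
func Resolve(anchor ed25519.PublicKey, arriving []Response, validating bool) (string, error) {
	for _, r := range arriving {
		if !validating {
			return r.Answer.Value, nil
		}
		if v, err := Validate(anchor, r); err == nil {
			return v, nil
		}
	}
	return "", fmt.Errorf("no verifiable answer received")
}

// Scenario builds a constructed example: a root key (trust anchor), a signed
// delegation root -> com -> majorbank.com, a genuine signed answer, and a forged
// response from an attacker who holds no zone key. Returns anchor, genuine, forged.
func Scenario() (ed25519.PublicKey, Response, Response) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	comPub, comPriv, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)

	chain := []signedKey{
		{"com", comPub, ed25519.Sign(rootPriv, keyMsg("com", comPub))},
		{"majorbank.com", bankPub, ed25519.Sign(comPriv, keyMsg("majorbank.com", bankPub))},
	}
	genuine := Response{Chain: chain, Answer: signedAnswer{
		"majorbank.com", "203.0.113.10", ed25519.Sign(bankPriv, answerMsg("majorbank.com", "203.0.113.10"))}}

	// The forgery substitutes a different address and key; .com never signed attPub,
	// so the delegation link fails even though the answer is self-consistent.
	forgedChain := []signedKey{
		{"com", comPub, chain[0].Sig},
		{"majorbank.com", attPub, ed25519.Sign(attPriv, keyMsg("majorbank.com", attPub))},
	}
	forged := Response{Chain: forgedChain, Answer: signedAnswer{
		"majorbank.com", "198.51.100.66", ed25519.Sign(attPriv, answerMsg("majorbank.com", "198.51.100.66"))}}
	return rootPub, genuine, forged
}

func main() {
	anchor, genuine, forged := Scenario()
	arriving := []Response{forged, genuine} // the forgery wins the race
	v, _ := Resolve(anchor, arriving, false)
	fmt.Println("without validation, cached:", v)
	v, err := Resolve(anchor, arriving, true)
	fmt.Println("with validation, cached:", v, "error:", err)
}
```

The design point is where the trust comes from: the resolver never trusts a key because the response carried it, only because the key above it in the hierarchy signed it, all the way up to the single configured anchor. That is why signing the root in 2010 and getting the TLDs signed matters so much; an unsigned link anywhere in the chain leaves the resolver with nothing to verify against.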

Once deployed, the globally trusted key infrastructure could be used as an authentication platform to secure other Internet protocols, such as the network, email, SSL, VOIP, WiFi, and Web content, Lamb said. Certificate Authorities can use DNSSEC to secure their certificates, Lamb suggested.

There are "yet-to-be-discovered security innovations, enhancements and synergies," Lamb said.

"The technology is fine, but there have been some problems in deploying it," Lamb said, noting that DNSSEC has been deployed on less than 1 percent of the Internet and on only 82 out of 312 top-level domains. TLDs with DNSSEC include .com, .net, .org and .gov.

ICANN deployed DNSSEC on the root in July 2010. It was the "biggest upgrade to the Internet's core infrastructure in 20 years," Lamb said. ICANN manages the root key, which is stored in secure key management facilities in Virginia and California with several layers of security, strong cryptographic protection and physical measures such as biometrics, according to Lamb.

DNSSEC needs to be "widely deployed across domains," and that will happen once registrars and ISPs get involved.

There is a lot of bureaucracy, along with fear and trust issues, around changing the guts of the Internet, and many excuses not to begin, according to Lamb. It is "hard to change anything that hasn't had to change since 1983," Lamb said, especially when it seems like the system is working fine.

Comcast just finished rolling out DNSSEC on its network, automatically offering DNSSEC-validating DNS servers to more than 17.8 million residential customers who use Comcast Constant Guard from Xfinity, Jason Livingood, vice president of Internet systems at Comcast, wrote on the ComcastVoices blog Jan. 10. The Internet service provider has also cryptographically signed all of the domains owned by the company, which number more than 5,000 domains, said Livingood.

This announcement makes Comcast the first large ISP in North America to have fully implemented DNSSEC, according to Livingood.

Lamb praised the recent Comcast news and noted that a "perfect storm" of recent events has increased interest in DNSSEC and driven adoption. Government plans, such as the National Strategy for Trusted Identities in Cyberspace from the White House and Sweden's e-ID program, have spotlighted the need for protecting online identities. The recent breaches at various certificate authorities highlighted the weaknesses in the Secure Sockets Layer protocol, and as networks "become smarter," through the use of sensors for smart grids and through ready access to online data, there has been an "impetus" to improve DNS, Lamb said.

"DNS and DNSSEC are part of all these ecosystems," said Lamb.

The third annual International Conference on Cyber Security: A White Hat Summit is a joint effort between the Federal Bureau of Investigation and Fordham University. Leaders from law enforcement, industry and academia discuss cyber-crime and real-life operations during the conference, which runs from Jan. 9 to Jan. 12 on the Fordham University campus in New York.