ICANN Promotes DNSSEC for Internet Security

Adoption of DNSSEC has been slow, but ICANN is pushing for it as a way to improve Internet security.

The Internet Corporation for Assigned Names and Numbers is joining those calling for DNSSEC as a security blanket for the Internet.

In remarks June 21 during ICANN's 38th international meeting in Brussels, ICANN CEO Rod Beckstrom contended that DNSSEC (Domain Name System Security Extensions) needs to play a key role in protecting the Web.

"The Internet and the DNS are central to global communications, industry, communities and the world economy," Beckstrom said. "ICANN consults widely within the community on cyber-security issues that relate to the DNS [Domain Name System]. We have moved ahead vigorously on a number of key security initiatives, including the DNSSEC root signing now taking place."

DNSSEC adoption has been slow in the past, but is now gaining steam. According to Afilias CTO Ram Mohan, a number of large top-level domains have committed to deployment, and the root and all the major gTLDs (generic top-level domains) will be signed by the middle of 2011.

"DNSSEC is meant to solve the man-in-the-middle attack where a third party can get between you and the location you are trying to go to via the DNS," Mohan said in an interview with eWEEK. "DNSSEC introduces digital signatures to the DNS infrastructure and can provide users with effective verification that their applications, such as Web or e-mail, are using the correct addresses for servers they want to reach."

Mohan continued, "When DNSSEC is deployed, it will ensure that you cannot be spoofed or hijacked once you go to a particular destination. ... Websites, applications, e-mail, everything that is on the Internet depends upon the DNS. DNSSEC secures the infrastructure layer of the Internet in a way that no other technology can do."

The primary reason DNSSEC adoption has not advanced until recently is that it was not deemed important by the Internet community at large, Mohan said. That changed in 2008 when security researcher Dan Kaminsky uncovered a serious protocol vulnerability in the DNS.

"Until the Kaminsky bug happened, DNSSEC deployment was going slowly," Mohan said. "There was a lack of urgency and no reason to move forward with deployment. Kaminsky demonstrated just how huge a hole the DNS had and how DNSSEC was the only way to plug the hole.

"Network service providers, or ISPs, are probably the most critical key to unlocking DNSSEC. Their servers respond to most of the DNS queries around the globe and pass those responses to end users ... Registrars and Web hosting providers are a critical piece because they are the gatekeeper to the end domain name owner. They manage the critical piece of taking the keys and the signature and sending it up to the registry and root system. They have to deliver the data both upstream and downstream."

Network hardware manufacturers are the final piece of the puzzle, Mohan said, and existing routers have to be upgraded.

"A little-known fact is that the DNS is not run on PCs, but routers. Just like you wouldn't run Word 2007 on a 486 computer, you wouldn't run DNSSEC on a 10-year-old router," he said. "But in actuality, home users typically rely on much older routers that may not be able to process DNSSEC requests properly. Therefore router manufacturers or the ISPs that provide home users with their hardware should be planning hardware upgrades to ensure [that] the routers their customers have can handle DNSSEC and the next generation of our DNS system."

Research released in November 2009 by Infoblox and The Measurement Factory found that DNSSEC-signed zones increased by about 300 percent between 2008 and 2009. In raw numbers, however, the amount of DNSSEC-signed zones is small next to the total number of zones.

"Forward-thinking ISPs like Comcast have even announced DNSSEC trials and full deployment plans," Mohan said. "Given these exciting advancements, the next important area that requires attention to bring DNSSEC to the end user is for the next level in the DNS chain of trust to be fully compliant."
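The "keys sent up to the registry" step Mohan describes, and the chain of trust he closes with, rest on one concrete link: the parent zone publishes a DS record that is a hash of the child's DNSKEY, and a validator checks that the two agree. The following is an added example, not code from the article or from ICANN or Afilias; it uses only the Python standard library, computes the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) for a constructed sample key under the made-up zone `example.test.`, and checks a DS record against it the way an operator would before (or after) submitting the DS to a registrar.

```python
import base64
import hashlib
import struct

# Constructed sample data, not a real zone or key: a KSK-style DNSKEY for example.test.
# Flags 257 = zone key + secure entry point, protocol 3, algorithm 8 (RSA/SHA-256).
SAMPLE_OWNER = "Example.TEST."
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8,
                 "public_key": base64.b64encode(b"\x01\x02").decode()}

def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) \
        + base64.b64decode(key["public_key"])

def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with the
    carry folded back in. It identifies, but does not authenticate, the key."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, key: dict) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata(key)).hexdigest().upper()

def make_ds(owner: str, key: dict) -> str:
    """Presentation form of the DS record the parent zone should publish."""
    return f"{key_tag(key)} {key['algorithm']} 2 {ds_digest(owner, key)}"

def ds_matches(owner: str, key: dict, ds_record: str) -> bool:
    """Validate a parent-side DS record against the child's DNSKEY: key tag,
    algorithm, digest type and digest must all agree, or the chain is broken."""
    tag, alg, dtype, digest = ds_record.split()
    if int(dtype) != 2:
        return False  # only SHA-256 DS records are handled in this example
    return (int(tag) == key_tag(key) and int(alg) == key["algorithm"]
            and digest.upper() == ds_digest(owner, key))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS to publish in parent:", ds)
    print("chain link valid:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

A key that is rolled without updating the parent's DS, or a DS submitted with the wrong owner name, fails `ds_matches` and would leave the zone bogus to validating resolvers.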