Vendor Pushes DNSSEC as a Fix for DNS Security

Secure64 Software is releasing software it says will drastically reduce the complexity, security and scalability issues that have slowed the implementation of DNSSEC. The recent discovery of a flaw in the DNS protocol by security researcher Dan Kaminsky has led to revived public discussion of DNSSEC as a solution to DNS cache poisoning attacks.

Between the press attention and the release of attack code for the Domain Name System protocol flaw revealed in July, DNS security has been front and center for many in the industry.

Concerns about the DNS bug, discovered earlier this year by security researcher Dan Kaminsky, have revived interest in DNSSEC (domain name server security extensions). DNSSEC is a set of extensions to DNS that provide origin authentication of DNS data, allowing DNS servers to ensure that the data in a reply came from where it claims to have. Long considered a solution to DNS cache poisoning, challenges around implementation have kept it from being widely adopted.

Secure64 Software is hoping to change that. The company, founded in 2002, is launching Secure64 DNS Signer in the second half of September with an eye toward addressing commonly cited technical barriers to DNSSEC implementation-complexity, security and scalability.

"DNSSEC has suffered from a -chicken and the egg' problem for many years," explained Mark Beckett, the Greenwood Village, Colo., company's senior vice president of marketing. "Domain owners that sign their zones have no guarantee that an end-user will actually receive the authentic DNS data and not some forged data from an attacker. The only way the end-user will be protected from forged data is if the end-user's ISP is DNSSEC-enabled and can validate the answer from a signed domain, but ISPs have no reason to enable DNSSEC unless there are actually signed zones out there to validate."

In regards to the issues of simplicity, he continued, Secure64 DNS Signer has been designed to completely automate the processes of key generation, key storage, key backup and restore, key publishing, key rollover and zone signing-essentially breaking implementation down to adding a single statement to the configuration file.

Using the Trusted Platform Module on-board the server hardware to generate a root key, the product creates, encrypts and stores private KSK and ZSK keys securely online for use in zone signing. Signer generates and keeps in reserve a spare KSK and ZSK for each zone so that if a published KSK or ZSK were to be compromised, the administrator can issue a command that rolls the key to the spare.

"To achieve scalability of up to hundreds of thousands of zones and millions of records, Signer employs high-speed cryptographic algorithms that provide over 6,000 RSA operations per second with a 1024-bit key," Beckett said. "In addition, Signer can be configured to sign zones either in bulk or incrementally, making it possible to deploy it in the largest and most dynamic environments without compromising existing update intervals."

Ram Mohan, CTO of Afilias, said once DNSSEC is implemented end-to-end, it will completely protect against the kind of flaw discovered by Kaminsky. Afilias provides registry services for a number of domains, including .info, .aero and .org. According to Mohan, Afilias plans to use Secure64's technology as a hardware-based way to sign certificates and to sign the .org domain itself in the .org zone.

"With seven million names in .org, it would be a significant strengthening of the core infrastructure on the Internet if .org had the base that would allow for DNSSEC to be supported," he said.