A technology that would make the Internets Domain Name System hackerproof will become available to I-managers early next year – but it will still be several years before any secure DNS standards become widely used.
VeriSign, which operates the Nets dot-com, dot-net and dot-org name registries, hosts a secure DNS test bed for developers that uses an Internet Engineering Task Force protocol called DNS Security. Currently, VeriSigns DNSSec test bed is restricted to authenticating only a few sample domain names. But in the first quarter of 2002, the company plans to make a trial version of the service available to customers so they can start securing their dot-com names, said Warwick Ford, chief technology officer of VeriSign.
“Were removing the risk of manipulating the DNS,” Ford said. “This is work still in progress, but its a standards-track project.”
VeriSign has not yet settled on pricing or timing for the launch of the secure DNS service for dot-com or other top-level domain (TLD) names, a company spokeswoman said.
The DNSSec protocol – in the works for more than four years – is designed to stop DNS “hijacking,” which occurs when a hacker tampers with a sites DNS information and misdirects visitors to an alternate server. In recent years, several high-profile sites, including those of McDonalds and RSA Security, have fallen victim to such hacks, which send a user to a bogus Web site that appears to be the companys legitimate site.
DNS servers match a sites URL, such as “www.interactiveweek.com,” with its numeric IP address. DNSSec enhances that basic function, using a digital signature to verify that the IP address served up is, in fact, the authorized one.
But several hurdles need to be cleared before DNSSec becomes practical for many e-businesses. One problem VeriSign has encountered is that the current version of the DNSSec protocol requires each “zone” – the group of domain names included under one authoritative DNS server – to secure all of its subdomains at once. In other words, its all or nothing. That would present a huge operational problem in securing the dot-com TLD – by far the largest TLD, with about 25 million names.
To bypass this difficulty, VeriSign has drafted an “opt-in” extension to the DNSSec that will allow VeriSign to sign up the dot-com zone incrementally instead of all at once, said Mark Kosters, VeriSigns vice president of research. The opt-in proposal must still undergo IETF review, he said.
There is also a performance penalty associated with secure DNS transactions. An unsecured DNS response today is about 200 bytes, whereas a DNSSec response can be as much as 10 times that, said David Conrad, CTO of Nominum, which has developed the most recent versions of the Berkeley Internet Name Domain server. BIND runs an estimated 90 percent of the DNSes in use today.
Additional overhead, as well as the general complexities of introducing a new technology, will cause operators of the Internets root servers – the 13 authoritative servers that sit at the top of the DNS hierarchy – to shun a speedy adoption of DNSSec. “Root server operators are a very conservative bunch,” said Conrad, whose company provides operational support for two of the DNS root servers.
While DNS servers that are not secure are able to receive responses from DNSSec-enabled servers, those results would not be authenticated.
“Its one of those things where so much of it requires the entire Internet to support it in order for it to really work,” said John Pescatore, Gartners chief Internet security analyst. “From a security goodness point of view, its a really solid idea. But right now [without wider DNSSec acceptance], there isnt any glaring problem DNSSec solves for any individual company.”