You may have seen media reports a few weeks ago describing how servers behind the so-called Great Firewall of China were found delivering incorrect DNS information to users in the rest of the world, thereby redirecting users to edited Web pages. Reports indicate that this apparently occurred due to a caching error by a single Internet Service Provider. While the problem was fairly limited in scope, it could have entirely been prevented in a world where DNSSEC was fully deployed.
This most recent event highlights the pressing need for adding security in the domain name system. There is currently no comprehensive way to check whether the DNS information your computers receive are genuine, meaning users could find themselves directed to Web sites belonging to hackers or, as in this case, to pages managed by an ISP or Network service provider.
This will not be the case for much longer. DNSSEC, an Internet standard which allows DNS resolvers to check the validity of DNS data, is now ready to be deployed. Over the next 12 months, many of the necessary infrastructure pieces will fall into place to enable enterprises, ISPs and application developers to use DNSSEC to defend their networks and their users.
For those of you who don't know what DNSSEC is, here is a one-paragraph technical description. Domain names and top level domains that are signed with DNSSEC, provide each request for a DNS query with digitally signed response, and these signatures can be validated against public keys all the way up the DNS hierarchy to a "trust anchor" published at the DNS root. This anchor will become available in July, when ICANN signs the root zone. Domain name owners can sign their own domains, or can assign it to trusted providers to be signed and managed. These keys are regularly updated and "rolled over,"making it difficult to hack or steal them.
At Afilias, we're very excited about DNSSEC. In June 2010, the Public Interest Registry will begin to accept signed second level .org zones in the world's largest signed zone to date. This is a proud moment for us as we are the back-end registry systems and DNS provider for .org. What this means is that owners of .org domains will be able to create their own keys and upload them for validation by nameservers globally. These signed .org domains will be among the first on the Internet that can substantially mitigate DNS traffic hijacking or man-in-the-middle attacks when the rest of the Web begins using DNSSEC for validation. As resolvers adopt DNSSEC worldwide, this security measure will become more and more effective.
As a serious provider of registry and DNS technology, Afilias has devoted years to developing DNSSEC solutions, built a global DNSSEC test bed to work out the kinks in the protocol, and measured the protocol's effects in controlled test environments. We're publishing our data and results in an open manner, so others can learn from our experience and become proficient in DNSSEC deployment also.
Internet Service Providers
ISPs have already recognized the potential of DNSSEC and are getting on board. In the US, Comcast recently announced a DNSSEC pilot for its subscribers. Any user can instantly sign up to use DNSSEC today, by manually pointing their resolvers to Comcast's DNSSEC compatible name servers.
The company will also sign its own zones, such as comcast.com, within the next 12 months. By the end of next year, it will have deployed DNSSEC to all of its name servers, making security a basic part of the Internet's plumbing for its users. Comcast knows that early adoption puts it at a competitive advantage, and other ISPs will certainly follow its lead.
Organizations with strong Web presences should take advantage of this support for DNSSEC by signing their own domains as soon as it is feasible. A signed zone, validated by a compatible resolver, significantly reduces the risk of the user DNS traffic being hijacked (also known as "pharming" attacks) which can cause brand damage for companies that conduct business online.
Deploying DNSSEC can be challenging; there are technical, business and ROI issues to take into consideration. But service providers are making this complex technical task simpler. For example, registrars like NamesBeyond and Dynamic Network Services have built easy-to-use Web interfaces that simplify the process of signing and managing DNSSEC domain names. DNS operators like Afilias are working on solutions that allow enterprises to outsource their DNSSEC hosting to their cloud-based managed DNS platforms. DNSSEC will soon become a commercial necessity for any company doing business on the Internet, especially during the early adopter phase when it will be a positive competitive differentiator. Consider investing the effort now to become a market leader.
The .com zone is expected to be signed in the first quarter of 2011, but for more than half a year before then the opportunity to get to grips with DNSSEC in the .org zone will be there for the taking. This means a ripe testing period with the ability to collect production-level data about your enterprise's readiness before you sign your .com domain.
Although your organization's signed DNSSEC zone will benefit from ISP support, it still represents the tip of the iceberg. For DNSSEC to be fully effective, it needs to be deployed as close to the end user as possible. All applications that use the Internet and its underlying DNS infrastructure have to smarten up to recognize the difference between a DNSSEC-validated domain and a non-DNSSEC domain name. Just as your Web browser can tell if that ecommerce site you are using is secure (SSL protected) or insecure (non-SSL protected), web and Internet application vendors need to write software to integrate the "chain of trust" that DNSSEC brings forward.
If web surfers use Internet Explorer, for example, their address bar will turn green and a padlock icon will appear when they visit a web site secured by SSL technology. This visual cue permits users to trust that their sensitive transaction data will not be intercepted while they perform their banking or online shopping transaction.
What SSL does not do is tell the Web user that it is really your bank or online store they're sending the encrypted information to. A site could be SSL encrypted, but controlled by malicious hackers. The job of validating the domain itself can be carried out only by DNSSEC. While SSL secures the contents of the site, DNSSEC will tell you whether it's actually the correct site.
Imagine a future Web, where browsers automatically validate domains using DNSSEC, and inform users that they are on the real site they intended to visit. Imagine applications that can tell when users are being hijacked while traveling to the link they clicked in their Twitter feed. DNSSEC enables that. Just as users were able to rely on safe and fast technology when they see the "Intel Inside” logo on their computers, the time is coming when Internet users will be able to rely that the site they are on is validated because it has "DNSSEC Inside”.
When DNSSEC is more widely deployed, users might expect to be actively informed when there is a problem authenticating a domain, in much the same way as browsers currently alert them to problems with SSL certificates. For organizations that are trying to keep market share of their browser solution, deploying DNSSEC could be another differentiator.
DNSSEC creates an entirely new piece of Internet infrastructure upon which software developers can apply their ingenuity. Over the next few years we should expect to see applications leveraging domain name security in ways we cannot imagine now.
DNSSEC is not pie-in-the-sky talk any more. It's a reality as current and pressing as the need to migrate to IPv6. Whether you are a registrar, registry, ISP, enterprise or developer, if you haven't started planning for DNSSEC yet, you should start to wonder whether you're behind the curve.
By Ram Mohan, Executive Vice President & CTO, Afilias
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DNS Services
Minds + Machines
Neustar DDoS Protection