A blog post has created some attention online through its extremely negative attitude to DNSSEC. Through the years, I have come in contact with many arguments against DNSSEC that suggest that anyone who is critical has not managed to or wanted to familiarize themselves with what DNSSEC is and does. We have received many questions concerning the article, so I feel it’s appropriate to respond to the criticism.

(This is a translated blog post. You can find the Swedish version here.)

* * *

Whether DNSSEC is worth the effort is a good question that deserves to be repeated and answered many times to increase the understanding of what DNSSC is, which problems it solves and which problems it does NOT solve. Up until 2008, there were many who felt that DNSSEC was not worth the effort, but then came Dan Kaminsky’s discovery and suddenly we had something that showed the economic benefit and former detractors switched sides.

DNSSEC is used to secure the domain name system from abuse and man-in-the-middle-attacks such as, for example cache poisoning. DNSSEC ensures the content in DNS with help of cryptographic methods that use electronic signatures. DNSSEC means that the user, doing a DNS lookup, through the validation of signatures, will be able to determine if the information that comes back in response comes from the correct source and if it has been tampered with on the way. It thus becomes difficult to falsify information in DNS that is signed with DNSSEC without it being detected.

Does not stop all scams

For the average person, DNSSEC means a decreased risk for becoming a victim of fraud when, for example, banking or shopping online because it is easier for the user to determine that they are communicating with the right bank or shop and not a fraudster.

It is, however, important to note that DNSSC does not stop all types of fraud. The function is only designed to prevent attacks where the attacker manipulates responses to DNS queries to achieve their goal. There are still many other security flaws and problems on the internet that DNSSEC does not solve, for example, attacks such as distributed denial of service (DDOS).

When it comes to phishing (pages that are similar or identical to the original to trick one into giving passwords and personal data) and pharming (redirection of a DNS query to the wrong computer) and other similar attacks against DNS, DNSSEC gives some protection. DNSSEC does not however protect against attacks on other levels, for example, attacks on IP or network levels.

Good addition

The author of the article belongs to a group that does not think DNSSEC contributes to security and think that TLS-certificates are more important. I would rather say that they solve completely different problems, but that DNSSEC has the potential to be a good addition to make certificate management easier.

In recent years there have been many, very serious attacks on certificates and a number of large certificate authorities, (CA). Therefore, there is reason to think about how one can best solve the problems that exist. We are talking about traditional security. The damage control at the CAs that have been hit by successful attacks has been varied. Some of the affected certificate authorities also acted both slowly and inadequately when it comes to conveying information to its customers and the outside world. They have simply demonstrated a lacking crisis management.

There are many who work with solutions. One of the most interesting initiatives is currently the one developed through the IETF working group DNS-based Authentication of Named Entities (DANE), the results of which are available as a finished standard and have been published as Transport Layer Security (TLS) Protocol: TLSA, RFC 6698.

With DANE, certificates are stored in DNS where it is possible to verify them. Trust goes to DNS using DNSSEC. The approach complements the certification authority’s signatures by supplementing or sometimes replacing the verification of the certificate with DNS. It helps to improve the quality of the certificate and therefore increases trust.

The method also makes it possible to skip the traditional certificate authorities and only rely on DNS in case you just want to verify the domain name and not which legal person is behind a service.

No new code required

The main advantage with DNSSEC is that it scales in several different dimensions. Because it inherits the hierarchical model from DNS, there is no limitation on how many active partners can be part of the infrastructure. And thanks to an arm length’s relationship to encryption, DNSSEC can change the way handshakes are implemented over time, without needing to introduce new code everywhere.

Thanks to DNSSEC’s dynamic nature for security connections, DNSSEC scales despite changes in the network.

It is possible that search engines like Google might prioritize websites with certificates when you do a search on the internet and that’s fine, but there are more services than the web that exists on the internet. You have e-mail, instant messaging, IP telephony, the internet of things, and so on. All of these use DNS to do lookups between IP addresses and domain names.

In internet context, DNSSEC is a relatively young technology, with 10 years behind it, and the protocol is changed through IETF’s work, algorithms, key lengths and other parameters that are also not static. It is something one chooses, according to best practice.

Well, I don’t have so many other comments remaining to the article. It’s obvious the author does not like DNSSEC. But to suggest that it is controlled by the government is more a sudden case of paranoia than the results of a relevant and reasonable analysis.

Natural development

So far there is no requirement for mandatory signing of domains with DNSSEC from .SE. We support the choice and we work with our registrars to encourage them to take the plunge. Together with the Swedish Civil Contingencies Agency (MSB), the Swedish Post and Telecom Authority (PTS) and the Swedish Association of Local Authorities and Regions (SKL), we contribute with support for municipalities to implement DNSSEC, including a guide to the introduction of DNSSEC.

Personally, I believe that the development will take that route because it is a natural development in order to strengthen the internet’s basic infrastructure. The arguments that speak favorably for DNSSEC are stronger, if you ask me.