Almost sixteen percent of the
global population has Internet access, up nearly 200 percent between
2000 and 2005 according to data compiled by Internet World Stats.
Growth has been fastest in Africa (423.9 percent) and Middle East
(454.2 percent), followed by Latin America and the Caribbean (342.5
percent), but all world regions saw growth in excess of 100 percent in
those five years. More people than ever – and presumably more people
of a wide variety of skills and sophistication – now use the Net. And
most users trust the Internet’s system of domain names, which maps
easily remembered names to numeric Internet Protocol (IP) addresses,
and expect to be directed reliably to the website they’ve entered in a
browser.

Unfortunately, that’s not always
the case. Attackers can disrupt the domain name system (DNS) by
intercepting transmissions or by gaining illicit access to servers on
the network to tamper with DNS information. The ability to redirect
unsuspecting users to other domains leaves open risks for fraud in
electronic commerce or attacks on the Internet infrastructure, where
most end users cannot prevent or even detect them.

Serious DNS attacks are a reality.
In June 2006, Michelle Baltazar reported in the Financial Standard
that a Deloitte Global Security Survey found that “more than three-quarters
of the world’s leading 150 finance groups suffered a serious security
breach in the last 12 months.” These attacks resulted from both “phishing,”
where an e-mail message is used to decoy end users to false sites, and
the more insidious “pharming,” where a DNS attack redirects users to
a bogus site.

The good news is that security
measures are underway in a global, cooperative effort to help DNS
perform as people expect it to – in a trustworthy manner. Since the
1990s, the international technical community has been working on the
Domain Name Security Extensions (DNSSEC) protocol through the
standards-setting process of the Internet Engineering Task Force (IETF)
after several well-respected voices demonstrated the existence and
gravity of the threat. The standard was published in October 2004 and
deployment on an international scale has begun.

DNSSEC introduces digital
signatures throughout the DNS hierarchy, which begins at the root and
extends through the top level domains (the generic TLDs like .COM,
.NET and .INFO, and the country codes like .MX, .BR and .CL) to
individual zones. DNSSEC establishes that the binding between a
domain name and its resource records, including its IP addresses, has
not been compromised. It can be used to trace the addresses used for
web and email servers back to the bona fide owner of the domain; to
provide authoritative evidence that a binding is bogus; or to show
that a specific domain name or resource type does not exist.
Applications such as web browsers and email systems can use the
digital signatures to provide new services for their users.

Deploying DNSSEC in a zone is a two-step
process. The key that signs the zone information (the zone signing
key) is itself signed, and the private part of the key pair (the key
signing key) is then held by the parent zone, so that any DNSSEC-
compliant system that requests information from a DNSSEC-compliant
zone can validate the key. This creates a chain of trust all the way
up the DNS hierarchy, eventually to the root. Both key pairs, the
zone signing key and the key signing key, must be changed, or “rolled
over”, at regular intervals or, if compromised, on an unscheduled
basis. “Key rollover” remains a research concern. Moreover, it is
possible to “walk a zone”, enabling someone to discover the entire
contents of a zone file, which can present challenges to privacy and
data security. An international group of developers is working
through both problems within the IETF process. Finally, signing the
root and managing its keys are critical to deployment and efforts are
underway to do so.
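The chain of trust described above, worked through as an added example that is not code from the article: a Python model in which each zone's key signing key (KSK) signs its DNSKEY set, its zone signing key (ZSK) signs the other records, and the parent publishes a DS record (a digest of the child's KSK public key, signed under the parent's own ZSK), so a validator configured with nothing but the root KSK digest can check a record three levels down; the pharmed_chain() case shows the kind of tampered answer the pharming discussion warns about failing validation. Assumptions: textbook RSA on small primes stands in for DNSSEC's real algorithms and wire formats, the zone names, addresses and the "DS:<child>" record keys are this model's own placeholders, and nothing here is secure.

```python
import hashlib
# Textbook RSA on primes found at run time stands in for DNSSEC's real signatures (NOT secure).
PRIMES = [p for p in range(10007, 10200) if all(p % d for d in range(2, 101))]
digest = lambda data: int.from_bytes(hashlib.sha256(data).digest()[:3], "big")
pub_bytes = lambda pub: f"{pub['n']}:{pub['e']}".encode()   # DNSKEY RDATA stand-in
sign = lambda priv, data: pow(digest(data), priv["d"], priv["n"])   # RRSIG stand-in
verify = lambda pub, data, sig: pow(sig, pub["e"], pub["n"]) == digest(data)

def make_key(p, q, e=65537):    # -> (public, private) textbook RSA pair
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, (p - 1) * (q - 1))}
def ds_digest(name, ksk_pub):   # DS record: digest of owner name + KSK DNSKEY
    return hashlib.sha256(name.encode() + pub_bytes(ksk_pub)).hexdigest().encode()

def make_zone(name, primes, records):
    """KSK signs the DNSKEY RRset, ZSK signs the rest; only public data is published."""
    (ksk_pub, ksk), (zsk_pub, zsk) = make_key(*primes[:2]), make_key(*primes[2:4])
    dnskey = pub_bytes(ksk_pub) + b"|" + pub_bytes(zsk_pub)
    rrsets = {"DNSKEY": (dnskey, sign(ksk, dnskey))}
    rrsets.update({t: (r, sign(zsk, r)) for t, r in records.items()})
    return {"name": name, "ksk": ksk_pub, "zsk": zsk_pub, "rrsets": rrsets}

def validate_zone(zone, trusted_ds):   # -> validated ZSK, or None if the chain breaks
    if ds_digest(zone["name"], zone["ksk"]) != trusted_ds:
        return None                 # this KSK is not the one the parent vouches for
    data, sig = zone["rrsets"]["DNSKEY"]
    return zone["zsk"] if verify(zone["ksk"], data, sig) else None

def resolve(chain, anchor_ds, rtype):
    """Walk root -> leaf; a child's DS is accepted only under the parent's ZSK."""
    ds = anchor_ds
    for i, zone in enumerate(chain):
        zsk = validate_zone(zone, ds)
        if zsk is None: return None
        if i + 1 < len(chain):      # parent-published DS for the next zone down
            ds, sig = zone["rrsets"]["DS:" + chain[i + 1]["name"]]
            if not verify(zsk, ds, sig):
                return None
    rdata, sig = chain[-1]["rrsets"][rtype]
    return rdata.decode() if verify(zsk, rdata, sig) else None

# Constructed chain with placeholder names: root trust anchor -> tld -> leaf zone.
leaf = make_zone("example.tld.", PRIMES[0:4], {"A": b"www.example.tld. A 192.0.2.10"})
tld = make_zone("tld.", PRIMES[4:8], {"DS:example.tld.": ds_digest(leaf["name"], leaf["ksk"])})
root = make_zone(".", PRIMES[8:12], {"DS:tld.": ds_digest(tld["name"], tld["ksk"])})
ANCHOR = ds_digest(root["name"], root["ksk"])   # what a validator is configured with
def pharmed_chain():   # pharming-style tamper: address rewritten, RRSIG left as is
    rdata, sig = leaf["rrsets"]["A"]
    forged = (rdata.replace(b"192.0.2.10", b"203.0.113.9"), sig)
    return [root, tld, dict(leaf, rrsets={**leaf["rrsets"], "A": forged})]
```

resolve([root, tld, leaf], ANCHOR, "A") returns the A record text, while resolve(pharmed_chain(), ANCHOR, "A") returns None because the altered address no longer matches the ZSK signature.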

Status of DNSSEC Deployment

The Swedish National Registry
(.SE) became the first top level domain (TLD) to deploy the protocol
in September 2005. The European infrastructure services organization,
RIPE NCC, has also begun deploying DNSSEC in its zones, and .AERO, a
sponsored TLD in the aviation transportation services sector based in
Geneva, has announced plans to do so as well. Interest is high and
ICANN, among others, has sponsored regular workshops providing a forum
for education and outreach. Recently, for example, NIC Mexico and
Tecnológico de Monterrey Campus Monterrey launched the DNSSEC Trial
México in anticipation of a future migration to DNSSEC in the .MX
ccTLD.

The U.S. Department of Homeland
Security leads U.S. efforts to secure the domain name system and
supports the DNSSEC Deployment Initiative,
which works with many nations and organizations in the public and
private sectors to encourage adoption of DNS security measures.
VeriSign; PIR, which operates the .ORG TLD; NeuStar; and Internet2, a
consortium of major U.S. universities with ties to U.S. federal
labs and Canadian research institutions, have participated or are
participating in pilot projects.

From an organizational
perspective, operational overhead can probably be absorbed within
existing organizational frameworks. However, the protocol does bring
with it some new procedures and can be temporarily disruptive. Early
adopters observe, though, that deployment can be accommodated through
the natural upgrade cycle and offers an opportunity to rationalize
sometimes ad hoc legacy systems.

Next Steps

Refinements to the protocol are
needed to address key rollover and zone walking. Understanding
performance and measuring the impact of the protocol on existing
operations pose another challenge; the potential impact of deploying
DNSSEC varies by what part of the transaction is considered, the
number of domain names in a zone and the amount of information about
each domain name. Researchers at the U.S. National Institute of
Standards and Technology, among others, are investigating these issues;
a web page summarizing the available information is at:
http://www-x.antd.nist.gov/dnssec/dnssec-perform.html. Finally,
efforts to date have resulted in a number of tools (see
http://www.dnssec-deployment.org/TK) but there are still some gaps.
Moreover, substantial work is still needed to make these tools easier
to use.

Amy Friedlander (Shinkuro, Inc.) and Denise Graveline (Don’t Get Caught)