Internet Society Briefing Panel at IETF 75
Securing the DNS: Leading the next step towards a more secure Internet
On the panel
- Patrick Wallström - .SE – the Country Code Top Level Domain (ccTLD) operator for Sweden, one of the first to deploy DNSSEC. See: .SE DNSSEC Experience (PDF: 1.2MB)
- Richard Lamb - ICANN – the non-profit corporation overseeing many vital aspects of Internet technical administration, including the Root DNS zone. See: DNSSEC at the Root: Opening the Door to Opportunity (PDF:38KB)
- Olaf Kolkman - NLnet Labs – See: DNSSEC: Let's grow us a chicken (PDF: 1.9MB)
- Leslie Daigle - The Internet Society – a nonprofit organisation providing leadership in Internet related standards, education, and policy. See: Securing the DNS: An ISOC briefing panel (PDF:240KB)
- Jim Galvin - Public Interest Registry – the operators of the .ORG Registry which recently deployed DNSSEC and signed the .org domain. See: .ORG & DNSSEC (PDF:246KB)
- Matt Larson - Verisign – one of the world’s leading providers of network infrastructure services, including two of the root name servers and digital certification. See VeriSign's DNSSEC Plans for .com, .net and the root (PDF:149KB)
As the pre-eminent identifier system of the Internet, it is important that the domain name system (DNS) functions effectively, efficiently, and correctly. DNS is used, chiefly, to translate commonly visible domain names (e.g., in website and e-mail addresses) to network addresses. In order to work on the scale of the global Internet, the DNS is necessarily a highly distributed system, with domain name holders arranging for the management of the translation of their domains to network addresses. While this highly distributed nature allows for the information to be updated close to the authoritative source (e.g., the domain name holder), it also means that any given name-to-address translation will require interactions with multiple independent servers outside of your network. For your browser to be able to reach www.google.com, you rely on a number of DNS servers to be configured properly, respond quickly, and to give your device up to date, correct information. You know what service you want to reach at that address, and Google Inc is certainly interested in ensuring you get there.
All of this works today, and has worked for years, because of general adherence to operational best practices for DNS services, and general goodwill of DNS operators to provide fast, efficient and effective DNS services. In general, much has been done to address DNS errors due to misconfiguration or software issues, and today's overall Domain Name System service is quite robust. However, as the world's commerce and government activities increasingly rely on the Internet as a critical foundation for their services, it becomes equally important that there is confidence that the network address you receive for a service is, in fact, the one that service wanted you to use. You want to be able to ensure that you have the authentic address for www.someservice.com -- the one SomeService Inc intended you to have. It is this specific authentication step that is enabled through the use of "DNS Security" (DNSSEC) technology.
With DNSSEC, SomeService's DNS entries (the domain name to address mappings) are cryptographically signed, and SomeService's public key is published, so that your software can authenticate the result it gets back. If the authentication fails, you know that, through misconfiguration or malfeasance, the answer you got back may be wrong, and should not be trusted.
There is even more value than that in the authentication process. The DNS has largely worked reliably for years, but there are well known issues of Internet abusive activities including spam and phishing. The technologies and services being developed and deployed to detect and reduce the impact of these abusive activities will themselves rely on having reliable (authentic) results from the DNS.
While DNSSEC technology has been in development for over a decade, the Internet is now reaching an important milestone -- DNSSEC is no longer an academic pursuit or a hypothetical service. Major gTLDs are adopting it, and there are plans to sign the root of the DNS by the end of 2009. These are required steps in order for individual domains to be able to adopt DNSSEC themselves. DNSSEC, like every other piece of Internet technology, is a building block: its use and ultimate success depend on what services are built with it. But, with these steps underway, Internet and commercial development can explore the possibilities made available within a more robust environment.
Frequently asked questions about DNSSEC
What is DNSSEC, exactly?
DNSSEC is an extension to the DNS specification that permits the cryptographic signing of DNS records, using public key technology. DNSSEC public keys are stored in the DNS, as well. Together, this allows DNS zone maintainers to provide signed DNS results, and DNS resolving software to authenticate the results. This does not prevent other forms of DNS issues -- such as denial of service attacks on servers, misconfiguration, hijacking of responses, etc. However, in the latter case, it does allow the client resolver to ascertain whether the result received should be trusted, and act accordingly.
Why do we need DNSSEC? This is a fix - but is it broken?
Prior to the publication of the Kaminsky attack vector, it is fair to say that there was complacency in the Internet world as to the operation of the global DNS. Robust DNS server software is easily available. Support for configuration is available. Services are generally reliable. However, the Kaminsky attack demonstrated that there are real threat vectors for undermining the integrity of the DNS. DNSSEC does not provide a total answer to DNS security -- operationally sound services are still required. However, as technologies increasingly rely on accurate and authentic results from DNS, the status quo of security is not sufficient.
But, it's so complex! How will I ever deploy it?
Like all new Internet technologies, DNSSEC is different and requires different management routines and software for validating results. The impact of DNSSEC will not be felt overnight. However, as adoption increases, more tools and support materials will become available, and DNSSEC should appear no more complex than any other part of standard Internet technology.
What can I do, today?
There are several TLDs that are supporting DNSSEC today, as well as registrars. Check if yours does. If yes, you can sign your own zone(s) today. If not, it's just a matter of time. If you are an Internet software or services developer, you should be exploring the appropriate support for reviewing results from queries against signed zones, and making use of this new data authentication ability.
So much to do! Is general DNSSEC deployment realistic?
Again, as with any new Internet infrastructure technology change, there are complexities to be worked out -- in terms of ensuring appropriate configurations, treatment of results, best practices for operations and software. However, major TLDs and DNS software services are committed to ensuring this security technology is available. As with any deployment: the Internet will take it one step at a time, until we look back and wonder how we ever lived with out it.