‹ Back
Deploy360 3 February 2012

Information Week on DNSSEC: Having the keys to your own castle is important

Dan York
By Dan YorkDirector, Web Strategy & Project Lead, Open Standards Everywhere

So there I was eating my lunch and reading a treeware version of Information Week (you know, those paper things we called “magazines” before everything went to e-something?).  Having always been interested in encryption, I started reading the “2012 Data Encryption Survey: Progress and Pain” (sadly, free registration is required to read the whole article) expecting it to be, well, all about data encryption…

… and it was – particularly starting off talking about the the challenges of using SSL/TLS with all the attempts to break SSL, and the multiple compromises at SSL certificate companies that have resulted in attackers successfully getting bogus, but valid, certificates asserting they were someone else.

Then all of a sudden I stopped eating my sandwich as the article took a sharp turn into the world of DNSSEC (and yes, I added some emphasis at the end):

Enter DNSSEC. The DNS Security Extension spec provides the capability for a domain owner–the IT team–to place additional encryption validation at the DNS layer. First it will verify that the SSL certificate is valid. But it also will verify that the DNS server that is authoritative for the domain being requested actually belongs to the certificate owner.

In our example, if a user went to the breached site and got a certificate, it wouldn’t validate with the DNS server hosting, because the certificate generated by the attacker using the hacked CA wouldn’t match. The browser could display a big red box telling the user he’s going to an invalid site. Currently, Google’s Chrome supports DNSSEC natively, and there are plug-ins for Firefox. Internet Explorer 9 doesn’t support DNSSEC, but version 10 is expected to.

The other benefit of DNSSEC is that DNS queries are validated by all servers–from the domain’s authoritative server to the local DNS server to the browser–which means that even man-in-the-middle attacks on DNS queries will be caught.

DNSSEC isn’t perfect, and it’s not a complete replacement for SSL/TLS. But it is a step in the right direction to put control of certificate verification into the hands of certificate owners, instead of the CAs. Furthermore, using DNSSEC is a great solution for organizations with their own internal CAs that don’t want to deploy certificates to every possible device. Most of our respondents, 55%, have their own internal CAs; an additional 15% plan to within 24 months.

Having the keys to your own castle is an important step in controlling your encryption destiny, and if you plan to leverage cloud services securely, it may just be a requirement.

Here, in just a few paragraphs, was a great explanation of an important role DNSSEC can play as another layer in the security infrastructure.  In this case, DNSSEC can be used to check the validity of the certificates being used for SSL/TLS.

More importantly, me being the control-freak that I am, the article points out the incredible importance of being in control of your own security.  You, as the domain owner, can be the one inserting the appropriate keys directly into the DNS infrastructure.  Or you can have someone do it on your behalf… but the point is that you are in control.

That’s a powerful capability!

What do you think?  Have you started looking at DNSSEC yet?  If not, check out the DNSSEC resources we’ve listed so far – and if you don’t find exactly what you need, please ask us about it and we’ll see if we can find something to help you.

P.S. For those wondering, the rest of the article provided some interesting discussion and statistics around encryption within cloud computing platforms and with the use of mobile devices such as tablets and smartphones. Oh, and I did eventually finish my sandwich. 😉

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains
Deploy3602 July 2014

No, DNSSEC Would NOT Help Prevent Microsoft's Seizure Of Domains

With a great bit of the tech media's attention this week on Microsoft's court-sanctioned seizure of 23 domains from dynamic DNS...

Rough Guide To IETF 89: DNSSEC, DANE and DNS Security
Rough Guide To IETF 89: DNSSEC, DANE and DNS Security
Domain Name System (DNS)27 February 2014

Rough Guide To IETF 89: DNSSEC, DANE and DNS Security

At IETF 89 next week in London there is a huge amount of activity related to DNSSEC, DANE and DNS security...

Rough Guide To ICANN 51: DNSSEC And The Root KSK Rollover
Rough Guide To ICANN 51: DNSSEC And The Root KSK Rollover
Domain Name System Security Extensions (DNSSEC)13 October 2014

Rough Guide To ICANN 51: DNSSEC And The Root KSK Rollover

How do we increase the security of the Domain Name System (DNS)? How can we expand the usage of DNS...

Join the conversation with Internet Society members around the world