‹ Back
Deploy360 30 April 2013

Can DNSSEC and DANE Help Make Voice-over-IP (VoIP) and Unified Communications (UC) More Secure?

Dan York
By Dan YorkDirector, Online Content

Can DNSSEC help make voice and video communications over IP more secure?  Could DNSSEC combined with DANE provide a means to more easily distribute the TLS/SSL certificates needed for VoIP phones and systems?  Can DNSSEC help ensure that you are talking with the correct VoIP system or application server?  Can DNSSEC improve the security of the many WebRTC-based clients being developed? How can a DNS-based public key infrastructure (PKI) help improved the security of IP-based communications?  (whether you call it “VoIP”, “unified communications”, “real-time communications” or just simply “telecommunications”)

These were among the questions that I set out to address in a presentation at the SIP Network Operators Conference (SIPNOC) 2013 last week in Reston, Virginia. Speaking to network operators ranging from large carriers and telcos to smaller “over-the-top (OTT)” startups, I used this set of slides to frame the discussion:

I also spoke about how two VoIP software products have already incorporated DNSSEC – the Jitsi softphone and the Kamailio server – and mentioned the new “DNSSEC and IP-based Communications” resource page I’m starting to build (and for which I would appreciate any suggestions).

I don’t necessarily have the “answers” to these questions (although I have opinions 🙂 )… I was more starting to raise the questions. The DNS community has been building this mechanism (DNSSEC) that provides a “trust layer” and can increase the security of DNS, as well as, via DANE, the entire TLS/SSL certificate infrastructure that we have come to rely upon.  How can we use these improvements to increase the security of IP communications?

For some further context, you may be interested in this recording I made on the topic:

I think there could be some good potential benefit here – and I’m looking forward to further discussions on this topic in the weeks and months ahead.  I’d love to hear your thoughts… either as comments to this post on our site or in social networks … or via direct email to me.

How could we use DNSSEC to increase the overall security of our communications infrastructure?


P.S.  I’ll also be appearing on the VoIP Users Conference (VUC) podcast on this coming Friday, May 3, 2013, to discuss these ideas within that community (to which anyone is welcome to join in). More details soon… 

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...

Join the conversation with Internet Society members around the world