Deploy360 24 October 2014

DNSSEC Is A Building Block, Not A Magic Bullet

By Dan YorkDirector, Internet Technology

Olaf KolkmanSpeaking at Broadband World Forum (BBWF) in Amsterdam this week, our CITO Olaf Kolkman was quoted as saying a key point we’ve been emphasizing throughout our work:

“There is no magic solution to any cyber security or internet security type of threat. But there are a number of building blocks that are promising.”

They include domain name system security extensions (DNSSEC), which help to secure certain kinds of information on networks.

“But they’re building blocks, they’re not magic bullets,” he said.


When we speak about DNSSEC or TLS  or BGP security, we are often immediately met by detractors with “But it doesn’t do ______” which, in their minds, immediately disqualifies the technology from further usage.  Often this is said, even though DNSSEC/TLS/BGP was never intended to do whatever it is they want.  They just expect the technology to magically do it all!

For example, with DNSSEC, some people immediately say “but it doesn’t protect against the confidentiality of your DNS queries!”  Well, no, it was never intended for that.  DNSSEC is entirely about protecting the integrity of your DNS queries, i.e. ensuring that the information you receive from DNS is the identical information that the operator of the domain put into DNS.  That’s it.  Confidentiality of DNS queries is something completely different! (And is now being discussed by the new DPRIVE working group inside the IETF.)

And by being a smaller building block, DNSSEC can be built upon to bring about powerful new innovations such as the DANE protocol, where we can add an additional layer of trust to TLS / SSL certificates and interactions.

What has made the Internet work so well on a technical level and evolve into the amazing communications medium that it has become is the fact that it is built from small building blocks that are then loosely coupled together in ways that make sense.

Building blocks, not magic bullets!

P.S. And if you want to get started with security building blocks like DNSSEC, please visit our Start Here page!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...