Will 2012 be the dawn of DNSSEC?

Comcast first U.S. ISP to deploy emerging standard, but cybersecurity experts hope others will follow

By , Network World
January 18, 2012 03:26 PM ET

Network World - Will 2012 be the year when U.S. retailers, banks and content providers finally bolster their DNS systems with an add-on security measure that prevents Web site spoofing? That's what advocates of the security measure - dubbed DNSSEC for DNS Security Extensions - are hoping will occur.

Cybersecurity experts are urging IT departments to invest in DNSSEC now - before a high-profile attack occurs that could have been prevented by readily available DNSSEC-compliant appliances, software and services.

Already, the new year has brought one major DNSSEC announcement: Comcast said last week that it was the first ISP in North America to provide resolution services for DNSSEC queries.

RELATED: Sandia Labs touts DNSSEC tool

At issue is whether the Comcast announcement will spark action by rival ISPs, Web site operators, enterprises and software developers to invest in readily available solutions to a gaping problem in the DNS.

"We're at the early stages of DNSSEC deployment," admits Matt Larson, vice president of DNS Research at Verisign, which operates the .com, .net and .gov domains that all support this emerging security standard. "DNSSEC is not on anybody's radar screen yet...There has not been a security event that people have seen that has spurred on adoption."

"We believe DNS security will become more important in the coming year," says Richard Jimmerson, director of the Internet Society's new online resource Deploy360 that provides practical information about deploying DNSSEC. "If you're serving up information on the Web, you want to make sure that your customer, client or visitor is getting what you intended. We see more examples of fraudulent commerce and hijacking of content. This is becoming much more of a problem."

What is DNSSEC?

DNSSEC solves what's called the Kaminsky vulnerability, a fundamental flaw in the DNS that was disclosed in 2008. This flaw makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing.

DNSSEC prevents cache poisoning attacks by allowing Web site operators to sign their domain names and corresponding IP addresses with digital signatures based on public-key cryptography, so that resolvers can verify the answers they receive.

DNSSEC works best when it is fully deployed across the Internet: from the root zone at the top of the DNS hierarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, Web sites remain vulnerable to Kaminsky-style attacks.

Also needed for DNSSEC adoption are ISP and enterprise networks that can resolve DNSSEC queries as well as browsers and other Web applications that inform users when validation fails.

Much of the DNS infrastructure is now ready to support DNSSEC queries, but ISPs and enterprises have been slow to adopt it.

The Internet's root zone was signed in mid-2010, which was the first step towards end-to-end DNSSEC deployment. Several key domains - including .gov, .org, .edu and .net - began cryptographically signing domains in 2010.
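As an added illustration, not part of the original article or of any real resolver's code, the Go program below models the chain of trust described above: a resolver's trust anchor for the root DNSKEY, a DS record in each parent linking to the child's DNSKEY, and an RRSIG over the final A record. Zone names and addresses are constructed, keys are generated fresh, and the record encoding is a toy stand-in for the DNS wire format.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// rrdata is the canonical byte string an RRSIG covers: owner name, type, value.
func rrdata(name, rrtype string, value []byte) []byte {
	return append([]byte(name+"|"+rrtype+"|"), value...)
}
// DS mirrors a DS record (digest type 2): SHA-256 over the child's owner name and DNSKEY.
func DS(name string, key ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name), key...))
	return h[:]
}
// Delegation is one link of the chain: the child's DS, the parent's RRSIG over it,
// and the DNSKEY the child zone serves (Ed25519, DNSSEC algorithm 15).
type Delegation struct{ Child string; ChildKey ed25519.PublicKey; DS, Sig []byte }
// Delegate is the parent's side of the chain: publish the child's DS and sign it.
func Delegate(parent ed25519.PrivateKey, child string, childKey ed25519.PublicKey) Delegation {
	ds := DS(child, childKey)
	return Delegation{child, childKey, ds, ed25519.Sign(parent, rrdata(child, "DS", ds))}
}
// Validate walks from the resolver's configured trust anchor (the root DNSKEY) down
// each delegation to the leaf A record; any broken link rejects the whole answer.
func Validate(anchor ed25519.PublicKey, chain []Delegation, name, addr string, sig []byte) bool {
	key := anchor
	for _, d := range chain { // DS must carry the parent's signature and match the child's key
		if !ed25519.Verify(key, rrdata(d.Child, "DS", d.DS), d.Sig) || !bytes.Equal(DS(d.Child, d.ChildKey), d.DS) {
			return false
		}
		key = d.ChildKey
	}
	return ed25519.Verify(key, rrdata(name, "A", []byte(addr)), sig)
}
// Demo signs a constructed root -> com. -> example.com. hierarchy with fresh keys and
// reports whether the genuine A answer and a poisoned one (address swapped) validate.
func Demo() (genuine, poisoned bool) {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	pub := func(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
	root, com, ex := gen(), gen(), gen()
	chain := []Delegation{Delegate(root, "com.", pub(com)), Delegate(com, "example.com.", pub(ex))}
	sig := ed25519.Sign(ex, rrdata("www.example.com.", "A", []byte("192.0.2.10")))
	genuine = Validate(pub(root), chain, "www.example.com.", "192.0.2.10", sig)
	poisoned = Validate(pub(root), chain, "www.example.com.", "198.51.100.66", sig)
	return
}
```

The poisoned answer fails because the swapped address no longer matches the RRSIG, and no intermediate resolver can produce a fresh signature without the zone's private key; this is the check that a validating resolver such as the one Comcast deployed performs on every signed answer.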
