DNS security reaches 'key' milestone

Virginia event is precursor to DNSSEC roll-out on the root zone

The dream of bolting security onto the Internet's Domain Name System takes one step closer to reality Wednesday as Internet policymakers host a ceremony in Northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet's root zone.

The dream of bolting security onto the Internet's Domain Name System takes one step closer to reality Wednesday as Internet policymakers host a ceremony in northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet's root zone.

This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet's root zone. DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

80% of government Web sites miss DNS security deadline

"The key ceremony will generate the master root key, the key that signs all the other keys," explains Ken Silva, CTO of VeriSign, which operates two of the Internet's 13 root servers along with the back-end systems that power the .com and .net top-level domains. "This is being done a month before the actual roll-out of DNSSEC so that we have a valid key and that we can test with it."

DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

Today's key ceremony is being hosted by the Internet Corporation for Assigned Names and Numbers (ICANN) in a secure data center in Culpeper, Va., outside of Washington, D.C. A similar key ceremony will take place in Los Angeles in early July.

The key ceremony will demonstrate the set of procedures that the Internet engineering community has created to generate and store keys for the root zone in a secure way. Attendees will include ICANN staff and DNS experts from around the world. The key generation and storage process will be audited.

"People from all over the world will be part of the process of creating the key for the top level of the DNS," explains Steve Crocker, an Internet security expert and CEO of Shinkuro. "They will witness and be able to report that the proper procedure was carried fairly and scrupulously."

The two key ceremonies are among the last steps before production-scale deployment of DNSSEC on the root zone, which is scheduled for July 15.

Between now and July 15, the root server operators will conduct additional testing of DNSSEC.

"We're testing as many possible corner cases that we can imagine," Silva says. "We're trying to test every permutation of key sizes, key roll-over, key expiration and all those kinds of issues. We're testing to see how the system responds and whether our monitors and detection can catch those sorts of things."

Silva says the testing is going well, thanks to new monitoring capabilities that were added to the root servers.

"We've very pleased with the additional monitors that we put in the root infrastructure," Silva says. "There are a lot more parts in the root zone now. We have keys in there. We have trust anchors in there. There's a lot of new material in the root zone, and the traditional monitors were making sure that names were consistent and the syntax was right. Now we have additional information, so we've expanded the monitors to look for expired keys, invalid keys, keys that have not been properly signed and all of those kinds of things."

Kaminsky bug drives DNSSEC

DNSSEC has gained a groundswell of support since the Kaminsky bug was discovered in 2008.

A handful of countries — including Sweden, the Czech Republic, Puerto Rico, Bulgaria and Brazil — already support DNSSEC on their country-code domains as does the .org domain for non-profit organizations.

The U.S. federal government is in the midst of deploying DNSSEC on the .gov domain. Next up are .edu, which will be cryptographically signed in July, followed by .net in November and .com in March 2011, VeriSign said. Once the root zone is signed, top-level domains that support DNSSEC can offer end-to-end security to their Web site operators.

"We expect a flurry of activity as people in Sweden, Brazil and other countries deploy DNSSEC," Silva says. He adds that as much as 50% of DNS queries can support the DNSSEC standard due to default settings on popular DNS software.

So far, Internet security experts have seen no technical roadblocks to the deployment of DNSSEC from the root servers on down.

"It's been pretty smooth," Crocker says of the DNSSEC roll-out on the root servers. "I haven't heard of any issues" that would delay deployment of DNSSEC on .com or .net.

Learn more about this topic

DNS remains vulnerable one year after Kaminsky bug

How DNS cache poisoning works

Experts to Feds: Sign the DNS root ASAP

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)