Securing the DNS – Background information

As the pre-eminent identifier system of the Internet, it is important that the domain name system (DNS) functions effectively, efficiently, and correctly. DNS is used, chiefly, to translate commonly visible domain names (e.g., in website and e-mail addresses) to network addresses. In order to work on the scale of the global Internet, the DNS is necessarily a highly distributed system, with domain name holders arranging for the management of the translation of their domains to network addresses. While this highly distributed nature allows for the information to be updated close to the authoritative source (e.g., the domain name holder), it also means that any given name-to-address translation will require interactions with multiple independent servers outside of your network. For your browser to be able to reach www.google.com, you rely on a number of DNS servers to be configured properly, respond quickly, and to give your device up to date, correct information. You know what service you want to reach at that address, and Google Inc is certainly interested in ensuring you get there.

All of this works today, and has worked for years, because of general adherence to operational best practices for DNS services, and general goodwill of DNS operators to provide fast, efficient and effective DNS services. In general, much has been done to address DNS errors due to misconfiguration or software issues, and today’s overall Domain Name System service is quite robust. However, as the world’s commerce and government activities increasingly rely on the Internet as a critical foundation for their services, it becomes equally important that there is confidence that the network address you receive for a service is, in fact, the one that service wanted you to use. You want to be able to ensure that you have the authentic address for www.someservice.com — the one SomeService Inc intended you to have. It is this specific authentication step that is enabled through the use of "DNS Security" (DNSSEC) technology.

With DNSSEC, SomeService’s DNS entries (the domain name to address mappings) are cryptographically signed, and SomeService’s public key is published, so that your software can authenticate the result it gets back. If the authentication fails, you know that, through misconfiguration or malfeasance, the answer you got back may be wrong, and should not be trusted.

There is even more value than that in the authentication process. The DNS has largely worked reliably for years, but there are well known issues of Internet abusive activities including spam and phishing. The technologies and services being developed and deployed to detect and reduce the impact of these abusive activities will themselves rely on having reliable (authentic) results from the DNS.

While DNSSEC technology has been in development for over a decade, the Internet is now reaching an important milestone — DNSSEC is no longer an academic pursuit or a hypothetical service. Major gTLDs are adopting it, and there are plans to sign the root of the DNS by the end of 2010. These are required steps in order for individual domains to be able to adopt DNSSEC themselves. DNSSEC, like every other piece of Internet technology, is a building block: its use and ultimate success depend on what services are built with it. But, with these steps underway, Internet and commercial development can explore the possibilities made available within a more robust environment.

Frequently asked questions about DNSSEC

What is DNSSEC, exactly?

DNSSEC is an extension to the DNS specification that permits the cryptographic signing of DNS records, using public key technology. DNSSEC public keys are stored in the DNS, as well. Together, this allows DNS zone maintainers to provide signed DNS results, and DNS resolving software to authenticate the results. This does not prevent other forms of DNS issues — such as denial of service attacks on servers, misconfiguration, hijacking of responses, etc. However, in the latter case, it does allow the client resolver to ascertain whether the result received should be trusted, and act accordingly.
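As an added illustration of the mechanism described above and in the introduction (example code, not part of the original page): the zone signs a canonical form of a record set and publishes its public key, and a validating resolver checks the answer it receives against that key, so an altered answer fails. Ed25519 is DNSSEC algorithm 15 (RFC 8080); the `RRset` type, the text-based canonical encoding and the names used are simplifications assumed here in place of the RFC 4034 wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"sort"
	"strings"
)

// RRset models the records a zone publishes for one name and type, e.g. the A
// records of www.someservice.com. Real DNSSEC signs the canonical wire form of
// the RRset (RFC 4034); this simplified example signs a canonical text form.
type RRset struct {
	Name, Type string
	RData      []string
}

// canonical returns a deterministic encoding (owner name lower-cased, record
// data sorted) so signer and validator derive identical input.
func (r RRset) canonical() []byte {
	data := append([]string(nil), r.RData...)
	sort.Strings(data)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(data, ","))
}

// Zone holds the signer's key pair. PublicKey plays the role of the DNSKEY record,
// which DNSSEC publishes in the DNS itself (algorithm 15, Ed25519, RFC 8080).
type Zone struct {
	PublicKey  ed25519.PublicKey
	privateKey ed25519.PrivateKey
}

func NewZone() (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{PublicKey: pub, privateKey: priv}, nil
}

// Sign produces the RRSIG-equivalent that accompanies the RRset in answers.
func (z *Zone) Sign(rr RRset) []byte { return ed25519.Sign(z.privateKey, rr.canonical()) }

// Validate is the resolver side: the answer is checked against the published key.
// false means the answer was altered or mis-signed and must not be trusted,
// whether the cause is misconfiguration or a spoofed response.
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, rr.canonical(), sig)
}
```

A resolver that receives the same records in a different order or with different letter case still validates, because both sides canonicalise first; any change to the record data or the use of a key other than the published one fails.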

Why do we need DNSSEC? This is a fix – but is it broken?

Prior to the publication of the Kaminsky attack vector, it is fair to say that there was complacency in the Internet world as to the operation of the global DNS. Robust DNS server software is easily available. Support for configuration is available. Services are generally reliable. However, the Kaminsky attack demonstrated that there are real threat vectors for undermining the integrity of the DNS. DNSSEC does not provide a total answer to DNS security — operationally sound services are still required. However, as technologies increasingly rely on accurate and authentic results from DNS, the status quo of security is not sufficient.

But, it’s so complex! How will I ever deploy it?

Like all new Internet technologies, DNSSEC is different and requires different management routines and software for validating results. The impact of DNSSEC will not be felt overnight. However, as adoption increases, more tools and support materials will become available, and DNSSEC should appear no more complex than any other part of standard Internet technology.

What can I do, today?

There are several TLDs that are supporting DNSSEC today, as well as registrars. Check if yours does. If yes, you can sign your own zone(s) today. If not, it’s just a matter of time. If you are an Internet software or services developer, you should be exploring the appropriate support for reviewing results from queries against signed zones, and making use of this new data authentication ability.

So much to do! Is general DNSSEC deployment realistic?

Again, as with any new Internet infrastructure technology change, there are complexities to be worked out — in terms of ensuring appropriate configurations, treatment of results, best practices for operations and software. However, major TLDs and DNS software services are committed to ensuring this security technology is available. As with any deployment: the Internet will take it one step at a time, until we look back and wonder how we ever lived without it.

The Internet Society German Chapter e.V. (ISOC.DE e.V.) is a registered association that promotes the spread of the Internet in Germany and accompanies its development in both technical and societal respects.