Will 2012 be the dawn of DNSSEC?
Cybersecurity experts are urging IT departments to invest in DNSSEC before a high-profile attack occurs
By Carolyn Duffy Marsan | Network World US | Published: 15:33, 19 January 2012
Will 2012 be the year when retailers, banks and content providers finally bolster their DNS systems with an add-on security measure that prevents website spoofing? That's what advocates of the security measure - dubbed DNSSEC for Domain Name System Security Extensions - are hoping will occur.
Cybersecurity experts are urging IT departments to invest in DNSSEC now - before a high-profile attack occurs that could have been prevented by readily available DNSSEC-compliant appliances, software and services.
Already, the new year has brought one major DNSSEC announcement: Comcast said last week that it was the first ISP in North America to provide resolution services for DNSSEC queries.
At issue is whether the Comcast announcement will spark action by rival ISPs, website operators, enterprises and software developers to invest in readily available solutions to a gaping problem in the DNS.
"We're at the early stages of DNSSEC deployment," admits Matt Larson, vice president of DNS Research at Verisign, which operates the .com, .net and .gov domains that all support this emerging security standard. "DNSSEC is not on anybody's radar screen yet. There has not been a security event that people have seen that has spurred on adoption."
"We believe DNS security will become more important in the coming year," says Richard Jimmerson, director of the Internet Society's new online resource Deploy360 that provides practical information about deploying DNSSEC. "If you're serving up information on the web, you want to make sure that your customer, client or visitor is getting what you intended. We see more examples of fraudulent commerce and hijacking of content. This is becoming much more of a problem."
What is DNSSEC?
DNSSEC solves what's called the Kaminsky vulnerability, a fundamental flaw in the DNS that was disclosed in 2008. This flaw makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.
DNSSEC prevents cache poisoning attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
DNSSEC works best when it is fully deployed across the internet: from the root zone at the top of the DNS heirarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, websites remain vulnerable to Kaminsky-style attacks.
Also needed for DNSSEC adoption are ISP and enterprise networks that can resolve DNSSEC queries as well as browsers and other web applications that inform users when validation fails.
Much of the DNS infrastructure is now ready to support DNSSEC queries, but ISPs and enterprises have been slow to adopt it.
The internet's root zone was signed in mid-2010, which was the first step towards end-to-end DNSSEC deployment. Several key domains - including .gov, .org, .edu and .net - began cryptographically signing domains in 2010.
Most significantly for U.S. businesses, Verisign began signing .com in March of 2011. The .com domain is the most popular domain in the Internet, representing about 45% of the Internet's 220 million registered domain names.
But only a few e-commerce companies have upgraded their Web sites to support this security standard. One DNSSEC pioneer is PayPal, which announced in December that it is signing all of its domains.
Verisign estimates that there are only 5,500 signed .com names and 2,000 signed .net names out of a total pool of 112 million registered .com and .net names. That means only .006% of all .com and net names have adopted DNSSEC as of January 2012.
Another key component for widespread DNSSEC deployment is adoption by domain name registrars. For example, GoDaddy said last March that it could support DNSSEC for the 51 million domain names that it manages.
"As of January 1, 2012, there were 41 ICANN-accredited registrars that had enabled DNSSEC for at least one of the .com or .net domains they are responsible for,'' Larson said, adding that Verisign offers free signing services to its registrars to encourage them to adopt DNSSEC.
All of this means that the necessary internet infrastructure pieces are in place for most US companies to adopt DNSSEC - but they haven't deployed it yet.
"Very few people are in a position where they have a domain that they want to sign and can't," Larson admitted.
Larson added that US businesses also are slow at adopting DNSSEC on their recursive DNS servers, which process DNS lookups for their employees.
"ISPs and enterprises are not validating DNSSEC queries," Larson said. "There's a lack of awareness that we are seeing among ISPs and enterprises that run their own DNS recursive servers. People don't perceive a pressing need."
Comcast leads DNSSEC charge
One company that's bucking the trend is Comcast, which said last week that it is providing DNSSEC resolution services to all of its 20 million residential customers in the United States.
"For a year or two, we've been hearing that it's a chicken-and-egg problem with DNSSEC deployment," says Jason Livingood, vice president of Internet Systems with Comcast. "There wasn't an incentive for companies to sign their domain names without eyeball networks having resolvers. We are offering a certain amount of scale in terms of breaking that chicken-and-egg problem and getting some momentum in DNSSEC."
The Comcast news that it is supporting DNSSEC is "huge," Larson says. "It's very significant because it shows that the biggest ISP in the US can enable DNSSEC and the world didn't end. There's a worry that DNSSEC will bury help desks in issues, but that hasn't happened."
Comcast uses DNS software from Nominum for its DNSSEC services. Comcast said it has been working on its DNSSEC deployment since 2008, when the Kaminsky vulnerability became well known.
Livingood says Comcast's DNSSEC upgrade wasn't that expensive but required engineering time for software upgrades and testing. He says Comcast deployed DNSSEC at the same time as it was upgrading its DNS infrastructure to support IPv6, the next-generation of the Internet Protocol.
"We significantly upgraded the entire DNS infrastructure over the past two years - hardware, software and network connectivity - both to handle DNSSEC and generally speaking larger packet sizes as well as IPv6," Livingood says. "We deployed very, very carefully because we are such a large and high-volume DNS platform. Even a small increase in query response time could result in our customers feeling like the internet was slow."
The DNSSEC upgrade is transparent to end users, Comcast says. "The customer doesn't need to know about all the technology that goes on behind-the-scenes. They just need to know they are secure," Livingood says.
Vendor announcements related to DNSSEC are on the rise, too:
- BlueCat Networks, a DNS appliance vendor, announced earlier this week that it is advising the UK government on how best to cryptographically sign its 1,000 domain names using DNSSEC.
- Infoblox said on January 10 that it had integrated a hardware module from Thales e-Security, a leader in cryptographic key management, into its DNS appliances to ease DNSSEC deployments.
"DNSSEC is a new market for us" says Richard Moulds, vice president of product management at strategy at Thales. "DNSSEC is a new application for public key encryption. Crypto keys are being introduced into the DNS, and those keys need to be protected and managed, and that's what we do."
Moulds says he's seen rising interest in DNSSEC-related applications for Thales' high-assurance key management products in the last six months, since the .com domain was signed. He says it's possible that DNSSEC will take off dramatically in 2012.
"SSL went from unheard of to the default mechanism for web privacy in about one year flat in the late 1990s," Moulds says. "We could be at the cusp of a similar deployment curve for DNSSEC if it becomes the default mechanism for integrity on the web."
What's next for DNSSEC?
In order for DNSSEC to be more widely adopted, experts say that web browsers need to support the standard, too. This would allow end users to get pop-up messages when they try to visit a website that can't be verified via DNSSEC.
Currently, Firefox offers a DNSSEC plug-in and Google's Chrome 14 offers experimental DNSSEC authentication.
"The next frontier is to integrate DNSSEC into the security indicators of browsers," Livingood says.
One sign that DNSSEC adoption is inevitable for ISPs and enterprises is that the emerging security standard is required for the hundreds of new top-level domains that are being considered by the Internet Corporation for Assigned Names and Numbers (ICANN).
"DNSSEC is the new minimum that's expected for domain name registrars,'' Larson says, adding that Verisign will start cryptographically signing the .cc and .tv domains in 2012.
ISPs and enterprises that choose not to adopt DNSSEC in 2012 will remain vulnerable to Kaminsky-style attacks, cybersecurity experts warn.
"To some extent, this has been an issue of: Why should we sign if no one can validate the signatures?" Livingood says. "Now that almost 20 million households can validate, it starts to change that calculus."