Domain Name System Security Extensions (DNSSEC) is a set of extensions to the DNS that adds authentication to domain name records, so that resolvers can verify the records are genuine and have not been tampered with. This prevents attackers from forging DNS records in an attempt to redirect people to fake, phishing or criminal sites.

How Does DNSSEC Work?

DNSSEC helps protect the Internet by digitally ‘signing’ the data in DNS records so that its validity can be checked. For DNSSEC to scale, each step in the lookup must be secured, from the root zone all the way down to the final domain name managed by the registrant (e.g. www.google.com). While DNSSEC does not encrypt data, it does attest to the validity of the domains that consumers visit. DNSSEC does not change any existing Internet addressing protocols; it merely incorporates a chain of digital signatures into the DNS hierarchy, with a signature-generating key at each level.
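The chain described above, as an added example that is not part of the original article and not a real DNSSEC implementation: a toy three-level hierarchy (root, com, example.com) in which every zone has its own signing key, each parent vouches for its child's key by publishing a hash of it (the DS record), and a validator walks from a configured root trust anchor down to the answer, rejecting it if any link or signature fails. Ed25519 keys, the single key per zone, the one-signature-per-zone simplification, the record names and the 192.0.2.10 / 198.51.100.99 addresses are all constructed for illustration; real DNSSEC uses DNSKEY/DS/RRSIG/NSEC records with their own wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Zone is one level of the hierarchy in this toy model: its name, a single
// Ed25519 key pair (real DNSSEC separates KSK and ZSK and supports several
// algorithms), the records it serves, the DS hashes of its children, and one
// signature covering everything it publishes (standing in for RRSIGs).
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string   // "owner type" -> rdata, e.g. "www.example.com. A" -> "192.0.2.10"
	DS      map[string][32]byte // child zone name -> SHA-256 of the child's public key
	Sig     []byte
}

// NewZone creates a zone with a freshly generated key pair.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv,
		Records: map[string]string{}, DS: map[string][32]byte{}}
}

// canonical serialises the signed content in a fixed order so that the signer
// and the validator hash exactly the same bytes.
func (z *Zone) canonical() []byte {
	var lines []string
	for k, v := range z.Records {
		lines = append(lines, "RR "+k+"="+v)
	}
	for c, h := range z.DS {
		lines = append(lines, fmt.Sprintf("DS %s=%x", c, h[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Delegate publishes a DS record for child: the parent signs a hash of the
// child's key, which is the link that joins one level of the chain to the next.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = sha256.Sum256(child.Pub) }

// Sign produces the zone's signature; call it after all records and
// delegations are in place, and again whenever the content changes.
func (z *Zone) Sign() { z.Sig = ed25519.Sign(z.priv, z.canonical()) }

// Validate walks chain (root first) the way a validating resolver does: the
// root key must match the configured trust anchor, every lower zone's key must
// match the DS its parent signed, and every zone's signature must verify.
// Only then is the requested leaf record returned.
func Validate(anchor ed25519.PublicKey, chain []*Zone, rrname string) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	expect := sha256.Sum256(anchor)
	for i, z := range chain {
		if sha256.Sum256(z.Pub) != expect {
			return "", fmt.Errorf("%s: key does not match DS/trust anchor", z.Name)
		}
		if !ed25519.Verify(z.Pub, z.canonical(), z.Sig) {
			return "", fmt.Errorf("%s: signature verification failed (bogus)", z.Name)
		}
		if i == len(chain)-1 {
			break
		}
		ds, ok := z.DS[chain[i+1].Name]
		if !ok {
			// A real resolver needs a signed NSEC/NSEC3 proof that no DS exists
			// before treating the child as insecure; this toy simply fails.
			return "", fmt.Errorf("%s: no DS record for %s", z.Name, chain[i+1].Name)
		}
		expect = ds
	}
	v, ok := chain[len(chain)-1].Records[rrname]
	if !ok {
		return "", fmt.Errorf("%s: record not found", rrname)
	}
	return v, nil
}

// BuildChain constructs the root -> com -> example.com hierarchy with one
// constructed A record, signs each level (children first), and returns the
// root public key as the trust anchor together with the chain.
func BuildChain() (ed25519.PublicKey, []*Zone) {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	ex.Records["www.example.com. A"] = "192.0.2.10" // constructed (documentation range)
	com.Delegate(ex)
	root.Delegate(com)
	ex.Sign()
	com.Sign()
	root.Sign()
	return root.Pub, []*Zone{root, com, ex}
}

func main() {
	anchor, chain := BuildChain()
	v, err := Validate(anchor, chain, "www.example.com. A")
	fmt.Println("intact chain:", v, err)
	chain[2].Records["www.example.com. A"] = "198.51.100.99" // altered after signing
	_, err = Validate(anchor, chain, "www.example.com. A")
	fmt.Println("altered record:", err)
}
```

Running it shows the intact chain returning 192.0.2.10, while the same lookup fails once the record is altered without the zone key re-signing it. The test below also checks that a freshly keyed example.com zone, correctly signed with its own key but not vouched for by the parent's DS, is rejected: the parent-to-child hash is what prevents substituting an arbitrary key for a zone.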

How Will This Secure the Internet for Users?

DNSSEC will ensure that end users are actually directed to the sites they intend to visit and the services associated with them. While this will not solve all Internet security issues, it protects the directory lookup, which is a critical piece. This level of protection complements other technologies such as Secure Sockets Layer (SSL), which lets client/server applications further validate the end site and communicate without eavesdropping, and it opens the door for further developments in Internet security.

Why isn’t DNSSEC used everywhere already?

Education, speed, cost, and complexity have all affected the rate of DNSSEC adoption. First, the large gap in domain security was only made widely understood recently, by Internet security researchers who publicized just how serious the vulnerability is and what it means for the Internet. Second, the complexity of the cryptography involved allows for more misconfigurations than with a non-secured domain. Third, signing DNS records produces output that requires more bandwidth, because DNSSEC records are quite large compared to other DNS records. Fourth, for infrastructure providers such as the top-level registries and large ISPs, DNSSEC deployment is a huge undertaking, while demand for it is not yet high enough to justify the cost. Fifth, ISPs need to update and configure their recursive resolvers to understand DNSSEC. And finally, end-user applications need to be made available that understand which domains are secured. These six issues have led to slow deployment of a core Internet service.
