Eventually, the system could be a foundation for browser-based blocking or warnings—and for verifying who sent e-mails or authored a document. “DNSSEC will confirm for us the name of the site that I’m dealing with, and that becomes a fact that browsers can take advantage of to help mitigate against certain kinds of phishing attacks,” says James Galvin, director of strategic relationships and technical standards at Afilias, an Internet infrastructure provider. “But that’s a place we have to get to, and we aren’t there.”
Richard Lamb, the architect for DNSSEC deployment at ICANN, the Internet Corporation for Assigned Names and Numbers, says that in the long run, DNSSEC could enhance Internet security enormously. “How [warnings] will get displayed to end users is still in discussion, but in the long term, the end user will be that much more secure—because they won’t be able to get to a site that’s not been validated,” he says. In later iterations of the system, he says, “when you get e-mail from a random person, you could verify not just the address but the actual person, through a cryptographic handshake.”
In the view of some experts, though, Congress will undermine DNSSEC if it passes a bill now under consideration. Under the proposed legislation, if an Internet service provider receives a court order to block websites peddling stolen media or counterfeit pharmaceuticals, it will be required to redirect a Web user attempting to visit such a site to a takedown notice instead of the site's real address.
Such redirection is exactly what DNS attackers try to do, and exactly what DNSSEC is designed to prevent: a validating resolver checks every answer against the zone's cryptographic signature, and an answer whose address has been substituted fails that check regardless of whether a criminal or a court order put it there. “If we end up with legislation on that point, it will be impossible to do end-to-end DNSSEC because it will be illegal in some cases,” says Vixie, who is a co-signer of a report blasting the bill.
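To make that point concrete, here is an added example (not code from the article, from ICANN, Afilias, or any of the people quoted) that models DNSSEC signing and validation in Go. It uses Ed25519, which DNSSEC defines as algorithm 15, but the canonical serialisation is a simplified stand-in for the real RFC 4034 wire format, the keys are derived from fixed seeds, and the zone name and addresses are constructed for illustration. The zone signs its A record; a resolver then validates three answers: the genuine one, a redirected one that keeps the original signature, and a redirected one re-signed by the ISP with a key the resolver does not trust.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record. DNSSEC signs whole RRsets (all records sharing
// an owner name and type), so a signature covers name, type, TTL and rdata.
type RR struct {
	Name  string // owner name, e.g. "www.example.com."
	Type  string // record type, e.g. "A"
	TTL   uint32
	Rdata string // for an A record, the IPv4 address
}

// canonical serialises an RRset so signer and validator compute the same
// bytes: owner names lower-cased, records sorted, each record length-prefixed.
// This is a simplified stand-in for the RFC 4034 canonical form, not that format.
func canonical(rrs []RR) []byte {
	recs := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		recs = append(recs, fmt.Sprintf("%s\x00%s\x00%d\x00%s",
			strings.ToLower(rr.Name), rr.Type, rr.TTL, rr.Rdata))
	}
	sort.Strings(recs)
	var buf bytes.Buffer
	for _, r := range recs {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(r)))
		buf.Write(n[:])
		buf.WriteString(r)
	}
	return buf.Bytes()
}

// Sign is the zone operator's step: an RRSIG-like signature over the RRset
// with the zone's private key (Ed25519 is DNSSEC algorithm 15, RFC 8080).
func Sign(zoneKey ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(zoneKey, canonical(rrs))
}

// Validate is the validating resolver's step: check the answer it received
// against the signature using the zone's public key. A real resolver obtains
// that key as a DNSKEY authenticated through the chain of trust from the root.
func Validate(zonePub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(zonePub, canonical(rrs), sig)
}

// Result records what the resolver concluded for each answer it was handed.
type Result struct {
	GenuineValidates  bool // the zone's own answer with the zone's signature
	RedirectValidates bool // address swapped, original signature kept
	ResignedValidates bool // address swapped, signed with the ISP's own key
}

// Demo runs the three cases. Keys come from fixed seeds and the zone name and
// addresses are constructed for illustration only (assumptions, not real data).
func Demo() Result {
	zoneKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	ispKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	zonePub := zoneKey.Public().(ed25519.PublicKey)

	// What the authoritative zone publishes and signs.
	genuine := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, Rdata: "192.0.2.10"}}
	sig := Sign(zoneKey, genuine)

	// A court-ordered (or malicious) redirect: same name, different address.
	redirect := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, Rdata: "198.51.100.1"}}

	return Result{
		GenuineValidates:  Validate(zonePub, genuine, sig),
		RedirectValidates: Validate(zonePub, redirect, sig),
		ResignedValidates: Validate(zonePub, redirect, Sign(ispKey, redirect)),
	}
}

func main() {
	r := Demo()
	fmt.Printf("genuine answer validates:        %v\n", r.GenuineValidates)
	fmt.Printf("redirected answer validates:     %v\n", r.RedirectValidates)
	fmt.Printf("ISP-resigned redirect validates: %v\n", r.ResignedValidates)
}
```

Only the genuine answer validates. The resolver cannot tell a court-ordered substitution from a cache-poisoning attack, because both produce the same symptom: an RRset whose signature no longer verifies under the key the chain of trust vouches for. A real validating resolver answers SERVFAIL in that case rather than handing the client the substituted address, so an ISP that must deliver the takedown page has to stop validating for that name, which is the conflict the article's experts describe.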
Even if DNSSEC is fully implemented, it’s no panacea. However, Galvin says, “everything we do on the Internet depends on the DNS, so DNSSEC becomes the foundation for a safer and more secure Internet.”
Meanwhile, users will just have to remember to stop and think before they click. “Technology can take you pretty far, and the technology will improve, and DNSSEC can help,” says Galvin. “But as a practical matter, users do have to take ownership of what happens to them. The best we can hope to achieve is to reduce” their risk.