Intelligent Machines

DNS Security Protocol Gains Momentum

Secure Internet-address-lookup technology readied for .net and .com domains.

Technologists advocating better security for the domain name system (DNS) have frequently predicted that the technology would be deployed in the next two to five years. That these predictions have gone on for a decade and a half has become an inside joke in the industry.

The advocates may finally have their day. On Monday, the company that manages the .com and .net registries, VeriSign, will announce its strategy to incrementally test and deploy DNS Security (DNSSEC) by the first quarter of 2011 for the two top-level domains. The Internet Corporation for Assigned Names and Numbers (ICANN)–the organization that coordinates among owners of Internet infrastructure–has already announced that it will kick-start the process by creating the top-level key for verifying domain names on December 1.

The two fundamental steps give DNSSEC a much-needed boost, says Joe Waldron, director of product management for VeriSign.

“I think we are at an inflection point,” he says. “Between now and 12 to 18 months from now, you will see a significant amount of adoption across registries, registrars, Internet service providers, and domain-name holders.”

The domain-name system is a foundation on which the Internet is built. DNS servers translate easy-to-understand domain names, such as technologyreview.com, into the numerical Internet addresses used by computers and networking devices to communicate with one another. DNSSEC adds data to the domain records, inserting cryptographic information that can be used to verify that an address is a valid destination for a domain.

Yet, because DNSSEC requires changes to the servers and software that manage fundamental components of the Internet, companies and organizations have resisted adopting it.

“There was a lot of concern, for example, in the late 1990s about cache-poisoning attacks,” said Dan Kaminsky, director of penetration testing for IOActive, a Seattle-based security services firm. “A lot of people said we had to do something about it, but we didn’t do anything.”

In addition, the management of the cryptographic keys needed to validate entries in the domain-name system is complicated. Every domain’s key has to be validated, or signed, by another key higher up the chain of trust. Dot-com domains will be validated by the key VeriSign is deploying. This will in turn be validated by the root zone’s key-signing key. ICANN, with the U.S. Department of Commerce and VeriSign, will manage that master key.

Kaminsky has likely added some impetus to the movement toward DNSSEC. In 2008, a serious bug found by the researcher spurred the industry to work together to deploy a work-around to enhance DNS security. The vulnerability allowed an attacker to spoof DNS entries so that a person surfing the Internet would believe, for example, that they were going to their bank, but in reality were giving their username and password to data thieves. The industry banded together to deploy patches; however, they were a stopgap measure, not a real solution.

While other methods of securing the domain-name system have been proposed, none have had the attention and testing that DNSSEC has had. Kaminsky believed in the necessity of DNSSEC. In 2009, he became an evangelist, talking to anyone who would listen in an attempt to speed the adoption of DNSSEC.

Kaminsky “made people realize that there are a lot of flaws in DNS that they didn’t think about before,” says Keith Mitchell, director of engineering for the Internet Systems Consortium, a nonprofit that develops the most popular DNS software, known as the Berkeley Internet Name Daemon, or BIND. “And DNSSEC is pretty much the only game in town to solve these issues.”

With the creation of the key-signing key on December 1, ICANN will establish the foundation of the DNSSEC infrastructure. The maintainers of top-level domains will be able to sign other domains for which they are responsible. The creation of the master key simplifies the management of secure DNS servers and establishes the beginning of a hierarchy of trust.
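The link in the hierarchy described here and above (a parent zone vouching for a child zone's key) is made concrete below as an added example that is not from the article, VeriSign or ICANN: a parent publishes a DS record that is a hash of the child's key-signing key, and a validating resolver checks that the child's DNSKEY matches it before trusting anything the child signs. The key bytes and the example.com owner name are constructed for illustration; the RRSIG signature check that binds each DS to the parent's own key is the other half of validation and is not modelled.

```python
# Added example: a DNSSEC DS record pinning a child zone's key-signing key (KSK),
# per RFC 4034 (key tag: Appendix B; DS digest: section 5.1.4) with SHA-256,
# i.e. DS digest type 2. All key bytes are constructed, not real zone data.
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum resolvers use to pick a key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> dict:
    """DS RDATA the parent publishes: SHA-256 over owner wire name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validating resolver checks before trusting a child zone's DNSKEY."""
    if ds["digest_type"] != 2 or ds["algorithm"] != rdata[3]:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])

# Constructed KSK for example.com: flags 257 (SEP bit set), protocol 3, algorithm 13.
EXAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 9)))
EXAMPLE_DS = ds_record("example.com.", EXAMPLE_KSK)   # what .com would publish

if __name__ == "__main__":
    print("key tag:", EXAMPLE_DS["key_tag"], "digest:", EXAMPLE_DS["digest"].hex())
    print("genuine key accepted:", ds_matches_dnskey(EXAMPLE_DS, "example.com.", EXAMPLE_KSK))
    tampered = EXAMPLE_KSK[:-1] + b"\x00"   # one byte of the key swapped, as a spoofer would
    print("tampered key accepted:", ds_matches_dnskey(EXAMPLE_DS, "example.com.", tampered))
```

A real resolver repeats this DS-to-DNSKEY check at every level down from the root trust anchor, which is why creating the root key-signing key establishes the top of the hierarchy.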

“This is a critical piece of the puzzle that has been missing for some time now,” Mitchell says. “Up to now, there has been no trust banker at the root, which has been a problem.”

VeriSign is not the first to deploy DNSSEC in a top-level domain. Sweden implemented the security technology, signing the “.se” zone key in 2005. Earlier this year, the Public Interest Registry signed the zone key for .org.

VeriSign plans to take the deployment of DNSSEC slowly, starting with small pilot projects, helping registrars and ISPs test their implementations, and then moving to more ambitious implementations, the company says. The key, however, is not to break any applications on the Internet, says Waldron.

“We want to make sure that registrars do what they have to do to make the service available to their customers,” he says. “Almost every component of Internet infrastructure is impacted by the deployment of DNSSEC. So you don’t want to rush this out. Minimizing any incidents is a priority.”
