It's been a long road for DNSSEC, but experts who are monitoring deployments of the DNS layer authentication technology across public and private top-level domains (TLDs) remain optimistic that it will gain traction later this year.
Domain name server security extensions will help block nasty DNS cache poisoning attacks, which have been targeting banks and individuals in recent years. A cybercriminal can use weaknesses in DNS to redirect domains, sending people to attack websites that serve up malware and drain bank accounts. But in interviews with SearchSecurity.com, experts said the trust gained through DNSSEC technology, which uses encryption keys to verify the identity and origin of domain names, could enable a whole new line of security services and products.
"We want security to work as reliably and invisibly as connectivity does and DNSSEC is the way to do that," said Dan Kaminsky, director of penetration testing services for IO Active. "In perfect world we could have strong security and strong authentication, not just between people in our own group, but between ourselves and people in other groups, and companies and other countries. That level of authentication is not able to be delivered today."
Many experts credit Kaminsky with helping provide the momentum needed to get DNSSEC supported by the organizations that administer the TLDs. A potentially dangerous DNS algorithm weakness that he discovered in 2008, helped raise awareness about DNS weaknesses.
"If we had deployed DNSSEC many, many years ago this wouldn't necessarily had been as much of a problem as it was," Kaminsky said. "We have a comprehensive flaw in Internet security today where as soon as you need to figure out trust across organizational boundaries, everything grounds to a halt."
The fix to Kaminsky's bug increased a 16-bit DNS transaction ID, set in 1983 so the odds of a successful malicious cache poisoning response increased from one out of 65,000 attempts to one out of about 2 billion attempts. Kaminsky calls the fix a Band-aid approach. As network traffic gets faster, it's easier for attackers to beat the odds, he said.
Once DNSSEC is in full use, Kaminsky said users shouldn't notice that digital signatures and encryption are in use in the background. When a website is called up, the DNS server will check for a valid signature and public encryption key to verify the website comes from its valid location.
The technology has had to overcome a lot of hurdles over the last decade. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization overseeing the deployment across the Root DNS zone, has ironed out many of the disagreements over how it will be deployed and how the encryption keys would be administered. Over the next several months, DNSSEC on the root zone is being deployed, with the expectation that it will be fully validated by July. The firms that administer the top-level domains are also actively testing and rolling out DNSSEC. The federal government appears to be on track with the .gov domains and VeriSign reports that it too is testing and upgrading its systems to handle the increased bandwidth that accompanies the technology. It said it was on target to have .com and .net TLDs signed and verified by the first half of 2011.
"Once the root is signed there is potentially that one trust anchor, the root key, which needs to be configured and managed rather than having hundreds and thousands of keys," said DNS expert Scott Rose of the National Institute of Standards and Technology (NIST). "That is all you would need to start the DNS chain of authentication all the way down to the domain name that you were looking for."
Experts say that another sign that the technology is gaining traction is the news that the first large ISP, Comcast Corp., is testing and readying its domain name servers in anticipation of supporting DNSSEC once it is fully deployed across the TLDs. More ISPs should follow once the Root zone is verified.
Experts learn from federal DNSSEC deployments
Rose is overseeing the Security Naming Infrastructure Pilot program, a project that is helping federal agencies test their deployments and correct any technical problems encountered by network administrators. DNSSEC has been a priority for many agencies since the federal government set a January 2009 deadline to have all outward facing DNS zones fully DNSSEC capable. The Federal Information Security Management Act (FISMA) has set a deadline for fully deployed DNSSEC in the federal government by September, Rose said.
So far there have been a number of technical errors and configuration issues, but Rose said that deployments have been fairly smooth. Most technical issues can be solved rapidly, he said. For example, validation failures occur when the network administrator changes the keys but forgets to clear the system caches, Rose said.
Costs associated with deployments are also being reigned in, Rose said. Some older domain servers can't handle the increased bandwidth and encryption algorithms used to resolve domain names and must be replaced. Some firewalls will require configuration changes or software upgrades, Rose said. Other federal agencies are budgeting more for DNSSEC, using the technology deployment as an opportunity to modernize the entire network, he said.
The tools available to address the configuration issues that could occur during a DNSSEC deployment are also getting better, according to Kaminsky. A lot of vendors are developing tools and methods to automate the process, which will later be used in the private sector, Kaminsky said.
"We're seeing a steady push towards automation, ease of use and a reduction of the cost of deployment," Kaminsky said. "There are new products coming out every day that make this much more realistic to deploy for real world large scale networks."
Vendors see opportunity in enterprise upgrades
Although most experts say many companies shouldn't have to endure any costly rip and replace projects, some large enterprises may be dusting off their old domain servers and determining a need for new equipment, said DNS expert Cricket Liu, vice president of architecture at Santa Clara, Calif.-based Infoblox Inc., a DNS appliance vendor. Liu said some organizations will want to gain more visibility into their systems by having a graphical user interface to monitor and manage DNS changes, rather than using a command line interface.
"You don't want to have to demand a super high level of DNSSEC to administer a signed zone," Liu said. "The baseline tools that you get with the most common implementations like BIND and Microsoft DNS server are still command line based."
Many people don't administer name servers from the command line anymore, Liu said, and some large enterprises considering DNSSEC deployments could be overwhelmed by the complexity of the available tools. Administering DNSSEC can also be an issue. Every time a zone changes or if a zone expires, it must be re-signed. Keys to zones have to be replaced periodically for security reasons.
Enterprises that outsource management of their authoritative name servers will likely have an easier time supporting DNSSEC. Larger companies that run their own internal DNS infrastructure – both recursive and authoritative DNS -- may need a team of experts to upgrade systems to support DNSSEC, Liu said. Infoblox is teaming up with Seatlle-based F5 Networks Inc., an appliance vendor that provides load balancing features, to handle network upgrades at large enterprises. Other companies lining up to provide DNSSEC services include Afilias Ltd., Dynamic Network Services Inc., NeuStar, Inc., and Secure64 Software Corp.
Nathan Meyer, product manager at F5, said the benefits in upgrading systems during the deployment will be policy automation and key management. F5, a mid-level enterprise has over 100 different zones making it a fairly daunting task, Meyer said.
"The task of managing each zone individually with individual keys and maintaining all the roll over periods would be a very daunting task," Meyer said.