SAN FRANCISCO -- Security pros considering supporting DNSSEC for their domains understand the authentication improvements associated with the new protocol, but aren't sure their organizations are ready to support the transition.
A panel of experts on Tuesday attempted to allay those concerns at RSA Conference 2011. DNSSEC, the DNS Security Extensions, is a set of protocol extensions that add digital signatures to Domain Name System (DNS) records; the signing keys are published in DNS itself and chained from the root zone down through each delegation, so a validating resolver can check that an answer is the one the zone owner actually published. The networking experts behind the protocol have been making steady progress, digitally signing the DNS root zone last year. Since then, government agencies have been slowly rolling out DNSSEC support; the .org and .net top-level domains already support the protocol, and it will soon be extended to .com.
At least one RSA Conference attendee, based at a major telecommunications firm in Canada, questioned how he could justify the investment in new equipment designed to handle the protocol. (Signed responses carry additional signature and key records, so DNSSEC consumes more bandwidth, and responses that exceed the traditional 512-byte UDP limit are mishandled by some legacy firewalls and resolvers.) "It really seems to be very early to justify the expense and the problems of going about it so soon," he said.
Security experts had long known about the weaknesses inherent in the DNS protocol, but the issues became prominent when network security expert Dan Kaminsky disclosed a serious cache poisoning bug in 2008. The vulnerability let an attacker who could forge responses to a recursive resolver redirect requests for legitimate domains to malicious websites, exposing users to phishing and other impersonation attacks. A massive coordinated patch release by multiple DNS vendors followed the public disclosure; the patch added source port randomization to make forged responses harder to guess, but Kaminsky and others stressed that it was only a temporary fix to the problem.
Kaminsky, formerly of IOActive Inc., is now focusing on his start-up, New York-based Recursion Ventures, which plans to roll out security technologies built on DNSSEC.
Supporting DNSSEC is a permanent fix for the cache poisoning bug, but more importantly it could enable new authentication methods that make transactions over the Internet much more secure, he said. Essentially, it provides an additional layer of assurance. Email, for example, works because it uses DNS to find the mail server for a destination domain, but it cannot currently rely on DNS to learn which key to use for that additional level of authentication, Kaminsky said.
"The larger ROI is linked to many security technologies that just don't work. Smart cards don't scale, secure email does not scale. A lot of this technology does not scale across organizational boundaries," Kaminsky said. "All of these secure technologies have not been scaling because they haven't been using our most effective technology for scaling. DNSSEC changes that, but you have to have the environment set up to use it and that's what the ROI involves."
Once the .com top-level domain is signed, enterprises should start experimenting with DNSSEC deployments as soon as possible, said Paul Mockapetris, the inventor of DNS and chairman and chief scientist of Nominum Inc., a firm that sells DNS and DHCP servers and an IP name and address management system. The value will be in the increased security DNSSEC provides, but Mockapetris admitted that some companies may initially run into installation issues.
"DNSSEC is much more of a security answer than source port randomization is," Mockapetris said. "There are going to be false positives and organizations need to make sure their DNS software is updated."
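The guessing race that Kaminsky's 2008 bug exploited, and why the source port randomization patch that Mockapetris contrasts with DNSSEC above only raises the attacker's cost rather than removing it, can be put in numbers. The following is an added illustration written for this page, not code from the conference, Recursion Ventures or Nominum; the forged-packet count and the 16-bit estimate for port randomization are constructed assumptions, not measurements.

```python
"""Model of the cache-poisoning race between a spoofing attacker and a
recursive resolver, and of how much source port randomization buys.

Added illustration for this page; not code from any DNS vendor or speaker.
Packet counts below are constructed assumptions.
"""
import random

TXID_BITS = 16   # DNS transaction ID: 16 bits, always present
PORT_BITS = 16   # roughly 16 extra bits if the resolver randomizes its UDP source port


def p_hit_per_query(forged_replies: int, entropy_bits: int) -> float:
    """Probability that at least one of `forged_replies` spoofed answers matches
    the resolver's outstanding query during a single race window.  Each forged
    reply guesses the secret (TXID, or TXID+port) uniformly at random."""
    space = 1 << entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_queries_to_poison(forged_replies: int, entropy_bits: int) -> float:
    """Expected number of race windows before a forged reply is accepted."""
    return 1.0 / p_hit_per_query(forged_replies, entropy_bits)


def simulate_race(entropy_bits: int, forged_replies: int, seed: int,
                  max_queries: int = 1_000_000):
    """Seeded Monte-Carlo run of the race.  Returns the 1-based index of the
    window in which the resolver accepted a forged reply, or None if the
    attacker failed within `max_queries` windows.

    Kaminsky's 2008 refinement is built in: in every window the resolver is
    made to look up a fresh, never-cached name (e.g. <random>.example.com), so
    the attacker never waits for a cached answer's TTL to expire and gets a new
    race immediately.  One hit lets the forged reply carry authority records
    that poison the whole zone, not just the throwaway name."""
    rng = random.Random(seed)
    space = 1 << entropy_bits
    for window in range(1, max_queries + 1):
        secret = rng.randrange(space)            # resolver picks TXID (and port)
        for _ in range(forged_replies):          # attacker floods guesses
            if rng.randrange(space) == secret:
                return window
    return None


def compare_mitigations(forged_replies: int = 100) -> dict:
    """Expected race windows to poison with TXID only versus TXID plus a
    randomized source port.  The second figure assumes the randomized ports
    survive to the wire: a NAT that rewrites source ports sequentially can
    collapse the second case back to the first."""
    return {
        "txid_only": expected_queries_to_poison(forged_replies, TXID_BITS),
        "txid_plus_port": expected_queries_to_poison(forged_replies, TXID_BITS + PORT_BITS),
    }


if __name__ == "__main__":
    est = compare_mitigations(forged_replies=100)
    print("TXID only:          ~%.0f queries" % est["txid_only"])
    print("TXID + random port: ~%.0f queries" % est["txid_plus_port"])
    print("simulated 16-bit race: poisoned on query", simulate_race(16, 100, seed=2011))
```

With 100 forged replies per window, the TXID-only resolver is expected to fall in a few hundred queries, which at the query rates an attacker can induce is seconds; randomizing the port pushes that into the tens of millions, a real but purely quantitative improvement that a misbehaving NAT can undo. A resolver that validates signatures rejects the forged reply whether or not the guess was right, which is the sense in which DNSSEC is the permanent fix the panel describes.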
Rod Beckstrom, CEO of the Internet Corporation for Assigned Names and Numbers (ICANN), which has been overseeing the signing of the major Internet domains, said companies can turn on DNSSEC validation on their resolvers today for zones that are already signed. Special browser plug-ins make it possible for employees to make use of the technology, he said.
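Beckstrom's suggestion to turn on validation for already-signed zones raises the practical question of how to tell whether a resolver is actually validating, and how to distinguish a validation failure (the "false positive" Mockapetris warns about) from an ordinary outage. The helper below is an added example, not ICANN's or the article's code: it reads the text of `dig +dnssec` and, on SERVFAIL, of the same query with `+cd` (checking disabled), and classifies the result. The dig transcripts embedded in it are constructed samples with dummy signature data.

```python
"""Triage DNSSEC status from `dig` output.

Added example for this page; not code from ICANN or the article.  The dig
transcripts are constructed samples (signature bytes are dummy base64).
Real ones come from `dig +dnssec NAME A` and `dig +cd +dnssec NAME A`.
"""
import re

SECURE = "secure: answer validated by the resolver (ad flag set)"
SIGNED_NOT_VALIDATED = "signed, but the resolver is not validating (RRSIG present, no ad flag)"
UNSIGNED = "unsigned: no RRSIG records in the answer"
BOGUS = "bogus: validation failed (SERVFAIL normally, answer with +cd)"
SERVER_FAILURE = "server failure unrelated to DNSSEC (SERVFAIL even with +cd)"


def _status(dig_out: str) -> str:
    m = re.search(r"status:\s*([A-Z]+)", dig_out)
    return m.group(1) if m else "UNKNOWN"


def _flags(dig_out: str) -> set:
    m = re.search(r";; flags:\s*([a-z ]*);", dig_out)
    return set(m.group(1).split()) if m else set()


def _has_rrsig(dig_out: str) -> bool:
    # Only the ANSWER SECTION counts; an RRSIG in ADDITIONAL says nothing about the answer.
    m = re.search(r";; ANSWER SECTION:\n(.*?)(?:\n\n|\Z)", dig_out, re.S)
    answer = m.group(1) if m else ""
    return re.search(r"\sIN\s+RRSIG\s", answer) is not None


def classify(dnssec_out: str, cd_out: str = None) -> str:
    """Classify `dig +dnssec` output.  `cd_out` is the same query run with +cd
    and is consulted only when the first query returned SERVFAIL."""
    if _status(dnssec_out) == "SERVFAIL":
        if cd_out is not None and _status(cd_out) == "NOERROR":
            return BOGUS          # resolver refused the data, server can still hand it over
        return SERVER_FAILURE
    if "ad" in _flags(dnssec_out):
        return SECURE
    if _has_rrsig(dnssec_out):
        return SIGNED_NOT_VALIDATED
    return UNSIGNED


# Constructed sample transcripts (not captured from a real resolver).
SAMPLE_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.  3600  IN  A  192.0.2.10
example.org.  3600  IN  RRSIG  A 8 2 3600 20110401000000 20110301000000 12345 example.org. ZHVtbXkgc2lnbmF0dXJl
"""
SAMPLE_SIGNED_NO_AD = SAMPLE_SECURE.replace("ra ad;", "ra;")
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  300  IN  A  192.0.2.20
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7777
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_BOGUS_CD = SAMPLE_SIGNED_NO_AD.replace("ra;", "ra cd;")

if __name__ == "__main__":
    print(classify(SAMPLE_SECURE))
    print(classify(SAMPLE_SIGNED_NO_AD))
    print(classify(SAMPLE_UNSIGNED))
    print(classify(SAMPLE_BOGUS, SAMPLE_BOGUS_CD))
    print(classify(SAMPLE_BOGUS))
```

Two caveats a practitioner should keep in mind. The `ad` flag is set by the validating resolver, not by the authoritative server, so it is only meaningful when the path to that resolver is trusted (loopback or an authenticated transport); on an untrusted network the bit can be stripped or forged in transit. And `+cd` asks the resolver to skip validation, so data that appears only with `+cd` is exactly the broken-signature case organizations should expect to see while zones and DNS software are brought up to date.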
DNSSEC has been in development for more than 15 years, and many organizations have contributed to finally making it pay off, Beckstrom said. Implementation issues aside, "we're going to have digitally signed responses now," he told RSA Conference attendees. That means that, once fully supported, the authentication can help better protect DNS records and the services that depend on them.