DNS Security Extensions (DNSSEC) has had slow adoption in the enterprise, but experts said the DNSSEC protocol is better than the current certificate authority (CA) system, and any hesitance around adopting the technology may be rooted in a misunderstanding of what it aims to do.
The DNSSEC protocols add digital signatures to domain name system (DNS) data so that a resolver can authenticate the origin of the data and verify its integrity as it crosses the Internet. DNS-based Authentication of Named Entities (DANE, RFC 6698) then binds Transport Layer Security (TLS) to DNS: a domain publishes TLSA records, protected by DNSSEC, that state which certificate a service presents or which certificate authority must have issued it, so a client can check that a certificate originates from the CA the domain owner specified, or was issued by the domain owner directly.
According to John Levine, industry expert and author of The Internet for Dummies, there are both short- and long-term advantages to DNSSEC.
"The primary advantage is that it keeps bad guys from faking your domain name, so they can pass off their website as yours," Levine said. "The longer-range advantage is that you can use the DNS to securely publish new kinds of information -- most notably, TLS certificates -- instead of getting them signed by a third party."
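To make that distinction concrete, here is an added example (not from the article or from either expert) of how a client matches a server's certificate chain against DANE TLSA records. It models all four RFC 6698 certificate usages: usages 0 and 1 still depend on ordinary CA validation, while usage 3 accepts a certificate the domain owner published directly, which is the case Levine describes. The certificates are constructed byte strings standing in for DER data, the PKIX and chain-signature checks are represented by booleans the caller supplies, and selector 1 (SubjectPublicKeyInfo) is left unimplemented because it would need a DER parser.

```python
"""DANE TLSA matching (RFC 6698): which certificate usages still rely on a CA.

Constructed example: the "certificates" below are placeholder byte strings
standing in for DER-encoded X.509 certificates.  Hashing and comparison work
on raw bytes exactly as a validator would, but no ASN.1 is parsed, and the
PKIX and chain-signature checks are booleans supplied by the caller.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 s2.1.1 certificate usages
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# s2.1.2 selector: 0 = full certificate (1 = SubjectPublicKeyInfo, not modelled here)
FULL_CERT = 0
# s2.1.3 matching types
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data


def association_data(cert_der, selector, matching):
    """Derive the association data a TLSA record would carry for this certificate."""
    if selector != FULL_CERT:
        raise NotImplementedError("selector 1 (SPKI) requires DER parsing")
    if matching == EXACT:
        return cert_der
    if matching == SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching == SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(cert_der, usage, selector=FULL_CERT, matching=SHA256):
    """Build the TLSA record an operator would publish (before DNSSEC signing)."""
    return TLSA(usage, selector, matching, association_data(cert_der, selector, matching))


def _matches(record, cert_der):
    try:
        return association_data(cert_der, record.selector, record.matching) == record.data
    except (NotImplementedError, ValueError):
        return False  # unusable record: skip it (RFC 7671 fallback rules not modelled)


def dane_accepts(chain, records, *, dnssec_secure, pkix_valid, chain_ok):
    """Return True if some TLSA record authenticates `chain` (leaf certificate first).

    dnssec_secure: the TLSA RRset validated under DNSSEC.  Unsigned or bogus
                   TLSA data must be ignored (RFC 6698 s4.1), so nothing is accepted.
    pkix_valid:    ordinary CA-store validation of the chain, done elsewhere.
    chain_ok:      the chain's signatures verify up to the certificate matched by
                   a DANE-TA record, done elsewhere.
    """
    if not dnssec_secure or not chain:
        return False
    leaf, issuers = chain[0], chain[1:]
    for r in records:
        if r.usage == PKIX_TA:    # CA constraint: a named CA must be in a PKIX-valid path
            if pkix_valid and any(_matches(r, c) for c in issuers):
                return True
        elif r.usage == PKIX_EE:  # service certificate constraint, still needs PKIX validation
            if pkix_valid and _matches(r, leaf):
                return True
        elif r.usage == DANE_TA:  # operator-chosen trust anchor; the CA store is not consulted
            if chain_ok and any(_matches(r, c) for c in issuers):
                return True
        elif r.usage == DANE_EE:  # domain-issued certificate; no third-party CA involved
            if _matches(r, leaf):
                return True
    return False


# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF_DER = b"CONSTRUCTED-LEAF-CERT-www.example.test"
CA_DER = b"CONSTRUCTED-CA-CERT-Example-Issuing-CA"
CHAIN = [LEAF_DER, CA_DER]


def demo():
    """Exercise the usages; returns a dict of outcome flags for inspection."""
    ee = [tlsa_record(LEAF_DER, DANE_EE)]  # would be published as "3 0 1 <sha256 hex>"
    ca = [tlsa_record(CA_DER, PKIX_TA)]    # would be published as "0 0 1 <sha256 hex>"
    return {
        "dane_ee_self_signed_ok": dane_accepts(CHAIN, ee, dnssec_secure=True, pkix_valid=False, chain_ok=False),
        "dane_ee_unsigned_tlsa": dane_accepts(CHAIN, ee, dnssec_secure=False, pkix_valid=True, chain_ok=True),
        "pkix_ta_needs_pkix": dane_accepts(CHAIN, ca, dnssec_secure=True, pkix_valid=False, chain_ok=True),
        "pkix_ta_with_pkix": dane_accepts(CHAIN, ca, dnssec_secure=True, pkix_valid=True, chain_ok=True),
        "tampered_leaf": dane_accepts([LEAF_DER + b"x", CA_DER], ee, dnssec_secure=True, pkix_valid=True, chain_ok=True),
    }
```

The `dnssec_secure` check is the part that ties the two technologies together: a TLSA record that did not arrive with a valid DNSSEC chain of trust is worthless, because anyone who can spoof DNS answers could otherwise publish a record matching their own certificate.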
However, there is fear surrounding the protocol because of claims that it would make it easier for governments to spy on data. The theory is that because certificate data would be published in DNS, any government that controls an important top-level domain (TLD) would also control the signing keys that vouch for that data, and therefore the trust chain for TLS certificates under that TLD.
Dan York, senior content strategist for the Internet Society in Reston, Va., said the claim that DNSSEC doesn't stop spying is a straw-man fallacy, because that was never the intent of the protocol.
"DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS," York said. "What it does not do is protect the confidentiality of the communication. It doesn't encrypt the information or anything like that. That is not what it is supposed to do. So, DNSSEC ensures you are connecting to the correct IP addresses, but spying could still happen on the communication between your computer and those IP addresses."
York said even the argument that governments control a large number of top-level domains is not exactly true.
"Country-code top-level domains (ccTLDs), which are all the two-letter domains, such as .ly and .nl, very often are controlled by governments," York said. "In contrast, most of the generic TLDs (gTLDs), such as .com, .org and the new gTLDs -- .bank, .foo, .photos, etc. -- are controlled by various registries, almost all of whom are private companies and most of whom are commercial companies."
While many ccTLDs are controlled by governments, two of the most popular -- .de and .uk -- are run not by the German and British governments but by private organizations. York said some gTLDs are also controlled by governments, so users who are worried should check who operates a given TLD, but spying would not be the problem that government control poses.
"Given that a ccTLD operator controls the domain registry for the ccTLD, they certainly could change the records for your domain to point to a different set of DNS name servers, thereby giving control of your domain to another DNS operator -- which could be their own -- and then change the DNS records to point to another site," York said. "DNSSEC doesn't really matter in here, because ccTLD operators have control over the records in the TLD."
According to Levine, even this would be unlikely because someone would notice something going wrong in the chain of trust.
"Yes, governments intrude all over the place, but given how screwed up the current CA system is, there's no reason to believe that DNSSEC would be any worse," Levine said. "Also, it really would be quite hard to compromise it in ways that nobody would notice because of how hard people look at the DNS and how much redundancy there is."
Levine said that while DNSSEC may not be perfect, it is better than the problems surrounding certificate authorities. But he said he understands why adoption has been slow; among other reasons, no major Web browser yet validates TLS certificates through DANE and DNSSEC.
"It's very complex, and the tools are still lousy. I have about 300 DNS zones on my server, and although I sign them all locally, signatures are ignored unless the higher level DNS zone links to my key using a DS [delegation signer] record," Levine said. "There are two subflavors of DNSSEC, known as NSEC and NSEC3. If you use NSEC, it's easy for people to enumerate your zone -- i.e., go through and find all of the domain names in it, which is sometimes undesirable." An NSEC record proves that a name does not exist by naming the two existing names that bracket it in the zone's canonical order, so every negative answer discloses two real names and the whole zone can be walked link by link. NSEC3 replaces those names with salted, iterated SHA-1 hashes, so a walker collects hashes rather than names, although guessable names can still be recovered offline by hashing candidates.
Levine said that even "using passive DNS, people can get pretty close and there's nothing you can do about it. NSEC3 solves the enumeration problem, but at the cost of making DNSSEC even more complicated than it was already, and making some operations that update a DNS zone on the fly much harder."
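As an added example (not from the article or from Levine), the following script builds the NSEC chain for a small constructed zone, walks it the way an outsider would using only negative answers, and then builds the NSEC3 chain for the same zone to show that a walker collects only salted SHA-1 hashes, while labels from a wordlist can still be confirmed offline. The zone, its names, the salt and the iteration count are all made up for the demonstration; no DNS traffic is sent.

```python
"""Zone enumeration with NSEC versus NSEC3 (RFC 4034 s4 and s6.1, RFC 5155 s5).

Constructed example zone; nothing is queried over the network.  The "server"
functions answer the way an authoritative server proves that a name does not
exist, and the "walker" shows what an outsider learns from those proofs.
"""
import base64
import hashlib

ZONE = "example.test."  # constructed zone and names
NAMES = ["example.test.", "www.example.test.", "mail.example.test.",
         "intranet.example.test.", "vpn.example.test."]


def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def wire(name):
    """Canonical wire format: length-prefixed lowercase labels, terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in labels(name)) + b"\x00"


def canonical_key(name):
    """RFC 4034 s6.1 order: compare labels right to left; a name sorts before its children."""
    return tuple(l.encode("latin-1") for l in reversed(labels(name)))


def nsec_chain(names):
    """owner -> next owner in canonical order; the last record wraps to the apex."""
    ordered = sorted(set(names), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec_for_nxdomain(chain, qname):
    """Server side: the NSEC whose owner/next pair brackets a nonexistent qname."""
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        if canonical_key(owner) <= q < canonical_key(nxt):
            return owner, nxt
    last = max(chain, key=canonical_key)
    return last, chain[last]  # qname sorts after the last owner: wrap-around record


def walk_nsec(chain, apex):
    """Attacker side: enumerate the zone from negative answers alone."""
    found, current = [apex], apex
    while len(found) <= len(chain):
        # A leading label of one zero octet sorts immediately after `current`
        # and before any sibling, so the covering NSEC reveals the next real name.
        _owner, nxt = nsec_for_nxdomain(chain, "\x00." + current)
        if nxt == apex:
            break
        found.append(nxt)
        current = nxt
    return found


# base32 with the "extended hex" alphabet (RFC 4648), which keeps hash byte order.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: SHA-1(name || salt), re-hashed with the salt `iterations` more times."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)


def nsec3_chain(names, salt=b"", iterations=0):
    """Hashed owner -> next hashed owner, in hash order."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in set(names))
    return {hashes[i]: hashes[(i + 1) % len(hashes)] for i in range(len(hashes))}


def crack_nsec3(chain, wordlist, zone, salt=b"", iterations=0):
    """Offline guessing: a walker of the NSEC3 chain sees only hashes, but every
    guessable label can be confirmed without sending another query."""
    recovered = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in chain:
            recovered[h] = candidate
    return recovered


def demo():
    chain = nsec_chain(NAMES)
    walked = walk_nsec(chain, ZONE)                # every name, in canonical order
    salt, iters = bytes.fromhex("8f0ac1"), 10      # constructed NSEC3PARAM values
    hashed = nsec3_chain(NAMES, salt, iters)
    guessed = crack_nsec3(hashed, ["www", "mail", "ftp", "admin", "vpn"], ZONE, salt, iters)
    return walked, hashed, guessed
```

Running `demo()` recovers all five names from the NSEC chain, but only the three names whose labels appear in the wordlist from the NSEC3 chain; `intranet` stays hidden until someone guesses it. The salt and iteration count only raise the cost of that guessing, which is the trade-off Levine alludes to.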
York also acknowledged that the DNSSEC protocol has problems: added operational requirements, larger DNS packets, no confidentiality and, potentially, systems that are easier to break -- though York said that last claim could be directed at many security technologies.
"Historically, DNS servers have often been boxes that network administrators set up and then generally ignored, as they've just been off running. Adding DNSSEC requires that some additional care must be given to the DNS servers," York said. "DNSSEC causes DNS packets to be larger due to the signatures. This can have effects on network traffic. One way to mitigate this is to use signatures that have smaller key sizes."
York said the DPRIVE (DNS PRIVate Exchange) Working Group of the Internet Engineering Task Force is already working to secure the connection between a client and its DNS resolver, so that someone spying on the local network cannot read the DNS queries in transit; that work later standardized DNS over TLS (RFC 7858).
According to York, solutions to many of the common complaints about DNSSEC are in the works because of the way the protocol was designed.
"The beauty of the DNSSEC protocol was that it was designed from the start to be able to evolve," York said. "As security concerns and security algorithms evolve, so, too, can the protocol evolve."