FEATURED | DNSSEC is Must for Protecting Your Organization's Cyber Integrity

FEATURED | DNSSEC is Must for Protecting Your Organization's Cyber Integrity

By Educause

"DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS. 

What it does not do is protect the confidentiality of the communication. It doesn't encrypt the information or anything like that. That is not what it is supposed to do. So, DNSSEC ensures you are connecting to the correct IP addresses, but spying could still happen on the communication between your computer and those IP addresses." 

- Dan York
Senior Content Strategist for the Internet Society in Reston, Virginia
Source: TechTarget Blog / Nov 19, 2015

FEATURED | DNSSEC is Must for Protecting Your Organization's Cyber Integrity

Internet-connected devices are identified by IP addresses, though users typically only know web addresses—people can remember “example.edu,” for instance, more easily than “192.168.7.13.” The Domain Name System (DNS) uses a distributed network of name servers to translate text-based web addresses into IP addresses, directing Internet traffic to proper servers. Though invisible to end users, DNS is a basic element of how the Internet functions.

DNS was built without security, however, leaving Internet traffic exposed to forged DNS data, which, among other things, allows the spoofing of addresses to redirect traffic to malicious websites. DNS Security Extensions (DNSSEC) adds security provisions to DNS so that computers can verify that they have been directed to proper servers. DNSSEC authenticates lookups of DNS data (including the mapping of website names to IP addresses) for DNSSEC-enabled domains so that outgoing Internet traffic (including e-mail) is always sent to the correct servers, without the risk of being misdirected to fraudulent sites.

Who’s doing it?

VeriSign administers the “root,” which supports all toplevel domains (TLDs) (.com, .net, .info, and so forth), and is expected to implement DNSSEC for the root (“sign the root”) in 2010. Once that happens, DNSSEC traffic can be validated at its highest level—the root. Several nations—including Sweden (.se domain), Brazil (.br), Bulgaria (.bg), and the Czech Republic (.cz)—have implemented the technology for their country-code domains, and the Public Interest Registry has enabled DNSSEC validation for the .org domain. As part of its compliance with the Federal Information Security Management Act of 2002, which requires increased security for the nation’s cyber infrastructure, the U.S. federal government has implemented DNSSEC for the .gov domain. Until the root is signed, these domains will use a surrogate authority to validate their DNSSEC-enabled web traffic, but all TLDs will eventually use DNSSEC. EDUCAUSE is working with VeriSign to implement DNSSEC for the .edu domain, also in 2010, and this effort is expected to provide guidance about best practices to smooth the transitions of the much-larger .com and .net domains in 2010 and 2011.

How does it work?

As data packets travel over the Internet, DNS provides the “maps” that correlate web addresses with IP addresses and route traffic to proper destinations. Because DNS does not provide a mechanism to authenticate the data in name servers, forged or corrupt data in a name server can direct traffic to the wrong server—a weakness that malicious parties use to their advantage. DNSSEC adds digital signatures that ensure the accuracy of lookup data, guaranteeing that computers can connect to legitimate servers.

DNSSEC - How does it work?

With DNSSEC, a series of encryption keys are handed off and authenticated—the second-level domain (SLD) key (from example.edu) is authenticated by the TLD (.edu), and the TLD key is authenticated by the root. In this way, when an SLD, its parent TLD, and the root are all signed, a chain of trust is created. (Holders of SLDs can implement DNSSEC before their TLD or the root is signed, creating so-called “islands of trust” that rely on intermediate measures to validate their encryption keys.) If the encryption keys don’t match, DNSSEC will fail, but because the system is backwards-compatible, the transaction will simply follow standard DNS protocols.

The value of the system will come when the root, the TLDs, and SLDs are signed, allowing DNSSEC to be used for all Internet traffic. At that point, when DNSSEC fails, users will not be routed to bogus servers, and they might also be notified that non-matching DNSSEC keys prevented their transaction from going through.

Why is it significant?

Hackers continue to exploit the security weakness of DNS to their advantage. By caching address information, name servers don’t have to look up the IP address every time a frequently visited site is accessed, and this speeds up the experience for end users. If hackers are able to insert a bogus IP address into a cache, however, all users of that name server will be directed to the wrong site (until the cache expires and is refreshed). Corrupting the operation of DNS in this way can lead to many kinds of fraud and other malicious activity. By plugging some of the largest security holes in the Internet, DNSSEC has the potential to significantly expand the trustworthiness—and thus the usefulness—of the Internet as a whole.

Click on the image to test your Domain

Image Attribute: Verisign's DNSSEC Debugger Web Page / Click on the image to test your Domain

What are the downsides?

Fully implementing DNSSEC will require an enormous amount of work across every quarter of the Internet—signing the root and the TLDs is simply the tip of the iceberg. Participation is voluntary at this time, and the benefit that DNSSEC ultimately provides will be a reflection of the willingness of domain holders to do that work—that is, the value of DNSSEC will be in direct proportion to the number of sites that implement it. Even after the root and the TLDs are signed, the advantage of DNSSEC will be qualified by uneven rates of adoption.

Adding encryption keys to Internet lookups introduces complex logistical problems of managing those keys, such as how to periodically update keys without breaking the way name servers (and their caches) work, and how to accommodate the differing keys and protocols of different TLDs. Name server software is still evolving to support DNSSEC; many organizations will need to update their DNS software, and, in some cases, hardware upgrades will also be required. In addition, DNSSEC might degrade the speed of Internet lookups, resulting in a slower experience for end users. On top of the technical and resource-based challenges are policy issues that will need to be resolved at an international level. The effort to implement DNSSEC for the root has renewed a longstanding debate about where “control of the Internet” resides.

Where is it going?

Having the root and TLDs signed will provide some incentive for domain holders to implement DNSSEC because the chain of trust can be established, but until a critical mass of domains incorporate the technology, the benefits might not seem to justify the effort. Administrators of most TLDs are expected to develop resources to help ease the implementation of DNSSEC for domain holders, but many of the thorniest technical issues—about not only the transition to but also the maintenance of DNSSEC in practice— still need to be sorted out. Presumably, as domains begin implementing DNSSEC in large numbers, momentum will grow and sustain the transition, but it remains to be seen how long the process might take or at what point a mandate to implement DNSSEC will be required for full adoption.

What are the implications for authentic businesses and institutions?

The risks posed by DNS and the benefits of implementing DNSSEC have special significance for authentic businesses and institutions. For example, Colleges and universities are expected to be “good Internet citizens” and to lead by example in efforts to improve the public good. Because users tend to trust certain domains, including the .edu domain, more than others, expectations for the reliability of college and university websites are high. To the extent that institutions of higher education depend on their reputations,


DNSSEC is an avenue to avoid some of the kinds of incidents that can damage any organization's stature. In more tangible terms, any size organization today stores enormous amounts of sensitive information (including personal and financial information for students and others, medical information, and research data), and they maintain valuable online assets to which access must be effectively restricted. DNS attacks result in stolen passwords, disrupted e-mail (which often is the channel for official communications), exposure to malware, and other problems. DNSSEC can be an important part of a broad-based cyber-security strategy. 

About The Organization:

EDUCAUSE is a nonprofit membership association created to support those who lead, manage, and use information technology to benefit higher education. A comprehensive range of resources and activities is available to all EDUCAUSE members. The association’s strategic directions include focus in four areas: Teaching and Learning; Managing the Enterprise; E-Research and E-Scholarship; and the Evolving Role of IT and Leadership. For more information, visit educause.edu.

Publication Details:

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License. http://creativecommons.org/licenses/by-nc-nd/3.0/ by the Original Publisher and is slightly modified by IndraStra Global Editorial Team as per current trends. 

AIDN0020120160003/ INDRASTRA / ISSN 2381-3652
    Blogger Comment
    Facebook Comment