DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS.
By Educause
"DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS. What it does not do is protect the confidentiality of the communication. It doesn't encrypt the information or anything like that. That is not what it is supposed to do. So, DNSSEC ensures you are connecting to the correct IP addresses, but spying could still happen on the communication between your computer and those IP addresses."
- Dan York, Senior Content Strategist for the Internet Society in Reston, Virginia
Source: TechTarget Blog / Nov 19, 2015
Internet-connected devices are identified by IP addresses, though users typically know only domain names: people can remember "example.edu," for instance, more easily than "192.168.7.13." The Domain Name System (DNS) uses a distributed hierarchy of name servers to translate domain names into IP addresses (and into other records, such as the mail servers for a domain), directing Internet traffic to the proper servers. Though invisible to end users, DNS is a basic element of how the Internet functions.
DNS was designed without security, however: a resolver has no way to tell whether the answer it received came from the legitimate name server or from an attacker. Forged DNS data therefore allows, among other things, the spoofing of addresses to redirect traffic to malicious servers. DNS Security Extensions (DNSSEC) add digital signatures to DNS data so that a validating resolver can check that an answer is what the zone operator actually published and has not been altered. For DNSSEC-enabled domains, this authenticates lookups of DNS data (including the mapping of host names to IP addresses and the mail servers for a domain) so that outgoing Internet traffic, including e-mail, is not misdirected by forged DNS responses. DNSSEC does not encrypt DNS queries or the traffic that follows, and it cannot help if the data the operator published is itself wrong.
Who’s doing it?
VeriSign maintains the root zone, which supports all top-level domains (TLDs) (.com, .net, .info, and so forth), and the root is expected to be signed ("signing the root") in 2010. Once that happens, DNSSEC data can be validated from its highest level, the root, downward. Several nations, including Sweden (.se), Brazil (.br), Bulgaria (.bg), and the Czech Republic (.cz), have signed their country-code domains, and the Public Interest Registry has signed the .org domain. As part of its compliance with the Federal Information Security Management Act of 2002, which requires increased security for the nation's cyber infrastructure, the U.S. federal government has implemented DNSSEC for the .gov domain. Until the root is signed, resolvers that want to validate these domains must obtain the TLD keys from an interim source (such as IANA's Interim Trust Anchor Repository or ISC's DNSSEC Look-aside Validation registry) rather than through the root, but all TLDs are eventually expected to be covered by the root's chain of trust. EDUCAUSE is working with VeriSign to implement DNSSEC for the .edu domain, also in 2010, and this effort is expected to provide guidance about best practices to smooth the transitions of the much larger .com and .net domains in 2010 and 2011.
How does it work?
As data packets travel over the Internet, DNS provides the "maps" that correlate domain names with IP addresses so that traffic reaches the proper destinations. Because plain DNS provides no mechanism to authenticate the data returned by name servers, forged or corrupt data, whether injected into a resolver's cache or spoofed in a response, can direct traffic to the wrong server, a weakness that attackers have exploited. DNSSEC adds digital signatures over DNS records so that a validating resolver can detect data that was not published by the zone operator and refuse to use it. Note that this authenticates the DNS answer, not the server it points to: a correct IP address can still host a compromised service, and the connection itself remains unencrypted unless another protocol (such as TLS) protects it.
With DNSSEC, a chain of signing keys is established from the root downward. Each zone signs its own records with its keys, which it publishes as DNSKEY records, and the parent zone publishes a DS (Delegation Signer) record, a hash of the child's key, signed with the parent's own key. So the second-level domain (SLD) key for example.edu is authenticated by a DS record in .edu, and the .edu key is authenticated by a DS record in the root; a resolver configured with the root's key (its trust anchor) can follow this chain of trust all the way down, which is why the chain is complete only when the SLD, its parent TLD, and the root are all signed. (Holders of SLDs can sign their zones before their TLD or the root is signed, creating so-called "islands of trust" whose keys resolvers must obtain and trust through some out-of-band channel.) If a signature or DS record does not match, validation fails and a validating resolver refuses to return the data: the client sees a lookup error (SERVFAIL) rather than a forged answer. Resolvers that do not validate simply ignore the signatures and behave as ordinary DNS, which is what makes the system backwards-compatible.
The value of the system comes when the root, the TLDs, and the SLDs are all signed and resolvers validate, so that DNSSEC protects every lookup. At that point, when validation fails, users are not routed to bogus servers; instead the lookup itself fails, and applications might also tell the user that non-matching DNSSEC signatures prevented their transaction from going through.
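The parent-authenticates-child link described in the two paragraphs above (a DS record in the parent zone vouching for the child's DNSKEY, and the resolver rejecting a key that no trusted DS matches) as an added Python example; this is not code from the original EDUCAUSE article or from any DNS implementation. It implements only the DS/DNSKEY matching step of RFC 4034 (wire formats, canonical owner names, the Appendix B key tag); the key bytes are constructed filler rather than a real key, and verifying the zone's RRSIG signatures with the authenticated key is the next step and is not shown.

```python
"""Parent/child link in the DNSSEC chain of trust (illustrative example, not from
EDUCAUSE or any DNS implementation). Record formats follow RFC 4034: DNSKEY RDATA,
DS RDATA, canonical owner names, and the Appendix B key tag. The key bytes below are
constructed filler, not a real key; no network access is needed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, List

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = zone-signing key, 257 = key-signing key (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # signature algorithm, e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self, owner: str) -> str:
        """The record as it appears in the parent's zone file."""
        return (f"{owner.rstrip('.')}. IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest.hex().upper()}")


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA used to pick
    the right key quickly. It is an identifier, not a security check on its own."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What the child operator hands to the parent: digest(canonical owner name || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(canonical_name(owner))
    h.update(key.rdata())
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.digest())


def ds_matches_key(ds: DS, owner: str, key: DNSKEY) -> bool:
    """Resolver-side check: does a DS we already trust (because the parent signed it)
    authenticate the DNSKEY the child zone served us?"""
    if ds.digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot authenticate anything
    if ds.algorithm != key.algorithm or ds.key_tag != key_tag(key.rdata()):
        return False
    expected = make_ds(owner, key, ds.digest_type)
    return hmac.compare_digest(expected.digest, ds.digest)


def authenticated_keys(owner: str, ds_set: Iterable[DS], dnskey_set: Iterable[DNSKEY]) -> List[DNSKEY]:
    """Keys in the child's DNSKEY RRset that at least one parent DS vouches for (RFC 4035 s5.2).
    Only these may be used to verify the child's RRSIGs; anything else is unauthenticated."""
    ds_list = list(ds_set)
    return [k for k in dnskey_set if any(ds_matches_key(ds, owner, k) for ds in ds_list)]


if __name__ == "__main__":
    # Constructed key material (not a real key): the example.edu key-signing key.
    ksk = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
    ds_in_parent = make_ds("example.edu", ksk)  # what the .edu zone publishes
    print(ds_in_parent.presentation("example.edu"))
    # A spoofed answer carrying an attacker's key fails the DS check however plausible it looks.
    forged = DNSKEY(flags=257, protocol=3, algorithm=13,
                    public_key=bytes([0xFF]) + bytes(range(1, 64)))
    print("genuine key authenticated:", ds_matches_key(ds_in_parent, "example.edu", ksk))
    print("forged key authenticated: ", ds_matches_key(ds_in_parent, "example.edu", forged))
```

The same digest is what an operator pastes into the registrar's DS form when enabling DNSSEC, and what a resolver recomputes from the DNSKEY it receives; the key tag and algorithm are only a fast pre-filter, the digest comparison is the actual check. A real resolver then verifies the zone's RRSIG records with the keys this check returned, and treats a zone whose keys match no DS as bogus rather than falling back to the unsigned answer.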
Why is it significant?
Attackers continue to exploit the security weakness of DNS to their advantage. By caching address information, name servers avoid looking up the IP address every time a frequently visited site is accessed, which speeds up the experience for end users. If attackers can insert a bogus IP address into a resolver's cache (a technique known as cache poisoning, whose practicality at Internet scale was demonstrated by the Kaminsky attack of 2008), all users of that resolver will be directed to the wrong site until the cached entry expires and is refreshed. Corrupting the operation of DNS in this way can lead to many kinds of fraud and other malicious activity. Because a poisoned answer carries no valid signature, a validating resolver rejects it rather than caching it; by plugging some of the largest security holes in the Internet, DNSSEC has the potential to significantly expand the trustworthiness, and thus the usefulness, of the Internet as a whole.
Image: Verisign's DNSSEC Debugger web page.
What are the downsides?
Fully
implementing DNSSEC will require an enormous amount of work across every
quarter of the Internet—signing the root and the TLDs is simply the tip of the
iceberg. Participation is voluntary at this time, and the benefit that DNSSEC
ultimately provides will be a reflection of the willingness of domain holders
to do that work—that is, the value of DNSSEC will be in direct proportion to
the number of sites that implement it. Even after the root and the TLDs are
signed, the advantage of DNSSEC will be qualified by uneven rates of adoption.
Adding signing keys to DNS introduces complex logistical problems of managing those keys, such as how to roll over keys periodically without breaking validation for resolvers that still hold the old keys and signatures in their caches, and how to accommodate the differing key algorithms, policies, and DS-submission procedures of different TLDs and registrars. Name server software is still evolving to support DNSSEC; many organizations will need to update their DNS software, and, in some cases, hardware upgrades will also be required. In addition, DNSSEC enlarges DNS responses and adds signature validation to each lookup, which can slow lookups and so the experience for end users. On top of the technical and resource-based challenges are policy issues that will need to be resolved at an international level. The effort to implement DNSSEC for the root has renewed a longstanding debate about where "control of the Internet" resides.
Where is it going?
Having the root
and TLDs signed will provide some incentive for domain holders to implement
DNSSEC because the chain of trust can be established, but until a critical mass
of domains incorporate the technology, the benefits might not seem to justify
the effort. Administrators of most TLDs are expected to develop resources to
help ease the implementation of DNSSEC for domain holders, but many of the
thorniest technical issues—about not only the transition to but also the
maintenance of DNSSEC in practice— still need to be sorted out. Presumably, as
domains begin implementing DNSSEC in large numbers, momentum will grow and
sustain the transition, but it remains to be seen how long the process might
take or at what point a mandate to implement DNSSEC will be required for full
adoption.
What are the implications for legitimate businesses and institutions?
The risks posed by DNS and the benefits of implementing DNSSEC have special significance for legitimate businesses and institutions. Colleges and universities, for example, are expected to be "good Internet citizens" and to lead by example in efforts to improve the public good. Because users tend to trust certain domains, including the .edu domain, more than others, expectations for the reliability of college and university websites are high. To the extent that institutions of higher education depend on their reputations, DNSSEC is an avenue to avoid some of the kinds of incidents that can damage any organization's stature. In more tangible terms, organizations of any size today store enormous amounts of sensitive information (including personal and financial information for students and others, medical information, and research data), and they maintain valuable online assets to which access must be effectively restricted. DNS attacks can result in stolen passwords, disrupted e-mail (which often is the channel for official communications), exposure to malware, and other problems. DNSSEC can be an important part of a broad-based cyber-security strategy.
About The Organization:
EDUCAUSE is a
nonprofit membership association created to support those who lead, manage, and
use information technology to benefit higher education. A comprehensive range
of resources and activities is available to all EDUCAUSE members. The
association’s strategic directions include focus in four areas: Teaching and
Learning; Managing the Enterprise; E-Research and E-Scholarship; and the
Evolving Role of IT and Leadership. For more information, visit educause.edu.
Publication Details:
This work is
licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0
License. http://creativecommons.org/licenses/by-nc-nd/3.0/
by the Original Publisher and is slightly modified by IndraStra Global
Editorial Team as per current trends.