Web's DNS Structure Remains Vulnerable

With millions of Internet domains potentially at risk, only a fraction are DNSSEC-secured.

In the summer of 2008, the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to attack.

The ultimate solution to the DNS vulnerability is a technology that has been available since at least 2004, called DNSSEC (DNS Security Extensions) (define).

How many domains are actually DNSSEC-secured today? That's a difficult question to answer, but one that InternetNews.com set out to discover. With tens of millions of domains potentially at risk, only a small percentage to date are actually DNSSEC-secured.

At the top level of the Internet, among what are commonly referred to as the gTLD (generic top level domains) of .com, .net and .org, only the .org gTLD has been signed for DNSSEC security.

VeriSign controls .com and .net while the Public Interest Registry (PIR) controls .org. VeriSign did not respond to InternetNews.com's query about the current status of DNSSEC deployment at press time.

On the other hand, the .org domain space was officially signed for DNSSEC in June of this year. However, having the .org gTLD is just the first step. Since June, individual domains have migrated to the platform for a beta test. While there are millions of .org domains, to date only a small number have been signed.

"PIR has signed approximately 25 .org domains with DNSSEC as part of its beta test phase," Lauren Price, senior product marketing manager at PIR told InternetNews.com. "We are manually inserting the DS records into the zone. In addition, we have the contact data for all of the domain owners in our beta test phase. PIR will work closely with each domain holder through every phase of the testing to mitigate risks and capture lessons learned."

Price added that with the phased beta period, the plan is not to sign a large number of domains. The focus is instead on having a reasonably sized set of test domains to provide a quality testing experience.

Network infrastructure vendor Afilias provides the back-end for .org and also has a number of other TLD initiatives underway for DNSSEC.

"We have a DNSSEC test bed running now for the .IN registry (India)," Howard Eland, senior director of resolution services at Afilias, told InternetNews.com. "We also provide secondary DNS for Sweden (.SE), which is a signed zone, as well as secondary DNS for ISC's DLV effort."

Eland declined to provide specific numbers for the .IN and the .SE registries, in terms of how many domains are currently secured today. DLV, the DNSSEC Look-aside Validation technology is another story.


Having the TLD signed is one key element, but it is not the only way to actually have a DNSSEC-enabled and secured domain. DLV provides a mechanism by which domain holders can secure their domain without the need for the root of their domain to actually be signed.

The DLV effort is led by the ISC (Internet Systems Consortium), the same vendor that leads the effort behind the widely-deployed BIND DNS server.

According to Suzanne Woolf, strategic partnerships manager at ISC, there are over 850 zones active on DLV. That number, however, might not represent the full extent of DNSSEC-secured users that ISC enables.

Woolf noted that the question of how many customers and users ISC currently supports for DNSSEC is a rather tough question to answer.

"All of ISC's DNS services are DNSSEC-capable," Woolf told InternetNews.com. "For instance, we have signed isc.org. Customers of the Hosted@ program running their zone within isc.org or within our address space, get DNSSEC whether they know it or not."

The Hosted@ISC effort provides hosting for some of the top open source efforts, including Mozilla, FreeBSD and kernel.org, the official Linux kernel repository.

Additionally, BIND itself has been DNSSEC-complaint as a DNS server since at least 2004 with the BIND 9.3 release. The upcoming BIND 9.7 release will further help to expedite DNSSEC adoption, according to Woolf.

"BIND 9.7 is called the 'DNSSEC Usability release' internally as that is the primary focus of development," Woolf said.

Woolf added that below that DNSSEC can be fairly complicated technology and that tools are need to help make DNSSEC administration easier.

"DNS software and hosting companies will eventually embed signing utilities in their applications or platforms so as to make DNSSEC easy," Woolf said. "BIND 9.7, targeted for release in October or November, is an example of a step in that direction."

While the actual numbers of DNSSEC-secured domains today are still relatively low in comparison to the total volume of domains available, backers of DNSSEC see its adoption as inevitable.

"Anyone that wants to provide assurance for people visiting their Web site, or sending and receiving e-mail, or doing any other form of Internet-based interaction, should move toward using DNSSEC," .org's Price said. "We expect that in the future, DNSSEC will become an integral part of the domain name registration process."

Article courtesy of InternetNews.com.

Tags: open source, Linux, services, Mozilla, e-Mail

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.