It will take some time, but the Domain Name System (DNS) is on its way to being secured around the world with DNSSEC (DNS Security Extensions). A new industry consortium called the DNSSEC Industry Coalition has been formed to expedite the implementation of DNSSEC and in so doing will help to secure the Internet itself for over a billion users.
DNS is critical to the functioning of the Internet, linking IP addresses with domain names. Thanks to security researcher Dan Kaminsky, awareness of DNS and its shortcomings has been greatly elevated this year. DNSSEC is a key solution to ensuring that the DNS cache poisoning attack that Kaminsky first warned about cannot occur.
“Collaboration of this kind is how DNSSEC was developed in the first place, and it’s how BIND’s DNSSEC feature development was sponsored,” Paul Vixie, a leading authority on DNS and the founder of Internet Systems Consortium (ISC), told InternetNews.com. “Now it’s the thing I suspect a lot of IT managers are waiting for so that they can relax a little bit and see DNSSEC as non-controversial, worthy of investment.”
DNSSEC provides a form of signed verification for DNS information, which is intended to assure DNS authenticity. Vixie’s BIND DNS server has had DNSSEC capabilities since 2004, though global deployment of DNSSEC has been in the single digits due to a number of implementation-related challenges.
The new coalition will aim to identify and overcome the challenges and make DNSSEC deployment a global reality. One of the key players in the new DNSSEC coalition is VeriSign, the vendor that controls the Internet’s root domain servers for the .com and .net domains.
“We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves,” Pat Kane, vice president of naming services at VeriSign, told InternetNews.com.
The specific problem in Kane’s view is man-in-the-middle cache poisoning attacks like the one discovered by Kaminsky. The basic idea behind the attack is that DNS server responses can be tampered with to redirect end users to different sites, so a user could type in “Google.com” and be taken to a phishing site instead. With cryptographically signed DNS information from DNSSEC, a domain name would be validated to ensure authenticity.
Though DNSSEC is something VeriSign is supportive of, Kane cautioned that it is not a solution for everything that ails the Internet.
“We also want to make sure that in people’s enthusiastic rush to get DNSSEC implemented, that people understand what it is and the problems that it specifically solves,” Kane said. “It doesn’t solve phishing or malware distribution.”