DNSSEC's early adopters provide test beds for others
In anticipation of widespread adoption, .edu and .org offer valuable lessons
Two early adopters of the DNS Security Extensions were the .edu and .org generic top-level domains, which have been using DNSSEC on a limited basis to provide real-world experience with the protocol.
Some of the test beds have been operating for years.
“We deployed DNSSEC first back in 2006” for a research network, said Shumon Huque of the University of Pennsylvania. It was deployed throughout the university in summer 2009, using homegrown tools for signing and key management.
Louisiana State University signed its first test zone in 2008 and has been experimenting with various tools and signing algorithms, said LSU’s Anthony Iliopoulos. The .edu test beds were integrated in fall and winter 2009, and the domain expects to begin offering verifiable signed DNS records this summer, after the Internet root zone publishes its trust anchor, the root’s public signing key, from which validating resolvers build the chain of trust down to .edu and the zones beneath it. The signed root zone was rolled out to the 13 root servers this winter and spring.
The .edu top-level domain was a good candidate for testing because it is a relatively small domain with one registrar, Educause, with many users in the research and education community. Challenges included the need to strengthen technical understanding of the protocol and document best practices for key management and rollover, said Rodney Petersen, director of Educause’s cybersecurity initiative.
“Implementing DNSSEC adds complexity to management of the Domain Name System,” said Joe Waldron, director of product management at VeriSign, .edu’s registry operator.
Dealing with that complexity requires tools to automate the processes. “There are companies that have been developing the capability for DNSSEC for years,” Waldron said. Standards have been defined, and hardware, software and service offerings are available. “There is still a challenge in education and experience” for users, he said. “But the tools are fairly mature.”
The .org zone was signed with DNSSEC in June 2009, and its operators have provided their insights to government planners, including advice on protocols for minimizing computational overhead; processes for rolling over, distributing and securing cryptographic signing keys; and warning about a possible increase in bandwidth demand when DNSSEC is in use.
The .org domain is the third largest of the generic top-level domains, behind .com and .net, with more than 7.5 million registered domains. The Public Interest Registry implemented DNSSEC in a test environment for 18 live domains.
One concern is the choice of NextSECure (NSEC) records, the DNSSEC records that prove a requested name does not exist. There are two schemes for accomplishing that. An NSEC record proves nonexistence by naming the two existing names that bracket the missing one in the zone’s sorted order. Because each such answer reveals real names, anyone can chain a series of queries together and discover the entire contents of a zone, a technique known as zone walking. NSEC3 avoids that by returning cryptographic hashes of the neighboring names instead of the names themselves. But computing those hashes adds overhead to every negative answer, which is feasible for a domain such as .org. The root zone, where more than 90 percent of queries are for nonexistent names, could be swamped by the computations.
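The trade-off described above can be seen in a few dozen lines. The following Python is an added example, not code from the article or from any of the registries it quotes: it builds a toy zone (the names, salt and iteration count are constructed for illustration), walks its NSEC chain the way an attacker would, and then shows that the NSEC3 answer for the same missing name carries only hashed owner names while costing the server iterations + 1 SHA-1 computations per query. The one real value is the RFC 5155 Appendix A hash of “example.”, kept as a self-check of the hashing routine.

```python
"""NSEC vs NSEC3 denial of existence on a constructed toy zone.

NSEC: the NXDOMAIN answer names the two real zone names that bracket the
missing one, so an attacker can walk the whole zone.
NSEC3: the answer carries only base32hex(SHA-1 chain) of those names, at
the cost of (iterations + 1) hashes of the query name per negative answer.
"""
import base64
import hashlib
from bisect import bisect_left

# Constructed toy zone: apex "example." plus a handful of names.
ZONE_NAMES = ["example.", "ns1.example.", "a.example.", "ai.example.",
              "w.example.", "x.w.example.", "*.w.example."]
SALT_HEX = "aabbccdd"   # salt and iteration count as in RFC 5155 Appendix A
ITERATIONS = 12


def canonical_key(name: str):
    """RFC 4034 section 6.1 canonical ordering: compare labels starting
    from the one nearest the root, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_chain(names):
    """Build the NSEC chain: each owner points at the next name in
    canonical order, and the last name wraps around to the apex."""
    ordered = sorted(names, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)]
            for i in range(len(ordered))}


def nsec_deny(chain, qname):
    """The NSEC (owner, next) pair a server sends to prove qname does not
    exist: the last existing name before qname and its successor. Both are
    real zone contents."""
    ordered = sorted(chain, key=canonical_key)
    keys = [canonical_key(n) for n in ordered]
    i = bisect_left(keys, canonical_key(qname)) - 1  # -1 wraps to last name
    owner = ordered[i]
    return owner, chain[owner]


def walk_nsec(chain, apex):
    """Zone walking as an attacker does it: ask for a name that sorts just
    after the last name learned (a leading NUL label), read the 'next'
    field from the NSEC in the NXDOMAIN reply, and repeat until it wraps."""
    found, cur = [apex], apex
    while True:
        _owner, nxt = nsec_deny(chain, "\x00." + cur)
        if nxt == apex:
            return found
        found.append(nxt)
        cur = nxt


def wire_name(name: str) -> bytes:
    """DNS wire format of a name, lowercased: length-prefixed labels and a
    terminating zero byte (the form RFC 5155 hashes)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


# Map Python's RFC 4648 base32 alphabet onto base32hex (0-9, A-V).
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(x || salt) applied iterations + 1 times,
    then base32hex without padding. Returned lowercased."""
    salt = bytes.fromhex(salt_hex)
    digest = wire_name(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).rstrip("=").lower()


def nsec3_deny(names, qname, iterations=ITERATIONS):
    """The covering NSEC3 (hashed owner, hashed next) pair for a missing
    qname, plus the number of SHA-1 calls the server spent on qname.
    Neither returned field is a real name."""
    hashed = sorted(nsec3_hash(n, iterations=iterations) for n in names)
    h = nsec3_hash(qname, iterations=iterations)
    i = bisect_left(hashed, h) - 1
    return hashed[i], hashed[(i + 1) % len(hashed)], iterations + 1


if __name__ == "__main__":
    chain = nsec_chain(ZONE_NAMES)
    print("NSEC answer for b.example.:", nsec_deny(chain, "b.example."))
    print("walked zone:", walk_nsec(chain, "example."))
    print("NSEC3 answer for b.example.:", nsec3_deny(ZONE_NAMES, "b.example."))
```

The NSEC walk recovers every name from nothing but negative answers; the NSEC3 answer for the same query yields two 32-character hashes and 13 SHA-1 calls on the server side for one query, which is the per-query cost the root zone operators were worried about multiplying across a mostly-NXDOMAIN workload. NSEC3 raises the bar rather than removing it: whoever collects the hashed owner names can still hash a wordlist offline and match.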