    NTIA explores challenges to widespread deployment of DNSSEC

    The Commerce Department's National Telecommunications and
    Information Administration, which handles development of U.S.
    telecommunications policy, is seeking public comment on the
    possible deployment of DNS Security Extensions across the
    Internet.


    In a notice of inquiry, the agency asked for comments on challenges to
    widespread deployment of DNSSEC. The extensions have been developed
    to address vulnerabilities in the Domain Name System, which
    associates domain names with IP addresses so that requests for
    information can be processed and routed across the Internet.


    Because the accuracy, integrity and availability of the
    information supplied by DNS are essential to the operation of
    services and applications that use the Internet, 'the
    department remains committed to preserving the security and
    stability of the DNS and is exploring the implementation of DNSSEC
    in the DNS hierarchy, including at the authoritative root zone
    level,' the announcement states.


    Vulnerabilities have been discovered that allow spoofing or
    forging of DNS information, which in turn can allow malicious users
    to misdirect Internet traffic. Those vulnerabilities can be serious
    because DNS is a basic component of most Internet activities.


    DNSSEC uses public-key cryptography and a hierarchy of digital
    signatures to provide authentication of the source and integrity of
    information stored in DNS. It is designed to offer protection
    against spoofed data by validating DNS data, ensuring its integrity
    and authenticating denials of a domain's existence. However,
    the protocols do not provide universal security. They do not
    encrypt or ensure confidentiality for the DNS data or protect it
    from denial-of-service attacks or other attacks against name
    servers.


    DNSSEC is an opt-in technology that is designed for deployment
    in discrete zones within the DNS infrastructure without requiring
    deployment elsewhere. Because of that, implementation has been
    spotty. The U.S. government has mandated that agencies begin using
    DNSSEC in the .gov top-level domain, and the operators of the .org
    generic top-level domain have also announced intentions to use it.
    A handful of country top-level domain operators have deployed it,
    including Sweden (.se), Puerto Rico (.pr), Bulgaria (.bg) and
    Brazil (.br).


    Nevertheless, 'to realize the greatest benefits from
    DNSSEC, there needs to be an uninterrupted chain of trust from the
    zones that choose to deploy DNSSEC back to the root zone,'
    the NTIA announcement states.


    Ubiquitous deployment of DNSSEC would require action by a broad
    range of organizations, including domain name registrars, top-level
    domain registry operators, the operators or managers of subdomains
    and enterprise networks, Internet service providers, and software
    vendors. The actions would include developing special software,
    configuring servers to support DNSSEC and directing users'
    systems to look for the authenticating signatures.


    NTIA is seeking comments on questions associated with general
    deployment of DNSSEC, including:



    • What alternatives should be considered to combat cache
      poisoning and similar attacks before or in conjunction with
      consideration of signing the root?

    • What are the advantages and/or disadvantages of DNSSEC compared
      with other possible security measures?

    • What factors impede widespread deployment of DNSSEC?

    • What additional steps are required to facilitate broader DNSSEC
      deployment and use, including end-user education?


    Comments are due by Nov. 24 and can be e-mailed to DNSSEC@ntia.doc.gov, faxed
    to 202-482-1865 or mailed to Fiona Alexander, Associate
    Administrator, Office of International Affairs, National
    Telecommunications and Information Administration, U.S. Department
    of Commerce, 1401 Constitution Avenue, N.W., Room 4701, Washington
    DC 20230. Comments will be posted on NTIA's Web site.
