The hard part of DNS security lies beyond the next deadline

After agencies sign address records, key management and securing the Internet's root zone will remain challenges

DNS Security clockWith six months remaining until the deadline for agencies to digitally sign their Domain Name System address records, deployment of DNS Security Extensions remains a work in progress.

“We’ve been working in this space for six or seven years,” developing standards and guidelines for DNSSEC implementation, said Doug Montgomery, manager of the National Institute of Standards and Technology’s Internet and Scalable Systems Metrology Group. “The technology is out there to get it done.”

However, implementing DNSSEC on a large scale remains a challenge — the job doesn’t end with the end-of-the-year deadline, even if agencies do meet it.

“The one complicated part that nobody has a solution for now is key management,” said Branko Miskov, director of product management at BlueCat Networks, a company that does IP address management. “That is the big stumbling block.”

Contributions to the progress of DNSSEC deployment include the signing of the dot-gov generic top-level domain in February, signing of the dot-org zone in June, and efforts by NIST and the National Telecommunications and Information Administration, the Internet Corporation for Assigned Names and Numbers and VeriSign to come up with a practical scheme for deploying DNSSEC in the Internet’s authoritative root zone. NIST also has set up a test bed, the Secure Naming Infrastructure Pilot, to help vendors and agencies test and evaluate products that can help automate DNSSEC deployment and management.

Activity at the top tier of the Internet’s DNS is only part of the first step in deploying DNSSEC. It also must be deployed in the zones for lower tiers, and DNS servers must then use the signatures to validate queries and requests.

DNS translates easy-to-understand names, such as GSA.gov, into the numerical strings that constitute IP addresses. It underlies most activity on the Internet, but it was not designed to provide security. As a result, this basic service is vulnerable to spoofing and manipulation, which could allow hackers to redirect traffic to fraudulent sites.

“The downside is staggering,” said Bruce Van Nice, director of corporate marketing at Nominum. “If DNS is compromised, the Internet is compromised.”

DNSSEC has been developed to address this problem by digitally signing and authenticating DNS queries and responses. The protocols have been in the works for about 15 years, but implementation has been minimal because DNS has worked so well, and nobody wants to fix what has not appeared to be broken.

“The tendency of most network managers is not to mess with it,” Van Nice said.

In late 2006, federal information security requirements called for agencies to use DNSSEC signatures on DNS servers classified as moderate- or high-impact information systems. But because most DNS servers are classified as low-impact systems, there was little implementation in the dot-gov domain. Following disclosure last year of a serious vulnerability in the DNS protocols, the Office of Management and Budget mandated that the dot-gov top-level domain be signed in January and that agencies sign their secondary domains by the end of the year.

The General Services Administration digitally signed the dot-gov top-level domain, effectively implementing DNSSEC throughout the top tier of the federal Internet space, Feb. 28, a month after the original deadline, because GSA officials found during testing that an additional feature was needed in the DNSSEC software. The next step is for agencies to begin deploying DNSSEC within their second-level domains, such as GSA.gov, by the end of the year.

“Most agencies are moving pretty fast on this,” Miskov said. But as to making the year-end deadline for signing their domains, “I think it’s going to be tough” because of the complexity of many of the environments.

Long, winding road

Globally, deployment of DNSSEC is beginning to pick up steam but full implementation remains years away. According to a survey earlier this year of network operators by the European Network and Information Security Agency, 78 percent of operators either have deployed or have plans to deploy DNSSEC services within the next three years. But the survey concluded that DNSSEC still is at the beginning of deployment and that there is a lack of tools and policies.

The difficulty is not in signing the address data within the domains but with managing keys.

“The basic act of signing the authoritative zone is easy,” Montgomery said. “Most people could do it in an afternoon, if they wanted to.”

“That’s the easiest part to tackle,” Miskov agreed. Tools such as the latest version of BlueCat’s Proteus IP address management product automate the process. “All I have to do is generate a couple of keys, mark that zone for publishing, and push.”

But that is only half of the task. Once a zone is signed, servers requesting addresses have to be DNSSEC aware and must have access to a key to verify the digital signatures for the process to work. Implementing and managing key policies — the strength of the keys to be used, the length of time they remain valid, and production of new keys on schedule — can be a complex job. Obtaining keys from a trusted source also can be complex.

Down to the roots

Plans for deploying DNSSEC at the authoritative root zone will help to simplify this challenge by reducing the number of trusted keys needed to verify requests and answers.

“It’s the starting point for DNS on the Internet,” Miskov said. With the Internet’s root zone signed, servers will be able to implicitly trust information underneath in the DNS hierarchy without needing to establish individual trust relationships with each of the top-level domains. Instead of managing 20 keys and replacing them when they expire, one trusted key will suffice.

NIST and NTIA are working with ICANN and VeriSign to achieve that by year’s end. NTIA and the Homeland Security Department are collaborating to evaluate architectural alternatives for signing the root, with the help of industry. Although the effort was formally announced in June, the work has been going on since at least last year, and the deadline is not new, Montgomery said.

“That milepost was out there for a while,” he said.

But the global reach of the Internet is complicating the process. Although the United States originally developed the Internet and Congress and the Commerce Department retain indirect oversight of its management, there is no real single point of control for the infrastructure, and many countries remain suspicious of U.S. intentions, a Commerce official said.

Diplomacy is playing as large a part as technology in DNSSEC deployment in the authoritative root zone, the official said, and the process is moving forward at a glacial pace.

Going automatic

On the technical side, the U.S. government is encouraging the development and testing of interoperable tools to automate the complex parts of deployment. The Secure Naming Infrastructure Pilot (SNIP) is a test bed infrastructure set up by NIST and DHS to let vendors demonstrate tools for implementing DNSSEC.

“People are coming out with clever products to allow you to get this done,” Montgomery said. “There are some quite strong products.”

It also gives network administrators experience with managing a signed DNS zone on a live network. SNIP provides an ongoing, persistent test bed and training infrastructure as opposed to a one-shot workshop or demonstration.

SNIP provides a test domain on which participants can mirror their current DNS operations and learn what effect DNSSEC will have on those operations and on the performance of DNS servers themselves. For a test bed, NIST maintains a SNIP domain, www.dnsops.gov, to provide signed DNS zones for government users.

Contractors that want to participate but that do not qualify for the dot-gov domain can use a separate SNIP domain maintained at www.dnsops.biz. The domains are hosted on the same servers, which have standard IPv4 connectivity and an IPv6-enabled connection to the Internet2 research and education network, so that signed zones can be reached through either version of the Internet protocols.

Implementing DNSSEC in the dot-gov domain is an important step toward securing DNS but not adequate in itself.

“It is a non-trivial exercise to deploy it,” Van Nice said. “As we go forward with the dot-gov deployment, there is a lot to be learned. But that’s only a small part of the Internet.”

The dot-gov top-level domain has about 3,700 domains registered in it. In June, the Public Interest Registry, which manages the dot-org top-level domain, signed the dot-org zone, which is the third largest of the open top-level domains, behind dot-com and dot-net, and contains more than 7.5 million domains registered in it. During a beta test phase that is expected to last into next year, DNSSEC will be analyzed in a test bed with domains registered specifically for testing.

The dot-com domain is not expected to sign its zone until 2011, and widespread use of the security extensions among second-tier domains still is three to five years away, observers say.

“We can’t naively assume that everything is OK while the deployment is going on,” Van Nice said. “Until then, we are going to have to use other protection” to ensure the security of DNS.

Reader Comments

Mon, Jul 13, 2009 Mark Beckett Greenwood Village, Colorado

In this article, Branko Miskov is quoted as saying: “The one complicated part that nobody has a solution for now is key management.” While I agree with Branko that key management is the most complicated part of a DNSSEC deployment, I have to disagree with his quote. My own company, Secure64, has a product that automates key management. By that I mean a product that manages keys throughout their entire lifetime, including key generation, secure key storage, secure backup and recovery, key usage for zone signing and key signing, key rollover and key retirement.

Sun, Jul 12, 2009 Jeffrey A. Williams Frisco Texas

What is not in this article/informationblurb is that privately signed zones may or may not be exceptable. As one that has been working on this for some time and on DNSSEC itself for even longer, this poses a very big reliability and internal to external DNSSEC security problem.

Fri, Jul 10, 2009

www.dnsreviews.com

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above