DNSSEC poised to transform Internet
Black Hat panel says deployment will be wide enough in six months to support new services
LAS VEGAS—The signing this month of the Internet's Domain Name System root zone with digital signatures was the culmination of two years of intense effort to encourage deployment of the DNS Security Extensions. The effort will begin to bear fruit in the next 12 to 18 months, a panel of security experts said Wednesday at the Black Hat Briefings.
“Is the Intenet safe? No,” said Rod Beckstrom, president and chief executive officer of the Internet Corporation for Assigned Names and Numbers. “But this means it can become much safer.”
DNSSEC is a set of security protocols for digitally signing information in the Domain Name System, adding an essential layer of security to online activities.
Wthin six months, half of the domains under the top-level domains that have been signed with DNSSEC will be digitally signed, and best practices for deploying and managing the protocols will be established, the panel predicted. At that point, new applications and services will begin to proliferate, they said.
So far, 10 of 270 top-level domains, including .gov, have been signed. But a lot of work remains to make DNSSEC universal.
“We are at the first wave of the DNSSEC deployment,” said Dan Kaminsky, chief scientist for Recursion Ventures. Kaminsky two years ago publicly disclosed an easily exploited vulnerability at the Black Hat Briefings that helped to spur interest in DNSSEC. He is also one of the seven people ICANN chose to trust to restore the Internet in the event of a major attack.
Tools and services for deploying and managing DNSSEC are now available and improving, he said. But the consensus of the panel was that tools still have to get better.
"Make it dead simple,” said Mark Weatherford, president and CEO of the North American Electric Reliability Corp.
Kaminsky said he would be releasing at Black Hat "a lot of code," including end-to-end client-to-server software for DNSSEC.
Ken Silva, chief technology officer of VeriSign, which helps to operate the Internet's root zone servers, advised organizations implementing DNSSEC not to overdo it, but to advance cautiously. “If DNS doesn't work, the Internet doesn't work,” he said.
But organizations should begin planning now in order to take advantage of the benefits that will come from having an inherently secure messaging system in the DNS. “Once you get a working mechanism, people prod it to do things that weren't expected before,” said Whitfield Diffy, cryptography pioneer and vice president of information assurance for ICANN.