It could be 'make or break' time for DNS security
Despite some progress in government, the number of signed zones is minuscule
The statistics on the growing adoption of digital signatures to authenticate information from the Internet’s Domain Name System — the DNS Security Extensions (DNSSEC) — can be misleading.
“When you look at it in terms of percentage growth, it looks impressive,” said Cricket Liu, vice president of architecture at Infoblox, a network control company. The company’s sixth annual DNS survey released late last year showed a 340 percent increase in the number of digitally signed zones over 2009. “But the actual numbers are so small it amounts to no more than a rounding error.”
Only a few hundred zones (the portions of the domain name space, such as gsa.gov, that a single organization administers) have been signed, about 0.02 percent of zones, compared with 0.005 percent in 2009. Validation of the digital signatures on nearly a quarter of those signed zones failed because the signatures had expired.
This is not to say that progress is not being made in laying the groundwork for DNSSEC. “A lot of important earth-moving is going on,” Liu said.
The Internet’s root zone was digitally signed in 2010, along with a growing number of Top Level Domains. The Internet’s largest TLD, .com, is expected to be signed this year. The growth of signed TLDs will remove many of the roadblocks to establishing the full chains of trust needed to make DNSSEC effective.
“For me, 2011 is make or break for DNSSEC,” Liu said. “The groundwork is done. Now it is incumbent upon administrators of zones to start signing them.”
Linking islands of trust
DNSSEC is important because the Internet’s Domain Name System, which maps the domain names people use to the numerical IP addresses computers use to direct Internet traffic, is vulnerable to a variety of attacks that could block or redirect that traffic. DNSSEC was designed to protect the system with digital signatures that let a resolver check that a DNS answer has not been spoofed or otherwise tampered with.
Records in DNS name servers are digitally signed using public key cryptography. When a DNSSEC-aware resolver asks for a record, the response carries a Resource Record Signature (RRSIG) over the answer; the resolver fetches the zone’s DNS Public Key (DNSKEY) record and uses it to check the signature and so authenticate the response.
A signature alone proves only that the answer came from whoever holds that key; the resolver also needs assurance that the key really belongs to the zone. That assurance comes from a chain of trust. A parent zone publishes a Delegation Signer (DS) record, a hash of the child zone’s key, and signs it with the parent’s own key; the parent’s key is vouched for in the same way by its parent, and so on up to the root zone, whose key the resolver holds as a preconfigured trust anchor. Until every link in that chain has been completed with DNSSEC keys and signatures at every level, a resolver can validate only names inside the “islands of trust” formed by the completed sections of the chain, and only if it has been configured with a trust anchor for that island.
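The chain-of-trust walk described above, as an added example that is not code from the article or from any DNSSEC implementation. It constructs three toy zones, root, gov. and gsa.gov., has each sign its own DNSKEY record and the DS record of its child, and then validates an A record for www.gsa.gov. from a root trust anchor. The key tag and DS digest follow RFC 4034; the RRSIG layout is simplified, and the signature algorithm is textbook RSA on Mersenne primes so that the file runs on the Python standard library alone (it is not secure and only stands in for the RSA or ECDSA algorithms real DNSSEC uses). It also shows the two failure modes the article mentions, an expired signature and a spoofed answer, and validation inside an “island of trust” from a locally configured anchor. All names, keys, addresses and the fixed clock are constructed for the example.

```python
"""Toy DNSSEC chain-of-trust walk (added example, not the article's code; needs Python 3.8+).
Signatures use textbook RSA on Mersenne primes so this runs on the standard library alone;
that is NOT secure and only stands in for the RSA/ECDSA algorithms real DNSSEC uses.
The RRSIG layout is simplified; zone names, keys and records are constructed."""
import hashlib
import struct

E = 65537  # RSA public exponent
ONE_DAY = 86400

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

class ToyKey:
    """Textbook RSA; p and q are Mersenne primes (2**k - 1), trivially factorable, toy only."""
    def __init__(self, p, q):
        self.n, self.d = p * q, pow(E, -1, (p - 1) * (q - 1))
    def sign(self, digest):
        return pow(int.from_bytes(digest, "big"), self.d, self.n)
    def dnskey_rdata(self):
        # flags 257 = zone key + secure entry point, protocol 3, algorithm 8 (RSA/SHA-256 code point)
        return struct.pack("!HBB", 257, 3, 8) + self.n.to_bytes((self.n.bit_length() + 7) // 8, "big")

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B): 16-bit word sum with the carry folded in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4034): SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def covered_digest(signer, inception, expiration, owner, rtype, rdatas):
    """Hash of what an RRSIG covers: validity window, signer name and the canonical (sorted) RRset."""
    return hashlib.sha256(struct.pack("!II", inception, expiration) + wire_name(signer)
                          + wire_name(owner) + rtype.encode() + b"".join(sorted(rdatas))).digest()

def make_rrsig(key, signer, owner, rtype, rdatas, inception, expiration):
    """Sign one RRset; signer, key tag and window travel with the signature, as in a real RRSIG."""
    return {"signer": signer, "key_tag": key_tag(key.dnskey_rdata()), "inception": inception,
            "expiration": expiration,
            "sig": key.sign(covered_digest(signer, inception, expiration, owner, rtype, rdatas))}

def verify_rrsig(rrsig, dnskey_rdata, owner, rtype, rdatas, now):
    """Return None if the RRSIG verifies under this DNSKEY at time `now`, else why it fails."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return "signature outside validity window"
    if rrsig["key_tag"] != key_tag(dnskey_rdata):
        return "RRSIG key tag does not match DNSKEY"
    n = int.from_bytes(dnskey_rdata[4:], "big")  # public key follows the 4-byte DNSKEY header
    digest = covered_digest(rrsig["signer"], rrsig["inception"], rrsig["expiration"], owner, rtype, rdatas)
    return None if pow(rrsig["sig"], E, n) == int.from_bytes(digest, "big") else "bad signature"

def build_chain(now, leaf_expiration=None):
    """Constructed zones root -> gov. -> gsa.gov.; each signs its own DNSKEY and its child's DS.
    Returns (zones, leaf A RRset with its RRSIG, trust anchor = DS form of the root key)."""
    keys = {".": ToyKey(2**521 - 1, 2**127 - 1), "gov.": ToyKey(2**607 - 1, 2**107 - 1),
            "gsa.gov.": ToyKey(2**1279 - 1, 2**89 - 1)}
    names, zones = list(keys), []
    for i, name in enumerate(names):
        rdata = keys[name].dnskey_rdata()
        zone = {"name": name, "dnskey": rdata, "dnskey_sig": make_rrsig(
            keys[name], name, name, "DNSKEY", [rdata], now - 3600, now + ONE_DAY)}
        if i + 1 < len(names):  # publish and sign the DS record that delegates to the child zone
            child = names[i + 1]
            zone["child"], zone["child_ds"] = child, ds_digest(child, keys[child].dnskey_rdata())
            zone["ds_sig"] = make_rrsig(keys[name], name, child, "DS", [zone["child_ds"]],
                                        now - 3600, now + ONE_DAY)
        zones.append(zone)
    leaf = {"owner": "www.gsa.gov.", "rtype": "A", "rdatas": [bytes([192, 0, 2, 10])]}  # TEST-NET-1
    leaf["sig"] = make_rrsig(keys["gsa.gov."], "gsa.gov.", leaf["owner"], "A", leaf["rdatas"],
                             now - 3600, now + ONE_DAY if leaf_expiration is None else leaf_expiration)
    return zones, leaf, ds_digest(".", keys["."].dnskey_rdata())

def validate(zones, leaf, trust_anchor, now):
    """Walk from the trust anchor down to the leaf RRset; None means every link held."""
    expected_ds = trust_anchor
    for zone in zones:
        name, rdata = zone["name"], zone["dnskey"]
        if ds_digest(name, rdata) != expected_ds:
            return "DNSKEY of %s does not match the DS held for it" % name
        err = verify_rrsig(zone["dnskey_sig"], rdata, name, "DNSKEY", [rdata], now)
        if err:
            return "DNSKEY RRset of %s: %s" % (name, err)
        if "child" in zone:  # the parent's signed DS is the link to the next zone down
            err = verify_rrsig(zone["ds_sig"], rdata, zone["child"], "DS", [zone["child_ds"]], now)
            if err:
                return "DS for %s: %s" % (zone["child"], err)
            expected_ds = zone["child_ds"]
    err = verify_rrsig(leaf["sig"], zones[-1]["dnskey"], leaf["owner"], leaf["rtype"], leaf["rdatas"], now)
    return "%s: %s" % (leaf["owner"], err) if err else None

if __name__ == "__main__":
    now = 1_300_000_000  # fixed clock so the run is reproducible
    zones, leaf, anchor = build_chain(now)
    print("full chain from root:", validate(zones, leaf, anchor, now))
    print("island with a local gsa.gov. anchor:", validate(zones[2:], leaf, zones[1]["child_ds"], now))
    print("expired RRSIG:", validate(zones, build_chain(now, leaf_expiration=now - 1)[1], anchor, now))
    leaf["rdatas"] = [bytes([198, 51, 100, 1])]  # spoofed answer: signature no longer matches
    print("tampered A record:", validate(zones, leaf, anchor, now))
```

The island case is the situation the article describes: a resolver that holds a locally configured trust anchor for gsa.gov. validates that zone’s records even if gov. or the root were not signed, but nothing outside the island. The expired case reproduces the survey’s most common validation failure, and it is why a validating resolver with a wrong clock will also reject perfectly good data.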
So far, the islands where DNSSEC is being deployed are small. One of them is the .gov Top Level Domain. The Office of Management and Budget in 2008 directed that the domain be signed by January 2009, a move that OMB called “a critical procedure necessary for broad deployment of DNSSEC.” But it was only a first step. Agencies were to have DNSSEC operational on their sub domains, such as gsa.gov, by the end of 2009. As of September 2010, little more than a third had been signed.
Part of the problem is complexity. For 20 years or more, the Domain Name System has worked without a lot of attention. Implementing digital signatures and managing the cryptographic keys securely so that DNS is not broken is a challenge, although there are a growing number of commercial products to help automate the process.
Another problem is money. During an economic downturn, money for complex security programs is scarce. Administrators are making do with what they have, and it traditionally is tough to get money for security programs because it is difficult to show a return on investment.
In the face of these challenges, the federal government, with 38 percent of its domains signed, still is ahead of the private sector in deploying DNSSEC.
“In the government space there are mandates that cover this,” Liu said. “That’s a somewhat different climate” from the private sector. “I would imagine that over the next year you’ll see mandates across industry, too.”
A number of cybersecurity bills that failed to make it through the last Congress would have given the Homeland Security Department some authority over the security of privately owned critical infrastructure. If a bill with teeth in it is passed this year, DHS could require DNSSEC signing of the public-facing zones in that infrastructure.
But mandates would not necessarily come directly from government regulation. The Payment Card Industry’s Security Standards Council is considering including DNSSEC in its requirements for organizations that hold or process credit card information. Lawsuits from victims of fraud or identity theft could establish liability for enterprises that do not ensure the security of their transactions, and DNSSEC could become an audit requirement.
“There are a lot of potential levers” for making DNSSEC adoption an issue in 2011, Liu said.