DNSSEC poised to transform Internet

Black Hat panel says deployment will be wide enough in six months to support new services

LAS VEGAS—The signing this month of the Internet's Domain Name System root zone with digital signatures was the culmination of two years of intense effort to encourage deployment of the DNS Security Extensions. The effort will begin to bear fruit in the next 12 to 18 months, a panel of security experts said Wednesday at the Black Hat Briefings.

“Is the Internet safe? No,” said Rod Beckstrom, president and chief executive officer of the Internet Corporation for Assigned Names and Numbers. “But this means it can become much safer.”

DNSSEC is a set of security protocols for digitally signing information in the Domain Name System, adding an essential layer of security to online activities.

Within six months, half of the domains under the top-level domains that have been signed with DNSSEC will be digitally signed, and best practices for deploying and managing the protocols will be established, the panel predicted. At that point, new applications and services will begin to proliferate, they said.

So far, 10 of 270 top-level domains, including .gov, have been signed. But a lot of work remains to make DNSSEC universal.

“We are at the first wave of the DNSSEC deployment,” said Dan Kaminsky, chief scientist for Recursion Ventures. Kaminsky two years ago publicly disclosed an easily exploited vulnerability at the Black Hat Briefings that helped to spur interest in DNSSEC. He is also one of the seven people ICANN chose to trust to restore the Internet in the event of a major attack.

Tools and services for deploying and managing DNSSEC are now available and improving, he said. But the consensus of the panel was that tools still have to get better.

“Make it dead simple,” said Mark Weatherford, president and CEO of the North American Electric Reliability Corp.

Kaminsky said he would be releasing at Black Hat “a lot of code,” including end-to-end client-to-server software for DNSSEC.

Ken Silva, chief technology officer of VeriSign, which helps to operate the Internet's root zone servers, advised organizations implementing DNSSEC not to overdo it, but to advance cautiously. “If DNS doesn't work, the Internet doesn't work,” he said.

But organizations should begin planning now in order to take advantage of the benefits that will come from having an inherently secure messaging system in the DNS. “Once you get a working mechanism, people prod it to do things that weren't expected before,” said Whitfield Diffie, cryptography pioneer and vice president of information assurance for ICANN.

About the Author

William Jackson is a Maryland-based freelance writer.
