Performance hit could be the price of DNS security
As .com comes on board, signed zones likely to take off but performance trade-off looms
- By William Jackson
- Jan 26, 2011
Recent security fixes to the Domain Name System have bought the Internet community time to implement a more permanent solution in the form of the DNS Security Extensions, but the job of putting the protocols into place has only begun, said one industry observer. And when DNS zones are signed securely, there will likely be a trade-off in performance.
A study by Infoblox, which makes network management automation tools, showed a fourfold increase in the number of digitally signed zones from 2009 to 2010, said Vice President of Architecture Cricket Liu. But that still amounted to only 0.022 percent of zones that had been signed with DNSSEC.
Implementing DNSSEC to ensure that IP address information received in response to DNS queries is legitimate is complicated by two factors. First, the system requires a chain of trust for validating digital signatures, which means they will not work unless the protocols are enabled on a substantial portion of the Internet. Fortunately, the root zone at the top of the DNS hierarchy has been signed, and a number of top-level domains immediately under it have also been signed.
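The chain of trust Liu describes is built from DS records: the parent zone (the root, .com) publishes a hash of the child's DNSKEY, and a validating resolver accepts the child's key only if that hash matches. The following added example (not from the article or from Infoblox) computes and checks that link offline per RFC 4034, using a constructed placeholder key rather than a real one:

```python
import base64
import hashlib

# Constructed DNSKEY for a hypothetical child zone: flags 257 (zone key + SEP),
# protocol 3, algorithm 8 (RSA/SHA-256). The key bytes are a placeholder, not a real key.
SAMPLE_OWNER = "example."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY_B64 = "AQIDBA=="          # base64 of bytes 01 02 03 04

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest type codes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """16-bit key tag (RFC 4034 Appendix B) that DS and RRSIG records use to name a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Digest the parent publishes in its DS record: hash(owner wire name || DNSKEY RDATA)."""
    return hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner: str, ds_text: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """Verify one chain-of-trust link. ds_text is DS presentation format
    'keytag algorithm digesttype hexdigest'. False means the parent's DS does not
    vouch for this DNSKEY, so a validating resolver would treat the zone as bogus."""
    tag, alg, dtype, digest = ds_text.split()
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and digest.upper() == ds_digest(owner, rdata, int(dtype)))


def sample_ds() -> str:
    """DS record the parent (e.g. .com) would publish for the constructed sample key."""
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, base64.b64decode(SAMPLE_PUBKEY_B64))
    return f"{key_tag(rdata)} {SAMPLE_ALG} 2 {ds_digest(SAMPLE_OWNER, rdata)}"


if __name__ == "__main__":
    ds = sample_ds()
    print("DS:", ds)
    print("matches:", ds_matches_dnskey(SAMPLE_OWNER, ds, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64))
```

Any change to the child's key material or flags changes both the key tag and the digest, which is why a key rollover is not complete until the parent publishes the new DS.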
“The last big domino to fall is going to be .com, which is scheduled to be signed in March,” Liu said Jan. 25 during a talk in Washington. “This is the year of no excuses because .com is signed this year.”
But the remaining problem is that DNSSEC complicates what until now has been a transparent address resolution process.
“This doesn’t come without a cost,” Liu said. The process will require new records, a validation procedure and key management. “By signing your zones, they are going to be a lot bigger. You will also see the computational resources needed for validation go up.”
Getting a validated response to a DNS query could require seven times as much traffic as it does now if there is no cached data for a name server to rely on. “That’s the worst-case scenario,” Liu said. “You won’t see that all of the time.” But DNS response times could be slowed by as much as 25 percent overall, and DNSSEC will definitely test firewalls, which might not be configured to accept the larger messages, Liu added.
DNSSEC is an imperative because the Internet’s Domain Name System, which associates the written domains used by people with the numerical IP addresses used by computers to direct Internet traffic, is vulnerable to a variety of attacks that could block or redirect that traffic. DNSSEC was designed to protect the system with digital signatures that ensure that responses to DNS queries have not been spoofed or otherwise tampered with.
For years, DNSSEC has been a solution in search of a problem, Liu said. But recent vulnerabilities and exploits finally made the problem worse than the solution, so there is a wide-scale move to implement the protocols.
In 2008, the Office of Management and Budget directed the government to deploy DNSSEC within the .gov top-level domain in 2009, and agencies were to have DNSSEC operational within their zones by the end of that year. But as of today, only 345 of several thousand federal .gov domains have been signed, according to the dnsops.gov website.
Help in implementing and managing DNSSEC is being provided on a number of fronts. Within government, the National Institute of Standards and Technology has published recommendations in the "Secure DNS Deployment Guide" (Special Publication 800-81 Revision 1). Commercial vendors are also offering a variety of tools to help automate the DNSSEC signing and key management processes.
William Jackson is a Maryland-based freelance writer.