It could be 'make or break' time for DNS security

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Despite groundwork to prepare the Internet's infrastructure for the DNS Security Extensions, adoption of DNSSEC has been disappointingly slow.

The statistics on the growing adoption of digital signatures to authenticate information from the Internet’s Domain Name System — the DNS Security Extensions (DNSSEC) – can be misleading.

“When you look at it in terms of percentage growth, it looks impressive,” said Cricket Liu, vice president of architecture at Infoblox, a network control company. The company’s sixth annual DNS survey released late last year showed a 340 percent increase in the number of digitally signed zones over 2009. “But the actual numbers are so small it amounts to no more than a rounding error.”

Only a few hundred zones — the names used in Internet URLs and e-mail addresses — have been signed, about .02 percent compared with .005 percent in 2009. Validation of the digital signatures on nearly a quarter of those zones failed due to expired signatures.

This is not to say that progress is not being made in laying the groundwork for DNSSEC. “A lot of important earth-moving is going on,” Liu said.

Related stories:

Internet security quietly reaches a milestone

DNSSEC poised to transform Internet

The Internet’s root zone was digitally signed in 2010, along with a growing number of Top Level Domains. The Internet’s largest TLD, .com, is expected to be signed this year. The growth of signed TLDs will remove many of the roadblocks to establishing the full chains of trust needed to make DNSSEC effective.

“For me, 2011 is make or break for DNSSEC,” Liu said. “The groundwork is done. Now it is incumbent upon administrators of zones to start signing them.”

Linking islands of trust

DNSSEC is important because the Internet’s Domain Name System, which associates written domains used by people with the numerical IP addresses used by computers to direct Internet traffic, is vulnerable to a variety of attacks that could block or redirect that traffic. DNSSEC was designed to protect the system with digital signatures that assure that responses to DNS queries have not been spoofed or otherwise tampered with.

Records in DNS name servers are digitally signed using public key cryptography. When a record is requested by a security aware application, the response will contain a Resource Record Signature and the DNS Public Key that can be used to authenticate the signature. A DNS resolver can use these to validate the signature and authenticate the response.

Adequate authentication can require a trusted chain of public keys, which starts by verifying the signature from a sub domain where the local record was signed, then being referred to the key for the parent domain or zone, and up eventually to the authoritative root zone. Until all of the links in this chain have been completed by the use of DNSSEC signatures and keys at all levels of all domains, users will be limited to assurances only from within the “islands of trust” formed by the completed sections of the chain.

Dot-gov security

So far, those islands where DNSSEC is being are small. One of them is the .gov Top Level Domain. The Office of Management and Budget in 2008 directed that the domain be signed by January 2009, a move that OMB called “a critical procedure necessary for broad deployment of DNSSEC.” But it was only a first step. Agencies were to have DNSSEC operational on their sub domains, such as gsa.gov, by the end of 2009. As of September 2010, little more than a third had been signed.

Part of the problem is complexity. For 20 years or more, the Domain Name System has worked without a lot of attention. Implementing digital signatures and managing the cryptographic keys securely so that DNS is not broken is a challenge, although there are a growing number of commercial products to help automate the process.

Another problem is money. During an economic downturn, money for complex security programs is scarce. Administrators are making do with what they have, and it traditionally is tough to get money for security programs because it is difficult to show a return on investment.

In the face of these challenges, the federal government, with 38 percent of its domains signed, 
still is ahead of the private sector in deploying of DNSSEC.

“In the government space there are mandates that cover this,” Liu said. “That’s a somewhat different climate” from the private sector. “I would imagine that over the next year you’ll see mandates across industry, too.”

A number of cybersecurity bills that failed to make it through the last Congress would have given the Homeland Security Department some authority for security of critical infrastructure in the private sector. If a bill with teeth in it is passed this year, DHS could require DNSSEC signing of public facing zones in this infrastructure.

But mandates would not necessarily come directly from government regulation. The Payment Card Industry’s Security Standards Council is considering including DNSSEC in its requirements for organizations that hold or process credit card information. Lawsuits from victims of fraud or identity theft could establish liability for enterprises that do not ensure the security of their transactions, and DNSSEC could become an audit requirement.

“There are a lot of potential levers” for making DNSSEC adoption an issue in 2011, Liu said.


 

NEXT STORY: NIST revises specs for automating security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.