Security wasn’t the first thing on the Internet designers’ minds when they started building the Web. Creating a federated network of computers was hard enough without having to contend with too many security issues, but these deficiencies have come back to haunt the everyday user.
One major problem area was the domain name service (DNS) needed to translate a domain name in a URL to an IP address. DNS is a distributed tree system designed so the service can be hosted near a user to provide fast, cached information to common domains. It was also designed to be able to drill down to any domain name, and there are a lot of them.
Unfortunately, there is minimal security associated with the system. Trust is the default mode of operation, so a rogue DNS server could give out incorrect information and a compromised server could redirect domain name references to a rogue server.
DNS security extensions (DNSSEC) are the response to this unwanted trust party. DNSSEC servers authenticate each other using standard encryption methods. Likewise, the hierarchical digital certificate system is used to track the authentication of domain name resolution because servers need to interact with unsecured DNS servers. This means name resolution needs to indicate not only what the IP address is, but also whether the source has been authenticated.
Developers working with TCP/IP networks, and that’s most of us, need to understand DNSSEC, in addition to utilizing DNSSEC-compliant clients. DNSSEC includes many new concepts and challenges, like the use of key rollover mechanisms for zone signing keys (ZSKs) to keep secure information up to date. DNSSEC is not just a secure link between servers.
All major operating systems support DNSSEC. It is also available for a wide variety of real-time operating systems (RTOSs) and embedded operating systems, as well as third-party TCP/IP stacks that often come with services like DNS.
Initial support may take different forms. For example, a collection of nodes with a gateway may implement DNSSEC in the gateway’s client or DNS server. The local nodes could then take advantage of the gateway and be secure if the DNS server restricts its name resolution to information obtained by authoritative DNSSEC servers.
DNSSEC has been available from the ICANN root servers for just under a year now, and it is finally being deployed by the commercial Internet service providers (ISPs) that provide the bulk of DNS services. The DNSSEC Deployment Initiative site and the DNSSEC site are places to find out more.
A bigger question will be when network hardware, especially consumer products, will include DNSSEC support. Likewise, there is the upgrade issue. Some gateways will have the capacity to support such an upgrade, but others may not. It will also be up to the vendors to supply this new code. This does not bode well for some, given the short lifetime for consumer products and even some industrial projects.
DNSSEC Deployment Initiative