DNSSEC – Implementation Looks Promising

March 11, 2010 – Experts in the DNS industry are very optimistic about the deployment of DNSSEC in the near future. DNSSEC will be able to prevent security threats such as cache poisoning, which allows a hacker to manipulate DNS information. As an example, a hacker could redirect bank.com to an IP address of their choosing, then point users to a site that looks just like bank.com and gather users' account information. This is just one example of what can be done with DNS today. DNSSEC could prevent these things from happening by using cryptographic keys and signatures to verify the authenticity and source of a domain name's records. This deployment could also open up new services surrounding security.

Dan Kaminsky, director of penetration testing services for IOActive Inc., is one of the main contributors in opening up discussion on DNSSEC. In 2008, Kaminsky discovered one of the biggest security threats the Internet has ever seen: a serious weakness in the DNS algorithms, which he helped fix by adding randomness beyond the 16-bit DNS transaction ID. Initially, the odds of a malicious cache poisoning attempt succeeding were about 1 out of 65,000. Kaminsky's fix has now made this about 1 in 2 billion. However, according to Kaminsky this is really only a "band-aid" for the problem: the faster web traffic becomes, the easier it will be for hackers to beat the odds. He believes that if DNSSEC had been deployed a while ago, this wouldn't have been as big of an issue. According to Kaminsky, users will not notice when DNSSEC is deployed. When there is a request for a website, the name server checks for a valid signature and public key to verify that the answer came from a valid source.
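The check described above, as a simplified Go model written for this page (it is example code, not anything from Kaminsky, IOActive or the original article): the zone signs the canonical wire form of an A RRset, and a validating resolver verifies the published signature against the zone's public key, so a response whose IP address was swapped, as in the bank.com scenario, fails to validate. It assumes ECDSA P-256 (DNSSEC algorithm 13) with ASN.1-encoded signatures instead of the raw r||s encoding real DNSSEC publishes, and leaves out key tag computation and the chain of trust from the zone key up to the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"strings"
)

// ARecord is one A record; DNSSEC signs the whole RRset (all records of one name and type), never one record.
type ARecord struct{ Owner string; TTL uint32; IP [4]byte }
// RRSIG holds the RRSIG RDATA fields (RFC 4034 s3.1) other than the signature bytes themselves.
type RRSIG struct{ Expiration, Inception uint32; KeyTag uint16; Signer string }
// NewZoneKey makes a P-256 key pair, the key type DNSSEC algorithm 13 (ECDSAP256SHA256) uses.
func NewZoneKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// wireName encodes a name in lowercase wire format, the canonical form RFC 4034 s6.2 requires.
func wireName(name string) (out []byte) {
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}
// signedData is the byte string an RRSIG covers: RRSIG RDATA (minus signature) || canonical RRs.
func signedData(sig RRSIG, rrset []ARecord) []byte {
	b := binary.BigEndian.AppendUint16(nil, 1) // type covered: A
	b = append(b, 13, byte(strings.Count(strings.TrimSuffix(rrset[0].Owner, "."), ".")+1)) // alg 13, label count
	b = binary.BigEndian.AppendUint32(b, rrset[0].TTL) // original TTL
	b = binary.BigEndian.AppendUint32(b, sig.Expiration)
	b = binary.BigEndian.AppendUint32(b, sig.Inception)
	b = append(binary.BigEndian.AppendUint16(b, sig.KeyTag), wireName(sig.Signer)...)
	for _, r := range rrset { // canonical RR: owner | type A | class IN | TTL | rdlength | rdata
		b = binary.BigEndian.AppendUint16(append(b, wireName(r.Owner)...), 1)
		b = binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint16(b, 1), r.TTL)
		b = append(binary.BigEndian.AppendUint16(b, 4), r.IP[:]...)
	}
	return b
}
// Sign is the zone signer's side: hash the covered data and sign it (ASN.1 encoding; real alg 13 publishes raw r||s).
func Sign(key *ecdsa.PrivateKey, sig RRSIG, rrset []ARecord) ([]byte, error) {
	h := sha256.Sum256(signedData(sig, rrset))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}
// Validate is the resolver's side: enforce the validity window, then verify against the zone's public key.
func Validate(pub *ecdsa.PublicKey, sig RRSIG, rrset []ARecord, signature []byte, now uint32) bool {
	if now < sig.Inception || now > sig.Expiration { return false }
	h := sha256.Sum256(signedData(sig, rrset)) // a swapped IP changes these bytes, so the signature fails
	return ecdsa.VerifyASN1(pub, h[:], signature)
}
```

A real validator additionally authenticates the zone's DNSKEY through DS records in the parent zone up to the signed root, which is why the root and TLD signing schedule below matters for ISPs turning validation on.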

The timeline looks promising even though the technology has had to overcome some bumps in the road. ICANN has smoothed out many of the arguments over how DNSSEC will be deployed and administered. Over the next few months the root zone will have DNSSEC, with the aim of being fully validated by July. The registrars that administer the TLDs are also looking into the testing and deployment of DNSSEC. Verisign, which currently runs the .com and .net domains, said it was on target to have these signed and verified by mid-2011. The government seems to be following suit with the .gov domain as well. Experts are also saying that Comcast has begun testing its name servers with the expectation of supporting DNSSEC as soon as it is completely deployed across all the TLDs. More ISPs are expected to follow once the root zone is verified.

© Copyright 2008 by DNS Reviews