Security Experts:

First Step For The Internet's next 25 years: Adding Security to the DNS

As you may have heard, this year the Internet celebrates the 25th anniversary of the world's first .com and .org domain name registrations. The registrants didn't know it, but symbolics.com (registered on March 15, 1985) and mitre.org (registered on July 10, 1985) were pioneers.

Close to 200 million domains names have been claimed since that day, but the Internet took time to warm to its newly created domain name system. Only six .com domains were registered in the first year. It wasn't until the dot-com gold-rush of late 1990s, 13 years after its creation, that the DNS experienced its first major boom.

We're on the cusp of a similar boom today. For the last 13 years, DNS and security experts under the auspices of the IETF have been working on updates to a specification called DNS Security Extensions, otherwise known as DNSSEC. First proposed in 1993, the DNSSEC standards were published in 2005, rigorously tested, and they are now ready to be adopted by the Internet as a whole.

In 1985, the major problem facing the domain name system was not security but basic functionality. The number of Internet hosts numbered in the low thousands, and not all of them at first understood what to do with the strange new strings, “.com” and “.org”. E-mails bounced or disappeared into the ether. There was no World Wide Web; if there had been, it would not have worked. Months passed before users of the young Internet could begin to trust its new addressing system.

These early teething troubles highlight an important point that is still relevant today: the domain name system is fundamentally based on trust. Something as simple as sending an e-mail or accessing a Web site relies upon a chain of trust and cooperation involving untold individuals at thousands of organizations all over the world.

Whenever you use a Web browser to access your bank account, you need to be able to trust that the Web site you see really does belong to your bank. Even if you are confident in the security of your own computer, you also need to trust your ISP, which will in most cases conduct the DNS query on your behalf.

If your bank lives at example.com, your ISP has to trust the Internet's root server system – itself built on a trust relationship between 13 globally dispersed organizations – to tell it where to find the authoritative .com registry. It then needs to trust that the registry will provide the correct IP address for example.com. The bank then needs to trust its own DNS provider to hand out the correct address for its Web servers. Any of these answers could be supplied by servers located anywhere in the world.  A compromise at any link in the chain, and the chain itself is untrustworthy.  Worse, you have no way of knowing that the chain has been compromised.

None of this greatly mattered in 1985, when the chief use of the Internet was academic. In many cases an Internet user could simply pick up the phone and ask somebody for their IP address. Today, the Internet has almost 200 million registered domains. A multi-billion dollar industry has been built on the acts of registering, transferring, hosting and managing domain names. Desirable strings, which would have no value whatsoever but for the aforementioned chain of trust, change hands for hundreds of thousands of dollars on an almost daily basis. In 2010, entire national economies rely upon the smooth and trustworthy functioning of the domain name system.

Remarkably, until DNSSEC the Internet had no comprehensive technical means of establishing this trust in an automated way. Each link in the chain has been bound to the next by either legal contract or commercial necessity. ISPs, registries, registrars and others act in the mutual desire to provide accurate addressing information to each other and to end users, but there has been no real way of ensuring that the information is trustworthy.

DNSSEC changes all that. With DNSSEC, each answer to a DNS query is digitally signed and can be fully validated against public keys at every link in the chain, up to the published “trust anchor” at the DNS root. Some experts now consider the domain name system has become the world's largest PKI.

Without DNSSEC, it is now possible for bad actors to intercept the “chain of trust,” in an attempt to capture legitimate traffic and swindle money out of innocent victims. The so-called “Kaminsky bug” of 2008 exposed this critical flaw. Indeed, some believe it was one of the biggest security threats ever to hit the Internet. DNSSEC would have stopped it in its tracks.

The domain name industry is already doing its part to make sure DNSSEC becomes a reality. So far a number of country codes including .SE, .BR, and others have deployed DNSSEC. Generic top-level domains like .gov and .org have also been signed. This June, the Public Interest Registry will begin allowing any .org domain name owner to sign their own zones, helping create the world’s largest secure zone online. Crucially, in July ICANN and the DNS root system operators plan to sign the root zone which will make full end-to-end DNSSEC validation possible. This gives those interested in deploying DNSSEC six months to build up their skills and experience before the .com and .net zones are signed in the first quarter of 2011.

For DNSSEC to make a lasting, global impact it also needs support from enterprises, ISPs and application developers. ISPs such as Comcast are already rolling out live trials of DNSSEC to their consumer base, and others will surely follow. Deploying DNSSEC at the enterprise has its challenges, but there is a clear advantage for early movers: differentiation.  One day, DNSSEC will be ubiquitous, a part of the Internet's basic plumbing. Those who adopt it early have the opportunity to deploy services that leverage the new security model arriving now on the Internet.

It has taken lots of work and many years for DNSSEC to reach the stage it is today, but the challenge is only just beginning. The tipping point is now. DNSSEC will be a reality, sooner than you think, and in 25 years you will wonder how we ever managed without it.

view counter
Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.