DNSSEC - Steps Your Organization Should Take to Prepare for DNSSEC Deployment
Broad deployment of DNS Security Extensions, the standard technology for adding cryptographic authentication and integrity to domain name system look-ups, has been a long time coming. But this summer sees a series of events kick off that will eventually lead to DNSSEC becoming as commonplace as plain old DNS. Notably, next month ICANN will publish a validatable key set for the domain name system's root, anchoring the chain of trust on which we all rely for DNS transactions every day. Several country-code domains and the .org zone are already fully DNSSEC compatible, and .com and .net are expected to follow within the next year.
DNSSEC deployment is accelerating, and now is the time for security-conscious organizations to begin to develop their plans for adopting the technology in their own zones. DNSSEC will eventually become ubiquitous, and there are significant advantages for first-mover enterprises, which could be first to offer new products or services that take advantage of a more secure DNS system.
There are challenges too. Rolling out DNSSEC is not entirely painless. Here are four things your organization should do to prepare for DNSSEC deployment.
1. Increase storage and memory capacity for your DNS equipment
Adding DNSSEC to your zone results in four new resource records being included in the authoritative zone file for each domain you sign. Some of these records, such as the DNS Public Key (DNSKEY), which is used to verify signatures, and the Resource Record Signature (RRSIG), which stores the signatures, carry relatively lengthy cryptographic data. Hence, in practice, the zone file becomes larger. On average, enterprises should expect their zone files to increase in size by four to six times, depending on how comprehensive the initial roll-out is. If your organization holds a large portfolio of domains and sub-domains, and you intend to sign them all, you should first ensure that your DNS equipment has the memory to store and efficiently serve all the required DNSSEC data in addition to the normal DNS queries you serve today.
2. Increase bandwidth allocations for all services that power your DNS infrastructure
Signed zones will start serving responses to DNSSEC look-ups immediately. At Afilias, we've seen that more than half of all incoming DNS queries already request signed responses, possibly due to the ubiquity of DNS resolution software like BIND that has DNSSEC built-in. Enterprises need to be prepared for an uptick in the bandwidth required to serve their DNS query traffic when their signed zones go into production. The larger zone files do equate to larger responses; all four of the new DNSSEC records need to be served whenever a resolver requests them.
A DNSSEC response is about twice as large, on average, as a regular DNS response, so enterprises should take into consideration how this may affect their overall bandwidth consumption. For early adopters, not all incoming DNS queries will require the larger answers, but as DNSSEC edges towards blanket use, bandwidth requirements will increase accordingly. For now, enterprises should plan to see two to four times the amount of bandwidth normally associated with DNS traffic.
The larger size of DNSSEC responses also means that the answers your zone provides will not always fit happily into the lightweight UDP packets that normal, unsecured DNS traffic uses today. Resolvers using older versions of BIND and other name server software may be configured to limit UDP responses to 512 bytes. When your larger DNSSEC replies are truncated, resolvers may automatically resend the query using TCP, which places a greater load on your bandwidth and server resources. Experiences to date with large-scale production DNSSEC deployments suggest that enterprises should prepare for an increase in TCP traffic of up to 2 percent. The overall increase in bandwidth needed, due to the larger responses and increased TCP traffic, should largely be of concern to organizations that are currently operating close to their contracted limits with their bandwidth or DNS service providers. These companies should plan to negotiate for greater allowances, to avoid the risk of overage fees.
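The truncation-and-retry behaviour described above, as an added example that is not from the original article: a stdlib-only Python simulation of a DNSSEC-aware authoritative server and a resolver. The server reads the UDP payload size and DO bit a query advertises in its EDNS0 OPT record (RFC 6891), sets the TC bit when the signed answer does not fit, and the resolver then retries over TCP. The zone data is constructed: one name, an answer and authority section, and dummy RRSIG records sized like 2048-bit RSA signatures. A real server would also echo an OPT record in its reply and would compress names; both are omitted here so the byte counts stay easy to follow.

```python
"""Why signed answers fall back to TCP: a constructed, stdlib-only simulation of a
DNSSEC-aware authoritative server and a resolver (not real DNS traffic)."""
import struct

TYPE_A, TYPE_NS, TYPE_RRSIG, TYPE_OPT = 1, 2, 46, 41
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
EDNS_DO = 0x8000          # "DNSSEC OK" bit in the OPT RR's TTL field (RFC 3225)
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload when the query carries no OPT RR

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + 1

def build_query(qname, edns_bufsize=None, dnssec_ok=False):
    """Query for qname/IN/A. With edns_bufsize, an OPT RR advertises that UDP
    payload size and, if dnssec_ok, asks for RRSIGs by setting the DO bit."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack(">HHHHHH", 0x1234, FLAG_RD, 1, 0, 0, arcount)   # ID, flags, counts
    msg += encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    if edns_bufsize:
        ttl_field = EDNS_DO if dnssec_ok else 0
        msg += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_bufsize, ttl_field, 0)
    return msg

def query_edns(query):
    """(max UDP payload the client accepts, DO bit) taken from the query's OPT RR."""
    qdcount, _, _, arcount = struct.unpack(">HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(query, pos) + 4
    for _ in range(arcount):
        pos = skip_name(query, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", query[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT), bool(ttl & EDNS_DO)
    return CLASSIC_UDP_LIMIT, False

def rr(owner, rtype, rdata):
    """One wire-format resource record (class IN, TTL 3600)."""
    return encode_name(owner) + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata

def fake_rrsig(signer, sig_len=256):
    """Constructed RRSIG RDATA: 18 bytes of fixed fields, the signer name and a dummy
    blob the size of a 2048-bit RSA signature. Not a valid signature."""
    return b"\x00" * 18 + encode_name(signer) + b"\xab" * sig_len

# Constructed single-name zone: the answer and authority sections a server would
# return for www.example.com/A. RRSIGs are served only when the DO bit is set.
ANSWER = [(TYPE_A, rr("www.example.com", TYPE_A, bytes([192, 0, 2, 1]))),
          (TYPE_RRSIG, rr("www.example.com", TYPE_RRSIG, fake_rrsig("example.com")))]
AUTHORITY = [(TYPE_NS, rr("example.com", TYPE_NS, encode_name("ns1.example.com"))),
             (TYPE_NS, rr("example.com", TYPE_NS, encode_name("ns2.example.com"))),
             (TYPE_RRSIG, rr("example.com", TYPE_RRSIG, fake_rrsig("example.com")))]

def response(query, answer, authority, flags=FLAG_QR | FLAG_RD):
    """Assemble a response echoing the query ID and question (OPT RR in reply omitted)."""
    question = query[12:skip_name(query, 12) + 4]
    header = query[:2] + struct.pack(">HHHHH", flags, 1, len(answer), len(authority), 0)
    return header + question + b"".join(answer) + b"".join(authority)

def full_answer(query):
    """The complete message the server wants to send, signed only if DO was set."""
    _, dnssec_ok = query_edns(query)
    keep = lambda rrs: [wire for t, wire in rrs if dnssec_ok or t != TYPE_RRSIG]
    return response(query, keep(ANSWER), keep(AUTHORITY))

def serve_udp(query):
    """If the answer exceeds what the client accepts over UDP, send only the header and
    question with TC set, which tells the resolver to retry over TCP."""
    limit, _ = query_edns(query)
    answer = full_answer(query)
    if len(answer) <= limit:
        return answer
    return response(query, [], [], flags=FLAG_QR | FLAG_RD | FLAG_TC)

def serve_tcp(query):
    """TCP carries the full message behind a two-byte length prefix (RFC 1035 4.2.2)."""
    answer = full_answer(query)
    return struct.pack(">H", len(answer)) + answer

def is_truncated(msg):
    return bool(struct.unpack(">H", msg[2:4])[0] & FLAG_TC)

def resolve(query):
    """Resolver side: try UDP first, fall back to TCP on TC. Returns (transport, message)."""
    reply = serve_udp(query)
    if not is_truncated(reply):
        return "udp", reply
    return "tcp", serve_tcp(query)[2:]

if __name__ == "__main__":
    for desc, q in [("no EDNS0", build_query("www.example.com")),
                    ("EDNS0 512 + DO", build_query("www.example.com", 512, True)),
                    ("EDNS0 4096 + DO", build_query("www.example.com", 4096, True))]:
        transport, msg = resolve(q)
        print(f"{desc:16} -> {transport}, {len(msg)} bytes")
```

With these constructed records the unsigned answer is 144 bytes and the signed one 768 bytes, so a resolver that advertises a 512-byte buffer (or none at all but asks for DNSSEC data some other way) gets a 33-byte truncated reply and repeats the whole exchange over TCP, while a resolver advertising 4096 bytes gets the signed answer in a single UDP datagram. The extra bandwidth and server state the article warns about come from that second, connection-oriented round trip.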
3. Choose a registrar you can use for a long time
DNSSEC support in the domain name registrar market is still in its infancy, and adoption is just starting to take root as some major registrars have announced their commitment to be DNSSEC-ready. Of most concern is that while DNSSEC adoption has been pushed through at the registry level, there is still work to be done on the inter-registrar transfer process. Transferring your domain from a registrar that supports DNSSEC to one that does not will result in your domains needing to be temporarily "unsigned", losing all the security benefits associated with DNSSEC. In addition, even simple registrar transfers between DNSSEC-capable registrars require more careful handling of your key information to make sure that your keys do not become invalid during the transfer process.
For that reason, there may be a period where a certain amount of technological lock-in is advisable, so it is important when making the decision to sign your zones that your domain portfolio is hosted with a registrar that you are comfortable sticking with for a while. As of this writing, two registrars (NamesBeyond and DynDNS) are known to be DNSSEC ready, while a third registrar (GoDaddy) is in the final stages of being ready.
4. Develop internal best practices for key management and stick to them
DNSSEC is not a fire-and-forget technology. The cryptographic key pairs used to sign and verify data need to be changed periodically to minimize the risk of compromise: the longer a key remains in use, the more valuable, and the easier, a target it becomes. It is also sensible practice to roll keys on a regularly scheduled basis in order to keep key generation procedures fresh in the minds of those responsible for DNS security, easing time-to-recovery in the event of an unexpected compromise.
Current best practice recommends replacing Zone Signing Keys on a monthly basis and rolling Key Signing Keys annually. The work-flow for both should be designed and documented with security in mind, along with the procedures for key generation and secure signature generation. Enterprises also need to consider the size of the keys they create, balancing their expected longevity with the resources they will consume.
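The monthly ZSK and yearly KSK policy above only works if each rollover is timed so that no validating resolver ever holds a signature whose key it can no longer fetch. As an added example, not from the original article, the Python below expands that policy into dated operator actions using the pre-publish ZSK rollover and the double-signature KSK rollover from RFC 6781, and refuses a policy whose rollover takes longer than the key's lifetime. The `Timings` values (DNSKEY TTL, longest zone TTL, DS TTL, propagation delays) and the start date are constructed assumptions; substitute your own zone's TTLs and your registrar's real DS turnaround.

```python
"""DNSSEC key rollover scheduling (constructed example following RFC 6781's pre-publish
ZSK and double-signature KSK rollovers). All timings are in seconds, as DNS TTLs are."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR, DAY = 3600, 86400

@dataclass(frozen=True)
class Timings:
    dnskey_ttl: int = 1 * HOUR         # TTL of the zone's DNSKEY RRset
    max_zone_ttl: int = 1 * DAY        # longest TTL of any signed RRset in the zone
    ds_ttl: int = 1 * DAY              # TTL of the DS RRset the parent publishes for you
    propagation: int = 2 * HOUR        # time for a zone change to reach all your authoritative servers
    parent_propagation: int = 1 * DAY  # time from handing a DS to the registrar until the parent serves it

DEFAULT_TIMINGS = Timings()           # constructed values, not measurements
EXAMPLE_START = datetime(2010, 7, 1)  # constructed start date for the examples below

def _after(when, *seconds):
    return when + timedelta(seconds=sum(seconds))

def zsk_prepublish_steps(start, t):
    """Pre-publish ZSK rollover. Each step waits until every cache can have seen the
    previous one, so no resolver holds an RRSIG whose DNSKEY it cannot fetch."""
    publish = start                                          # new ZSK in DNSKEY RRset, old ZSK still signs
    switch = _after(publish, t.propagation, t.dnskey_ttl)    # every cached DNSKEY RRset now has the new key
    remove = _after(switch, t.propagation, t.max_zone_ttl)   # old RRSIGs have expired from every cache
    return [(publish, "publish new ZSK"),
            (switch, "sign zone with new ZSK"),
            (remove, "remove old ZSK")]

def ksk_double_signature_steps(start, t):
    """Double-signature KSK rollover: both KSKs sign the DNSKEY RRset until the parent's
    DS has changed and the old DS has aged out of every cache."""
    publish = start
    ds_submit = _after(publish, t.propagation, t.dnskey_ttl)    # new DNSKEY RRset is everywhere
    remove = _after(ds_submit, t.parent_propagation, t.ds_ttl)  # old DS gone from parent and caches
    return [(publish, "publish new KSK and double-sign DNSKEY RRset"),
            (ds_submit, "submit new DS to parent via registrar"),
            (remove, "remove old KSK (and old DS)")]

def rollover_fits(t, lifetime_days, steps=zsk_prepublish_steps):
    """A rollover must finish before the next one starts, or three keys are published
    at once. Only the duration matters, so any start date will do."""
    timeline = steps(EXAMPLE_START, t)
    return timeline[-1][0] - timeline[0][0] < timedelta(days=lifetime_days)

def rollover_calendar(first, horizon_days, t, zsk_lifetime_days=30, ksk_lifetime_days=365):
    """Expand the policy (monthly ZSK, yearly KSK) into a sorted list of dated actions."""
    events = []
    for label, lifetime, steps in (("ZSK", zsk_lifetime_days, zsk_prepublish_steps),
                                   ("KSK", ksk_lifetime_days, ksk_double_signature_steps)):
        if not rollover_fits(t, lifetime, steps):
            raise ValueError(f"{label} rollover takes longer than its {lifetime}-day lifetime")
        n, day = 1, first
        while day < first + timedelta(days=horizon_days):
            events += [(when, f"{label} #{n}: {action}") for when, action in steps(day, t)]
            day, n = day + timedelta(days=lifetime), n + 1
    return sorted(events)

if __name__ == "__main__":
    for when, action in rollover_calendar(EXAMPLE_START, 90, DEFAULT_TIMINGS):
        print(when.isoformat(" "), action)
```

The check in `rollover_fits` is the one that catches a common mistake: a zone with very long TTLs (a 40-day maximum TTL in the test below) cannot complete a pre-publish ZSK rollover inside a 30-day key lifetime, so either the TTLs or the rollover cadence has to change before the policy is written down.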
Although DNSSEC has spent years in development and testing, it is still relatively new, and deploying it is not child's play. It is an important technology that will go a long way to protect the integrity of the domain name system against current and future threats. Preparing now will lead to fewer problems down the line. There are more than 20 top-level domains that are DNSSEC-enabled today. If your enterprise is serious about security, I would encourage you to test your domains in one of the DNSSEC-ready TLDs today before .net and .com are enabled.