Risk vs. Reward of Implementing DNSSEC and What Enterprises Should Do Today

When Should You Implement DNSSEC in Your Organization?

Part 3 of a 3 Part Series on Understanding DNSSEC

Part 1 - The Implementation Challenges for DNSSEC - Wide-spread DNSSEC adoption is still far from completion, even for critical domains and services. So what are some of the major pitfalls of DNSSEC and how can they be avoided?

Part 2 - Application Layers - The DNSSEC Chicken and Egg Challenge - There are obvious security benefits to adopting DNSSEC, but there are some severe downsides to being too early in the adoption curve. Should your organization implement DNSSEC yet?

As we begin the New Year and look back on key developments over the past year, it’s hard to ignore a major event in the IT security space – the arrival of the Domain Name System Security Extensions, or DNSSEC. But while DNSSEC has grabbed big headlines (many in SecurityWeek alone), it’s a good idea for enterprises to take a step back and ask, “Is it the time TODAY to implement DNSSEC?” The answer, as usual, is “it depends,” but for many, it is “not yet.”

DNSSEC will help protect the Domain Name System (DNS, which is the address book of the Internet) from DNS exploits like cache poisoning. These attacks can allow malicious entities to intercept an Internet user’s request to access a website, send e-mail, or transact with a domain, and redirect or eavesdrop on the user without their knowledge. And with no ability to reassert control, organizations run the risk of losing millions of dollars in lost reputation, stolen transactions, recovery costs and more. DNSSEC introduces digital signatures into the DNS infrastructure and is designed to automatically ensure that users are not hijacked en route and taken to an unintended destination.

So the question is, do you implement DNSSEC now, or wait? Unfortunately the answer is not that simple. The reality for most organizations is that you need to get your enterprise ready for DNSSEC today, but wait to enable it until key infrastructure vendors are fully functional with DNSSEC, and the rest of the industry is prepared. In this final entry in my three-part series on DNSSEC deployment, I will focus on the risk vs. reward surrounding implementing DNSSEC, both today and in the future, including a look at what steps an enterprise should take.

Who Is DNSSEC For?

DNSSEC is not for everyone. Since implementing DNSSEC is a potentially costly, time and resource-consuming endeavor, only those enterprises that stand to lose the most from a cache poisoning attack should be looking to DNSSEC today. That means any organization that collects login credentials, financial information, classified data, intellectual property or privacy data. Typical industries that cyber criminals are looking to spoof include financials, e-commerce, Internet infrastructure providers and social networking. Another major target is sites with high amounts of web traffic, as defined by Alexa rankings for top sites on the Web. These sites present great opportunities to divert large amounts of traffic for activities like drive-by exploits (a malicious website that will attempt to automatically install malware or spyware on a user’s computer, once he or she visits the site) or advertising fraud. Bottom line, if you don’t have a large amount of online users or process Internet cash transactions, chances are cyber criminals are not looking to target your organization for cache-poisoning attacks. At least not now…

DNSSEC Risky for Enterprises Today

Infrastructure vendors at all ends of the DNS spectrum and application vendors are ultimately the ones that need to adopt and support DNSSEC for it to be readily usable by all. Enterprises are largely at the mercy of the Internet ecosystem when it comes to how DNSSEC will ultimately work and benefit them. While this is certainly true of “standard” DNS today, as we explored in the first two parts of this series, DNSSEC adds a vast amount of complexity and lack of transparency for errors that make it far harder for organizations to spot and fix issues as they arise.

If organizations run DNSSEC today, they face the very real risk of having their Internet presence appear broken to many users – driving away potential customers and causing multi-million dollar transactions to stall. As I discussed in the second article in this series, as Internet Service Providers (ISPs) and other infrastructure players begin to adopt, support and implement DNSSEC resolution verification in its current form, there will be many opportunities for Internet communication breakdowns. This risk is exacerbated by the lack of application providers implementing DNSSEC, making it difficult to inform end-users of particular DNSSEC failure issues gracefully. The end result will be mysteriously missed connections and unhappy customers.

For example, Comcast, a leading adopter of DNSSEC in the ISP space, has started rolling out DNSSEC validation for a large subset of its user base. As it does, something very different will happen at the DNS resolver for the current, DNSSEC-unaware application software: a DNSSEC validation failure will be passed back through the network and presented by the ISP’s recursive DNS servers as a general DNS failure to the end user. In other words, the name will not resolve, and to the end-user or process, it will seem as though the domain is down or never existed at all. The online connection simply will not be made.

How will inevitable failures without notification affect the end user trying to access, say, the website of a retailer or bank? They will behave in exactly the same way as if the entire site was down:

1. “The site is down, so maybe I’ll try again later.”

2. “The site is down, so I’ll call their tech support line and let them know.”

3. “The site is down, so this organization must be incompetent and I’ll take my business elsewhere.”

This Internet communication breakdown is obviously a major risk to enterprises and alienates customers. But as application providers, ISPs and resolvers begin supporting DNSSEC, enterprises should be prepared to hit the “go button” and deploy DNSSEC.

There are few if any rewards for an enterprise to actually run DNSSEC live on the Internet today, especially since most ISPs aren’t validating yet, and most applications aren’t yet DNSSEC savvy. One important reason for some, though, is to build on a reputation as an Internet visionary. However, unless this is a key factor for you, instead of suffering through the pains associated with DNS thought-leadership (and the risks), most enterprises should prepare for the day when DNSSEC is actually widely supported both within ISPs and by Internet-aware application providers. Which brings me to the next point…

Prepare for Tomorrow, Today

Despite the obvious risks outlined above, the future may hold some big rewards for those organizations investing in DNSSEC today. That’s because when the major Internet application providers, ISPs, DNS resolvers and enterprises are on board, DNSSEC will be a crucial way to protect an enterprise from cyber criminals looking to harm consumers or enterprises. While cache-poisonings are still relatively rare, they are occurring, and there is no other real protection against them. One can only anticipate that the risk will grow, and there will be little defense for a non DNSSEC-adopting organization that has a major customer-impacting event after the technology is deployed widely.

Since vendor selection and implementation for DNSSEC can take six months to a year or more, it could be well over a year and a half until a major enterprise that starts the process today is ready to run DNSSEC. By then, the hope is that enough of the infrastructure is set up to make running DNSSEC a safe proposition.

Working through the problems now, getting important processes like key management and DNS entry inventory maintenance in place, and experimenting internally are crucial in any complex technology upgrade. That is just how DNSSEC should be treated as well – an investment in complex technology that will be a major component of the organization’s Internet infrastructure.

Don’t Attempt this on Your Own

Today, there are a number of registries, DNS providers, and other Internet specialists that can set up DNSSEC for enterprises. Instead of implementing DNSSEC internally at an enterprise, the best bet is to turn to these specialists. That even applies to organizations running their own DNS infrastructure – they’ll want to bring in the experts to make sure it all works properly. All of a large enterprise’s domains, extended enterprise partners it talks to, and more, have intricate configurations that need to be analyzed. It is almost certain that most enterprises will need help identifying partners, communicating about their implementation, and establishing and maintaining notification procedures – even if they are experienced pros. As we’ve seen in the prior installments of this series, with DNSSEC, there are a lot of brand-new moving parts added to the DNS manager’s bailiwick that are completely new technology and responsibility areas.

DNSSEC With Domains

Another step that can be taken today for the good of tomorrow is encouraging major trade organizations to support industry-wide efforts for DNSSEC implementation at the enterprise, application and ISP levels. Some of these trade organizations include, but are not limited to, the National Credit Union Association (NCUA), BITS (a division of the Financial Services Roundtable), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Merchant Risk Council (MRC). Furthermore, e-commerce and online financial enterprises stand to benefit most from the security protections of DNSSEC – and conversely, stand to be most directly harmed by haphazard implementation. As such, it is precisely these organizations that should be heavily pushing for application support with the major software companies. Fortunately, it’s also these large enterprise organizations that have the outsized pull necessary to get software vendors moving quickly.

Minimizing the Risk Today

What can be done today to minimize the risks of DNS cache poisoning attacks? A heavy dose of attack monitoring is the best approach until DNSSEC is fully deployed. That means watching for DNS and traffic anomalies on systems, and checking for end-to-end integrity of DNS entries with major ISPs and enterprise partners. The key is making sure there is a response ready to roll immediately if and when an anomaly is detected. Another consideration is the scope of DNS entries you want to protect – just your own primary domain(s), or also your key partners and services you are directly connected to, send sensitive information to, or engage in automated Internet-based transactions with.
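Two of the points above lend themselves to a concrete check: the observation that a validating resolver surfaces a DNSSEC failure as a plain resolution failure, and the recommendation to monitor the end-to-end integrity of DNS entries across ISPs and partners. The following is an added example, not code from the article or from Internet Identity; it works over constructed resolver responses (no network), and the resolver names, the `DnsResult` structure and the `check_inventory`/`classify` helpers are all assumptions. In practice the fields would be filled from queries such as `dig @resolver name A +dnssec` and the same query with `+cd`, which asks the resolver to skip validation.

```python
"""Added example: triage DNSSEC-related resolution failures and compare
resolver answers against a maintained DNS inventory.  All responses here
are CONSTRUCTED sample data; nothing is queried over the network."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResult:
    """One observed answer from one resolver (hypothetical structure)."""
    resolver: str
    rcode: str                         # NOERROR, SERVFAIL or NXDOMAIN
    answers: frozenset = frozenset()   # A records returned, if any
    ad: bool = False                   # AD flag: resolver validated the data
    cd: bool = False                   # query was sent with Checking Disabled


def classify(normal: DnsResult, checking_disabled: DnsResult) -> str:
    """Tell a DNSSEC validation failure apart from a genuine outage.

    A validating resolver reports failed validation as SERVFAIL, which a
    DNSSEC-unaware client cannot distinguish from the zone being down.
    Repeating the query with the CD bit set bypasses validation: if data
    now comes back, the zone is reachable and the signatures are the problem.
    """
    if normal.rcode == "SERVFAIL":
        if checking_disabled.rcode == "NOERROR" and checking_disabled.answers:
            return "dnssec-validation-failure"
        return "resolution-failure"
    if normal.rcode == "NXDOMAIN":
        return "name-does-not-exist"
    if normal.rcode == "NOERROR":
        return "validated" if normal.ad else "unvalidated"
    return "unknown"


def check_inventory(expected: dict[str, frozenset],
                    observed: dict[str, list[DnsResult]]) -> list[str]:
    """Compare every resolver's answer for each name against the inventory.

    Returns human-readable alerts; an empty list means every resolver agrees
    with the records the organisation believes it publishes.
    """
    alerts: list[str] = []
    for name, want in expected.items():
        results = observed.get(name, [])
        if not results:
            alerts.append(f"{name}: no observations")
        for r in results:
            if r.rcode != "NOERROR":
                alerts.append(f"{name}: {r.resolver} returned {r.rcode}")
            elif r.answers != want:
                unexpected = sorted(r.answers - want)
                missing = sorted(want - r.answers)
                alerts.append(f"{name}: {r.resolver} answer mismatch "
                              f"(unexpected={unexpected}, missing={missing})")
    return alerts


# Constructed inventory: what the organisation intends to publish.
INVENTORY = {"www.example.com": frozenset({"192.0.2.10", "192.0.2.11"})}

# Constructed observations from three resolvers for the same name:
# a validating ISP resolver that fails validation, a partner resolver that
# validates fine, and a non-validating public resolver returning an
# unexpected address (the kind of anomaly a cache-poisoning watch looks for).
OBSERVED = {"www.example.com": [
    DnsResult("isp-validating", "SERVFAIL"),
    DnsResult("partner-resolver", "NOERROR",
              frozenset({"192.0.2.10", "192.0.2.11"}), ad=True),
    DnsResult("public-nonvalidating", "NOERROR",
              frozenset({"192.0.2.10", "198.51.100.7"})),
]}

# Constructed follow-up: the same ISP resolver asked again with CD set.
ISP_CD_RETRY = DnsResult("isp-validating", "NOERROR",
                         frozenset({"192.0.2.10", "192.0.2.11"}), cd=True)


def run_checks() -> tuple[str, list[str]]:
    """Classify the ISP failure and report inventory alerts for the sample."""
    verdict = classify(OBSERVED["www.example.com"][0], ISP_CD_RETRY)
    return verdict, check_inventory(INVENTORY, OBSERVED)


if __name__ == "__main__":
    verdict, alerts = run_checks()
    print("isp-validating verdict:", verdict)
    for line in alerts:
        print("ALERT:", line)
```

The SERVFAIL branch is the one the article warns about: to a customer it looks like the site is down, so the retry with checking disabled is the quickest way for the operator to learn that the outage is really a signature or key problem on their own zone rather than a network fault. The inventory comparison is the monitoring half; the address mismatch at the non-validating resolver is exactly the discrepancy that should trigger the prepared response the article calls for.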

The Bottom Line

Although running DNSSEC today at an enterprise will a) likely lead to at least some Internet communications breakdowns and b) do little to stop DNS cache poisoning attacks (since the likelihood of the ISP or partner verifying it is low), getting READY to actually run DNSSEC is a risk definitely worth undertaking, especially for large enterprises. The process can be time-consuming and requires significant planning, so get started soon. As an enterprise weighs the risks and rewards of implementing DNSSEC, it’s not as simple as “let’s deploy” or “let’s not.” It’s a question of whether you want to get ready for the future today or play catch-up tomorrow. Finally, it’s important to put effort into lobbying ISPs and software developers to deliver end-to-end authentication to end users, so that DNSSEC can fulfill its promise.

Related Reading: Trouble Ahead - The Implementation Challenges for DNSSEC

Related Reading: Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

Related Reading: Do Recent BGP Anomalies Shed a Light on What's to Come?

Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world and works closely with ICANN. He also is a member of the Online Trust Alliance’s (OTA) Steering Committee and an active member of the Digital PhishNet and is an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.