SecurityWeek

Security Infrastructure

First Step For The Internet’s next 25 years: Adding Security to the DNS

As you may have heard, this year the Internet celebrates the 25th anniversary of the world’s first .com and .org domain name registrations. The registrants didn’t know it, but symbolics.com (registered on March 15, 1985) and mitre.org (registered on July 10, 1985) were pioneers.

Close to 200 million domain names have been claimed since that day, but the Internet took time to warm to its newly created domain name system. Only six .com domains were registered in the first year. It wasn’t until the dot-com gold rush of the late 1990s, 13 years after its creation, that the DNS experienced its first major boom.

We’re on the cusp of a similar boom today. For the last 13 years, DNS and security experts under the auspices of the IETF have been working on updates to a specification called DNS Security Extensions, otherwise known as DNSSEC. First proposed in 1993, the DNSSEC standards were published in 2005, have been rigorously tested, and are now ready to be adopted by the Internet as a whole.

In 1985, the major problem facing the domain name system was not security but basic functionality. Internet hosts numbered in the low thousands, and not all of them at first understood what to do with the strange new strings “.com” and “.org”. E-mails bounced or disappeared into the ether. There was no World Wide Web; if there had been, it would not have worked. Months passed before users of the young Internet could begin to trust its new addressing system.

These early teething troubles highlight an important point that is still relevant today: the domain name system is fundamentally based on trust. Something as simple as sending an e-mail or accessing a Web site relies upon a chain of trust and cooperation involving untold individuals at thousands of organizations all over the world.

Whenever you use a Web browser to access your bank account, you need to be able to trust that the Web site you see really does belong to your bank. Even if you are confident in the security of your own computer, you also need to trust your ISP, which will in most cases conduct the DNS query on your behalf.

If your bank lives at example.com, your ISP has to trust the Internet’s root server system – itself built on a trust relationship between 13 globally dispersed organizations – to tell it where to find the authoritative .com registry. It then needs to trust that the registry will provide the correct IP address for example.com. The bank then needs to trust its own DNS provider to hand out the correct address for its Web servers. Any of these answers could be supplied by servers located anywhere in the world. A compromise at any link in the chain, and the chain itself is untrustworthy. Worse, you have no way of knowing that the chain has been compromised.

None of this greatly mattered in 1985, when the chief use of the Internet was academic. In many cases an Internet user could simply pick up the phone and ask somebody for their IP address. Today, the Internet has almost 200 million registered domains. A multi-billion dollar industry has been built on the acts of registering, transferring, hosting and managing domain names. Desirable strings, which would have no value whatsoever but for the aforementioned chain of trust, change hands for hundreds of thousands of dollars on an almost daily basis. In 2010, entire national economies rely upon the smooth and trustworthy functioning of the domain name system.

Remarkably, until DNSSEC the Internet had no comprehensive technical means of establishing this trust in an automated way. Each link in the chain has been bound to the next by either legal contract or commercial necessity. ISPs, registries, registrars and others act in the mutual desire to provide accurate addressing information to each other and to end users, but there has been no real way of ensuring that the information is trustworthy.

DNSSEC changes all that. With DNSSEC, each answer to a DNS query is digitally signed and can be fully validated against public keys at every link in the chain, up to the published “trust anchor” at the DNS root. Some experts now consider that the domain name system has become the world’s largest PKI.
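The chain-of-trust walk described above (root trust anchor, DS record in the parent vouching for the child’s DNSKEY, RRSIG on the final answer), as an added, deliberately simplified model that is not code from the original column or from any DNSSEC implementation. It assumes Ed25519 signatures and SHA-256 digests, a single key per zone, and constructed zone names and addresses; real DNS wire formats, key rollover and denial-of-existence records are omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Signed struct{ Data, Sig []byte } // a record plus its RRSIG
// Zone models a signed zone: one DNSKEY, a signed DS per delegation, one signed answer.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	DS     map[string]Signed // child zone name -> SHA-256 of child DNSKEY, signed here
	Record Signed            // this zone's own answer, e.g. a constructed A record
}

func NewZone(name, answer string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	z := &Zone{Name: name, Pub: pub, priv: priv, DS: map[string]Signed{}}
	z.Record = Signed{[]byte(answer), ed25519.Sign(priv, []byte(answer))}
	return z
}
// Delegate adds one link to the chain: the parent signs a DS vouching for the child's DNSKEY.
func (parent *Zone) Delegate(child *Zone) {
	sum := sha256.Sum256(child.Pub)
	parent.DS[child.Name] = Signed{sum[:], ed25519.Sign(parent.priv, sum[:])}
}

// Validate walks root -> leaf; anchor is the trust anchor (SHA-256 of the root DNSKEY).
func Validate(anchor []byte, chain []*Zone) error {
	for i, z := range chain {
		if sum := sha256.Sum256(z.Pub); !bytes.Equal(sum[:], anchor) {
			return fmt.Errorf("DNSKEY of %s is not the one vouched for above it", z.Name)
		}
		if !ed25519.Verify(z.Pub, z.Record.Data, z.Record.Sig) {
			return fmt.Errorf("answer from %s fails its RRSIG check", z.Name)
		}
		if i+1 < len(chain) { // descend: the DS for the child must be signed by this zone
			ds := z.DS[chain[i+1].Name]
			if !ed25519.Verify(z.Pub, ds.Data, ds.Sig) {
				return fmt.Errorf("%s has no validly signed DS for %s", z.Name, chain[i+1].Name)
			}
			anchor = ds.Data // what the next zone's DNSKEY must hash to
		}
	}
	return nil
}
```

A resolver that holds only the root anchor can thus detect a substituted answer, a substituted zone key, or a missing delegation anywhere in the chain, which is exactly the blind spot the unsigned DNS leaves open.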

Without DNSSEC, it is now possible for bad actors to intercept the “chain of trust” in an attempt to capture legitimate traffic and swindle money out of innocent victims. The so-called “Kaminsky bug” of 2008 exposed this critical flaw. Indeed, some believe it was one of the biggest security threats ever to hit the Internet. DNSSEC would have stopped it in its tracks.

The domain name industry is already doing its part to make sure DNSSEC becomes a reality. So far a number of country-code top-level domains, including .SE and .BR, have deployed DNSSEC. Generic top-level domains like .gov and .org have also been signed. This June, the Public Interest Registry will begin allowing any .org domain name owner to sign their own zones, helping create the world’s largest secure zone online. Crucially, in July ICANN and the DNS root system operators plan to sign the root zone, which will make full end-to-end DNSSEC validation possible. This gives those interested in deploying DNSSEC six months to build up their skills and experience before the .com and .net zones are signed in the first quarter of 2011.

For DNSSEC to make a lasting, global impact it also needs support from enterprises, ISPs and application developers. ISPs such as Comcast are already rolling out live trials of DNSSEC to their consumer base, and others will surely follow. Deploying DNSSEC in the enterprise has its challenges, but there is a clear advantage for early movers: differentiation. One day, DNSSEC will be ubiquitous, a part of the Internet’s basic plumbing. Those who adopt it early have the opportunity to deploy services that leverage the new security model arriving now on the Internet.

It has taken lots of work and many years for DNSSEC to reach the stage it is today, but the challenge is only just beginning. The tipping point is now. DNSSEC will be a reality, sooner than you think, and in 25 years you will wonder how we ever managed without it.
