DNSSEC: A Small Step that took 17 Years (and counting)

DNSSEC stands for “Domain Name System Security”, a set of protocols that protect the system used to translate Internet domain names (like mit.edu) into the numeric addresses that can be contacted over the network.

Yesterday (July 28th, 2010) the Internet Corporation for Assigned Names and Numbers (ICANN) put out a news release announcing that the “root” of the Domain Name System (DNS) is now digitally signed.

Traditionally the DNS has not had any security (that is, cryptographic) protection. When your computer asks “Please translate MIT.EDU into an address”, an attacker can answer instead of the legitimate server, and you cannot tell the difference. This means that you can be fooled into visiting a website very different from the one you intended.

The idea behind DNSSEC is to provide protection so this would not be possible (or at least it would not be easy!).

When we first started looking into DNSSEC all those years ago, we were not really seeing attacks against the DNS. However we were concerned that it was only a matter of time before such attacks surfaced. Better to be prepared!

However, never did we envision that it would take 17 years to get to the point where it is deployed in the “root” (top of the tree) zone. But it did. And we are not done. A signed root by itself doesn't help you unless the zones below the root are signed too. And then... you need to be running software on your computer that can check these signatures and warn you when a bogus record is returned. This may take more than a few more years to happen.
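The chain just described (a signed root, signed zones below it, and validating software on the client) as a toy model in Go. This is an added example, not code from the original post: keys, zone names and addresses are constructed, the DS link is modelled as a plain SHA-256 of the child's key, and wire formats, algorithm fields, TTLs and NSEC records are left out. `Demo` builds root -> edu -> mit.edu and validates a genuine answer, then a spoofed answer signed with a key no parent zone vouches for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Record is an owner name, a value and the signing zone's signature over it (RRSIG stand-in).
type Record struct {
	Name, Value string
	Sig         []byte
}

func sign(priv ed25519.PrivateKey, name, value string) Record {
	return Record{name, value, ed25519.Sign(priv, []byte(name+"="+value))}
}

// dsDigest mirrors the DS record: the parent publishes and signs a hash of the child's
// key, the link that lets a signed root vouch for the signed zones below it.
func dsDigest(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return string(h[:])
}

// Validate walks from the trust anchor (the root key a validating resolver is configured
// with) down the delegations: each DS must verify under the key above it and match the next
// zone's key, then the answer must verify under the last key. Any break: not provably authentic.
func Validate(anchor ed25519.PublicKey, keys []ed25519.PublicKey, ds []Record, ans Record) bool {
	cur := anchor
	for i, d := range ds {
		if !ed25519.Verify(cur, []byte(d.Name+"="+d.Value), d.Sig) || d.Value != dsDigest(keys[i]) {
			return false
		}
		cur = keys[i]
	}
	return ed25519.Verify(cur, []byte(ans.Name+"="+ans.Value), ans.Sig)
}

func Demo() (genuine, spoofed bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // the trust anchor
	eduPub, eduPriv, _ := ed25519.GenerateKey(rand.Reader)
	mitPub, mitPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader) // spoofer's key: no parent vouches for it
	ds := []Record{sign(rootPriv, "edu", dsDigest(eduPub)), sign(eduPriv, "mit.edu", dsDigest(mitPub))}
	keys := []ed25519.PublicKey{eduPub, mitPub}
	good := sign(mitPriv, "mit.edu", "192.0.2.1")   // constructed sample address
	bad := sign(evilPriv, "mit.edu", "203.0.113.7") // constructed spoofed reply
	return Validate(rootPub, keys, ds, good), Validate(rootPub, keys, ds, bad)
}
```

A real validator also has to handle the case where a delegation is provably unsigned (it then treats the answer as insecure rather than bogus); this toy simply reports that the answer could not be proven authentic.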

And then... I wish this would actually mean that we had significantly improved the security of the Internet. But it won't. At least not by merely protecting the mapping of names to numbers. There are other ways that Internet users can be misdirected to visit a malicious website, not to mention compromising a legitimate site to cause it to behave maliciously, ways that are easier than attacking even today's unprotected domain name system. So DNSSEC replaces the wooden front door with an iron vault door, but the rest of the house is still made of paper!

But all is not for naught. The domain name system can be used to provide other information beyond mapping computer names to their Internet addresses, and that other information can benefit from being delivered in a secure manner. So ultimately time will tell if we spent a lot of time and energy for little gain, or if we laid the foundation of an important security service.

