April 6, 2005

ICANN-backed project pushes DNS security

A project to roll out security to the internet's domain name system, backed by ICANN and the US Department of Homeland Security, was launched this week here at ICANN's weeklong meeting in Mar Del Plata, Argentina.

By CBR Staff Writer

Steve Crocker, who is heading up the DNSSec Deployment Initiative with funding from the DHS, told ComputerWire yesterday he expects DNSSec support will be added to the internet’s DNS root server system towards the end of this year.

Fresh from an apparently successful meeting with ICANN staff and root server operators, Crocker said some agreement had been reached. He said: "We’re not going to do it piecemeal, we’ve got to do it all together or not at all."

DNSSec is a set of extensions to the age-old DNS standards that is designed to prevent domain names from being hijacked by malicious hackers, by adding a cryptographic signature check requirement to each DNS lookup.

Lack of DNS authentication could lead to attacks such as corporate espionage, and may not be a theoretical problem, Crocker said. "You never know how big a threat it is," he said. "I think it’s doable, but we have no information on whether it’s being done."

The DNS is hierarchical. When a browser looks up a web page, www.computerwire.com for example, it needs the IP address for the host name in the URL. If the local DNS server cannot find it, that server asks the root for a pointer.

The root points to a name server at VeriSign, which the root knows runs .com. VeriSign’s server passes it on to ComputerWire, which it knows runs computerwire.com, and ComputerWire passes the request on to its web server, www.computerwire.com.

"Anywhere along that path, you could be given misinformation by a badly configured system, or an intruder, that causes your traffic to be directed to a different site," Crocker said.


This so-called man-in-the-middle attack could let a hacker intercept and read your email, web browser requests, or any other internet traffic that uses domain names to locate servers. The victim would usually be none the wiser.

DNSSec is designed to solve this problem by requiring each stage of the DNS lookup to be authenticated using a cryptographic key. A company with a .com address would be authenticated by the .com servers, and the .com servers would be authenticated by the root. The root would be authenticated using a public key.
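To make that chain of trust concrete, here is an added example (not code from the article, Shinkuro or VeriSign) that models it in Go: each zone signs its own records, the parent publishes a digest of the child's key (a simplified DS record), and a validator walks from the root trust anchor down to the answer for www.computerwire.com. Ed25519 keys, the "|"-joined record encoding and the sample addresses are constructed assumptions for the illustration, not real DNSSEC wire formats.

```go
package main

import ("crypto/ed25519"; "crypto/rand"; "crypto/sha256"; "fmt")

// Signed is a record with its signature and signing key (RRSIG + DNSKEY, simplified);
// Type is "DS" (parent-signed digest of a child zone's key) or "A" (an address answer).
type Signed struct {
	Owner, Type, Data string
	Sig               []byte
	Key               ed25519.PublicKey
}
// NewKey generates a zone's Ed25519 signing key; only Pub(key) is ever published.
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return priv
}
func Pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func msg(owner, typ, data string) []byte       { return []byte(owner + "|" + typ + "|" + data) }
// DS is the digest a parent publishes for a child zone's key (simplified DS record).
func DS(key ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(key)) }
// Sign produces a record signed under a zone's key, as each zone signs its own records.
func Sign(zone ed25519.PrivateKey, owner, typ, data string) Signed {
	return Signed{owner, typ, data, ed25519.Sign(zone, msg(owner, typ, data)), Pub(zone)}
}

// Validate walks from the trust anchor (the root key) down: each signing key must match the
// digest its parent signed and each signature must verify, so a forged link anywhere fails.
func Validate(anchor ed25519.PublicKey, chain []Signed) bool {
	expected := DS(anchor)
	for _, r := range chain {
		if DS(r.Key) != expected || !ed25519.Verify(r.Key, msg(r.Owner, r.Type, r.Data), r.Sig) {
			return false
		}
		if r.Type == "A" {
			return true // reached the answer with every link above it verified
		}
		expected = r.Data // the next zone must sign with the key this DS digest names
	}
	return false // chain ended before an answer
}

func main() {
	root, com, cw := NewKey(), NewKey(), NewKey()
	chain := []Signed{Sign(root, "com", "DS", DS(Pub(com))), Sign(com, "computerwire.com", "DS", DS(Pub(cw))),
		Sign(cw, "www.computerwire.com", "A", "192.0.2.10")} // constructed sample address
	fmt.Println("genuine chain:", Validate(Pub(root), chain))
	chain[2] = Sign(NewKey(), "www.computerwire.com", "A", "198.51.100.7") // signed with an intruder's key
	fmt.Println("forged answer:", Validate(Pub(root), chain))
}
```

The forged answer fails not because its signature is malformed but because the intruder's key is not the one .com vouched for, which is exactly the check a resolver without DNSSec cannot make.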

It’s the decision to publish those public keys and support DNSSec at the root that appears to have been reached this week at the ICANN meeting, where all the big players from the DNS space are gathered for a five-day tête-à-tête.

But that’s not even half the challenge. Crocker said that the top-level domain operators, such as VeriSign, also need to start supporting DNSSec, as do makers of applications such as browsers, operating systems and email software.

The operators of the Swedish and Dutch TLD registries, .se and .nl, will almost certainly be the first to support the protocols, Crocker said. These are relatively small domains, where the cost and complexity of rolling out DNSSec will be relatively modest.

VeriSign, on the other hand, is said to manage over 80% of the world’s domains, and would have a lot more work. Pat Kane, head of .com/.net data at VeriSign, said that adding DNSSec support would triple the size of its registry zone files.

Kane said that he expects the cost to the VeriSign registry of rolling out DNSSec across the whole of the .com and .net domains would be $5m in the first year. At the same time, there’s no real business model associated with the technology, yet.

"Registries and registrars have to balance market demand with technical needs. There’s no proof today there’s a market demand for DNSSec," he said during a public meeting on the subject here in Argentina. "Where is the revenue?"

VeriSign does appear to be committed to DNSSec, however. The specs have been under development, with VeriSign’s assistance, for 12 years, and VeriSign has been running pilot and test-bed projects for over four years.

There may be a market for DNSSec as a value-added service. Many companies could be happy to pay an extra fee each year for a domain to protect their sites against man-in-the-middle attacks. But the threat is little known.

"We don’t have a reference event," said VeriSign’s Kane, alluding to the 1989 Exxon Valdez disaster, and how it reformed the way oil spills were treated. Without a CNN headline talking about DNS insecurity, there’s no demand yet.

"That’s a good thing and a bad thing," he said. "It’s good because we don’t have that event, it’s bad because we don’t have the motivation across the entire community."

The DNSSec Deployment Initiative is being managed by Crocker’s company, Shinkuro Inc, with funding from the DHS. DNSSec deployment is one of the few hard technical goals outlined in the US government’s National Strategy to Secure Cyberspace.

Crocker is also head of ICANN’s Security and Stability Advisory Committee. ICANN is tasked with ensuring the stability of the DNS. Crocker said: "This is bigger than ICANN, but ICANN has a strong, vital, pivotal role."
