While the vulnerabilities in the DNS are well known, the absence of widespread attacks, regulations, and proven business models are holding back DNSsec adoption, speakers here at the ICANN annual meeting in Vancouver said yesterday.
Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditional security early-adopters, are not rushing DNSsec.
What’s important to them is they make this transition logically, and they are going to be very slow and methodical about it, he said. They have expressed an understanding that it’s important to their business, but it’s not at the top of their list.
Regulations such at the latest FFIEC rules that mandate two-factor authentication in US online banking services by the end of 2006 will form the focus of the financial services sector’s security efforts over the next 12 months, he said.
DNSsec is designed to add a layer of cryptographic signing to DNS records, so that when there is an attempt to resolve a domain name to an IP address, the user can have a higher degree of confidence that they are receiving the correct answer.
It was yesterday demonstrated to be possible to use cache poisoning to conduct a man-in-the-middle attack that sends the user to the wrong IP address, where data can be phished.
It’s possible that a web surfer could think they are visiting their bank or an auction site and hand over their sensitive data, and it would be impossible to tell they were at a malicious site.
Content from our partners
But there are few, if any, well-documented widespread attacks such as this, and even those in the domain industry are unsure that DNSsec deployment should be an urgent priority.
We’re still somewhat skeptical about DNSsec, but we want to be open-minded, we want to learn more, said Paul Diaz of Network Solutions Inc, one of the largest domain name registrars.
The domain name industry is discussing what drivers for DNSsec adoption will be, and so far there is little agreement. Will it be regulation-driven? Consumer-driven? Or driven by online businesses eager to give customers an extra layer of security.
Several speakers here at the Internet Corp for Assigned Names and Numbers meeting suggested that adoption could be driven by e-commerce sites or developers of popular software.
If Google or MSN or Yahoo said ‘We’re going to give number one ranking to anyone who’s got DNSsec’, the registrars would be in there like a shot, said Bruce Tonkin, of Melbourne IT Pty Ltd, an Australian registrar.
I can envisage browsers that are enabled with capabilities that would only display domain links that are secured, said Rick Wesson of Alice’s Registry, which has already rolled out a DNSsec test. It enables classes of content and classes of service that are delineated by security zones.
In the absence of those kinds of drivers, registrars are still pondering whether to start offering DNSsec signing as a value-added service when people register domain names, but they’re not sure there is either understanding or demand.
I don’t think the market will understand the precise benefits here, and I don’t think the market needs to. We see plenty of examples where the perception of additional security is enough, said Stuart Schechter of MIT.
Ram Mohan, chief technology officer of Afilias Ltd, said: Give it a name, call it the ‘anti-pharming system’ then you have the attention of the business folks.
Schechter pointed to the web server SSL certificate market as an example, where prices are often wildly different for essentially the same technology: A large part of market is willing to pay an additional $900 just for the VeriSign branding.
The registrar market also deals with razor-thin margins most of the time, so registrars are keen to figure out whether they will actually be able to see return-on-investment when they roll out DNSsec.
Adding cryptographic keys to DNS obviously adds costs to the infrastructure — cryptographic functions can be CPU-intensive, and there are additional storage, bandwidth and memory requirements for handling the keys.
Some registrars talk of adding a significant add-on fee for DNSsec expert services, while others talk of making domain registration a case of picking from two services — a domain name and a secure domain name, the latter costing more.
Others in the space talk not about the financial return from implementing the technology, but from the potential loss that could arise from not implementing it.
The answer is not return on investment, but return on risk, Afilias’s Mohan said. How much risk are you willing to take, how much risk do you want to mitigate, that is the metric that ought to apply.
Afilias is operator of .org, one of the first top-level internet domains to implement DNSsec. The company’s test-bed has been running for a month and has a handful of domains actively experimenting with the technology.
