On 1 July this year, a signed (DNSSEC-enabled) root zone was published by the 13 root name servers. DNSSEC prevents hackers from redirecting traffic from legitimate websites to fraudulent ones, increasing Internet security for all. Anand Buddhdev, DNS Services Manager at the RIPE NCC, the not-for-profit organisation that supports the infrastructure of the Internet and operates the K-root name server, explains why DNSSEC is a crucial development that helps make the Internet safer for users.
The Domain Name System, or DNS, was created in 1984 to translate website addresses such as www.computerweekly.com into IP addresses that are understood by computers. It acts as a global, name-to-address mapping service and although it is not visible to most Internet users, DNS is an essential component for the functionality of the Internet.
Despite its importance, DNS was created without security features, potentially exposing Internet users to attacks. These attacks exploit a key weakness in the DNS system, which allows hackers to inject false data in DNS responses and direct users' web connections to other websites. This means that when users type in the name of a legitimate website, they are taken to a fraudulent one instead, which puts them at risk of phishing and other scams.
To prevent hackers from continuing to attack DNS, the Domain Name Server Security Extensions (DNSSEC) protocol was developed. This added security layer allows Internet users to type a website address and be assured that the website that is being displayed is coming from an authorised server. To achieve this, DNSSEC uses digital signatures that assure name servers that the DNS data they receive has not been intercepted or tampered with.
Why is it important to sign the root?
While DNSSEC does not resolve more 'visible' hacker attacks such as trojans and worms, it does provide an added layer of security for cache poisoning attacks. Cache poisoning is especially dangerous when hackers target well-known and trusted websites, where users may be inclined to enter personal details and passwords. Last year, for example, a successful attack against an ISP in Brazil redirected its customers to a fake clone of a prominent Brazilian bank portal that attempted to steal passwords and install malware. Alarmingly, attacks of this sort are becoming increasingly common.
Not only does this type of attack affect the individual user, but because DNS lookups do not happen for every request due to information being cached, a single attack could potentially affect a number of end-users.
This is why in order for DNSSEC to work, it requires a trust anchor. It is necessary to have a point in the DNS hierarchy that a DNS server explicitly trusts and from which a chain of trust can be established. Without this origin of trust, DNSSEC users would need to identify several trust anchors and continuously monitor them. For DNSSEC to be fully deployed, a complete chain of trust needs to be established. This begins with name servers serving the root zone, followed by the top level domains, all the way down to individual domains.
The role of ICANN on DNSSEC
The Internet Corporation for Assigned Names and Numbers (ICANN) is leading the initiative to build this chain of trust. To put an end to the risks posed by DNS attacks, ICANN is working together with the Internet community, including domain name registries, registrars and all root name servers, which are critical for the global infrastructure of the Internet.
In July, the world's 13 root name servers, including the K-root, operated by the RIPE NCC, deployed a signed root zone. The signing of the root zone is administered by VeriSign, which also operates the A and J-root servers. Root name servers are the first step in translating, or resolving, human readable host names into IP addresses that are used in communication between Internet hosts.
With the root zone signed, top level domains are now moving to deploy DNSSEC. In October five country code top-level domains for countries in Latin America and the Caribbean were signed to enable use of DNSSEC.
The key action for businesses is to be prepared for DNSSEC. If the rest of your chain of trust has deployed DNSSEC before you're ready, it could cause problems for your network.
As with all IT implementations, early planning means a smoother and more cost effective implementation. It's time to start doing something about DNSSEC before it is too late.
This was first published in October 2010