DNSSEC will increase security, but could choke networks

The world's 13 root name servers have rolled out security extensions for the domain name system (DNSSEC) to stop man-in-the-middle and DNS poisoning attacks.

While this is a good thing, it will not address the problem of attacks through legitimate websites that make up the bulk of the problem, and could choke networks, according to James Lyne, senior technologist at security firm Sophos.

The rollout will trickle down from the root name servers to top-level domain registrars, internet service providers and eventually companies, but at that level it could cause disruptions if networks are not DNSSEC-ready.

The problem is that DNSSEC is a change from the way the internet has worked for over 20 years, so switches, routers and firewalls will have to be reconfigured to deal with things like larger DNS packet sizes, which could otherwise be blocked and clog things up.
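The "larger packet sizes" point is concrete: a signed answer routinely exceeds the classic 512-byte UDP limit, so a resolver must advertise a bigger buffer through EDNS0 and, if the path still truncates the reply, fall back to TCP port 53. Equipment that strips EDNS0, drops UDP fragments or blocks TCP/53 is exactly what breaks. The following is an added example (not code from the article or from Sophos) that builds such a query and classifies the reply so an administrator can see whether a given path delivers a full-size DNSSEC answer; the 4096-byte buffer, the sample responses and the `probe` helper are this example's own assumptions.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035) and EDNS0 constants (RFC 6891).
FLAG_QR = 0x8000          # message is a response
FLAG_TC = 0x0200          # answer was truncated to fit the UDP limit
FLAG_RD = 0x0100          # recursion desired
OPT_TYPE = 41             # EDNS0 OPT pseudo-record
DO_BIT = 0x8000           # "DNSSEC OK" bit in the OPT record's TTL field
CLASSIC_UDP_LIMIT = 512   # pre-EDNS0 maximum UDP payload
QTYPE_DNSKEY = 48         # a large, signed record set; a good size test


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, udp_size: int = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Build a query carrying an EDNS0 OPT record that advertises `udp_size`
    and (optionally) the DO bit, which asks the server to include RRSIG data."""
    # 1 question, 0 answers, 0 authority, 1 additional (the OPT record)
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt_ttl = DO_BIT if dnssec_ok else 0
    # OPT RR: root name, type 41, CLASS = advertised UDP size, TTL = flags, no options
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, opt_ttl, 0)
    return header + question + opt


def classify_response(resp: bytes) -> str:
    """Describe what a reply tells us about the path's DNSSEC readiness.

    truncated        -> the server or something in the path capped the UDP answer;
                        the resolver will retry over TCP/53, which must be open
    large-udp-ok     -> a reply bigger than 512 bytes arrived intact over UDP
    fits-classic-512 -> reply was small; this test says nothing about big answers
    """
    if len(resp) < 12:
        return "malformed"
    _txid, flags, *_counts = struct.unpack(">HHHHHH", resp[:12])
    if not flags & FLAG_QR:
        return "not-a-response"
    if flags & FLAG_TC:
        return "truncated"
    if len(resp) > CLASSIC_UDP_LIMIT:
        return "large-udp-ok"
    return "fits-classic-512"


def probe(server: str, name: str, qtype: int = QTYPE_DNSKEY, timeout: float = 3.0) -> str:
    """Send one EDNS0/DO query over UDP to `server` and classify the reply.
    Network helper for real use; the offline test below exercises the parsers only."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return "timeout"  # often a firewall silently dropping large UDP or fragments
    finally:
        sock.close()
    return classify_response(data)


if __name__ == "__main__":
    # Constructed sample replies standing in for what a probe would return.
    truncated = bytes.fromhex("123483800001000000000000")            # QR|TC|RD|RA
    big = bytes.fromhex("123481800001000100000001") + b"\x00" * 600  # QR|RD|RA, >512 bytes
    for sample in (truncated, big):
        print(classify_response(sample))
```

Run `probe("<your resolver IP>", "<a signed zone>")` from inside the network; a `truncated` or `timeout` result for a zone known to have a large DNSKEY set points at the middleboxes Lyne describes rather than at the zone itself, and is the cue to check EDNS0 passthrough, fragment handling and TCP/53 on the firewall.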

“This could be a horrifying thing because without DNS you can do very little,” says Lyne.

From a business continuity point of view, Lyne says administrators should start tracking down all their legacy network equipment now and begin reconfiguring it to handle DNSSEC, because it will have to be done sooner or later.

It would be better to be prepared for the change when it comes, he says, although this could be some way off and no deadline has been set. If businesses are unable to get up to speed fast enough, parts of their networks could stop processing DNS and fall over.

Not enough is being done to raise awareness of this issue, says Lyne, and it is still on the back burner for most organisations.

If you do not want to be caught napping, you have been given the heads-up. Start doing something about DNSSEC before it is too late. Another reason it is a good idea is that it will be a useful rehearsal for the transition to IPv6.