DNSSEC not a panacea for cybercrime, but a step in the right direction

The global roll-out in mid-July of technology aimed at making the internet safer was billed as a decisive blow against cyber criminals, but has it made a difference?

Not really, according to security firms monitoring malware and infections of legitimate websites.

The problem is that the Domain Name System Security Extensions (DNSSEC), now enabled across the world's 13 root-name servers, tackle only a small subset of threats.

DNSSEC uses public-key cryptography to protect very well against forged DNS data, and will block man-in-the-middle attacks that rely on it by verifying that internet users are directed to a legitimate site and not to a fake set up to steal personal information.

Although this solves a serious problem, the vast majority of malware attacks are via legitimate websites that have been compromised, against which DNSSEC is powerless, says James Lyne, senior technologist at security firm Sophos.

"Legitimate web pages are still being compromised at the rate of one every two seconds, and over 80% of those tend to be legitimate web pages," he says.

Most malware infections continue because the problem lies at the application and content level, rather than in the fundamental infrastructure of the internet.

"For this reason, the roll-out of DNSSEC to the world's root-name servers has not changed things significantly," says Lyne.

To be effective, DNSSEC needs to be implemented down the whole DNS chain, from the root-name servers to internet service providers, says Kevin Hogan, senior director at Symantec Security Response.

A lot more work has to be done and many more milestones still need to be achieved before DNSSEC can make a real difference, he says.

The next important link in the chain is the registrars who control the top-level domains. A few of these top-level domains, including .uk and .org, are already using DNSSEC, but many more have yet to follow.

The link after that is the internet service providers (ISPs), which are expected to make most of the necessary changes in 2011, but no definite timeline has been set, and discussion in the industry is ongoing.

For most home users, the transition will be a relatively simple affair because the ISPs will do most of the work for them and the operating systems will deal with this transparently, says Lyne.

"But it gets really nasty when you get into enterprises, with all their legacy networking equipment, because this is a fundamental change in the protocol. It is changing away from the way the internet has worked for over 20 years," he says.

Legacy systems

Modern operating systems such as Windows 7 or XP SP3 support DNSSEC, so most enterprises will not have a problem there, but many are running routers and other network infrastructure on legacy platforms designed to work with protocols that are over 20 years old.

DNSSEC fundamentally changes what that protocol looks like on the wire, so legacy switches, routers and firewalls configured for the old model could choke on the larger DNSSEC packets and end up blocking them, says Lyne.

"This could be a horrifying thing, because without DNS you can do very little, and finding those incompatible devices in enterprises can be quite a challenge because they can be all over the place - such as under the floorboards or bricked into walls - and often no one knows how they are connected," he says.

For many enterprises, finding those legacy devices proactively will be difficult, says Lyne, and it is likely to be a case of identifying them as they break.
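The "larger packets" problem can be checked rather than waited for. The following script is an added example, not code from the article or from Sophos: it builds a DNS query with the EDNS0 OPT record and DO (DNSSEC OK) bit that a validating resolver sends, parses DNS wire format, and flags a signed reply that exceeds the 512-byte limit a pre-EDNS0 device enforces. The signed response is constructed inline with filler signature bytes (not a real signature) purely to reproduce a realistic size; the name example.com and the 192.0.2.1 address are placeholders.

```python
"""Wire-level DNS/EDNS0 helper (added example): build a DNSSEC-aware query,
parse responses and flag replies a 512-byte-only legacy device would drop."""
import struct

TYPE = {"A": 1, "OPT": 41, "RRSIG": 46}
TYPE_NAME = {v: k for k, v in TYPE.items()}
LEGACY_UDP_LIMIT = 512  # pre-EDNS0 maximum DNS-over-UDP message size (RFC 1035)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | data[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype="A", txid=0x1234, udp_size=4096, do=True):
    """Query with RD set and an OPT pseudo-record advertising EDNS0 buffer size and DO bit."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE[qtype], 1)
    # OPT: root name, type 41, "class" carries the UDP payload size,
    # "TTL" carries ext-rcode/version/flags with DO in the top flag bit.
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], udp_size, 0x8000 if do else 0, 0)
    return hdr + question + opt


def parse_message(data):
    """Parse header flags, skip questions, collect records and the OPT settings."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    msg = {"id": txid, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
           "rcode": flags & 0xF, "records": [], "opt": None, "size": len(data)}
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                   # qtype + qclass
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE["OPT"]:
            msg["opt"] = {"udp_size": rclass, "do": bool(ttl & 0x8000)}
        else:
            msg["records"].append((name, TYPE_NAME.get(rtype, rtype), rdata))
    return msg


def build_signed_response(name, txid=0x1234, sig_len=256, n_sigs=2):
    """Constructed reply: one A record plus n_sigs RRSIGs with filler signature bytes.
    Two signatures mirror a zone mid key-rollover, where old and new keys both sign."""
    hdr = struct.pack("!HHHHHH", txid, 0x81A0, 1, 1 + n_sigs, 0, 1)  # QR RD RA AD
    owner = encode_name(name)
    question = owner + struct.pack("!HH", TYPE["A"], 1)
    a_rr = owner + struct.pack("!HHIH", TYPE["A"], 1, 300, 4) + bytes([192, 0, 2, 1])
    # RRSIG rdata: type covered, algorithm, labels, original TTL, expiry,
    # inception, key tag, signer name, then the (filler) signature.
    sig_rdata = (struct.pack("!HBBIIIH", TYPE["A"], 8, 2, 300, 1300000000, 1290000000, 12345)
                 + owner + bytes(sig_len))
    sig_rr = owner + struct.pack("!HHIH", TYPE["RRSIG"], 1, 300, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 4096, 0x8000, 0)
    return hdr + question + a_rr + sig_rr * n_sigs + opt


def legacy_verdict(response, device_limit=LEGACY_UDP_LIMIT):
    """Summarise a reply and say whether a device capped at device_limit bytes drops it."""
    msg = parse_message(response)
    return {
        "size": msg["size"],
        "has_rrsig": any(t == "RRSIG" for _, t, _ in msg["records"]),
        "authenticated": msg["ad"],
        "truncated": msg["tc"],
        "would_be_dropped": msg["size"] > device_limit,
    }


if __name__ == "__main__":
    query = build_query("example.com.")
    reply = build_signed_response("example.com.")
    print("query OPT:", parse_message(query)["opt"])
    print("reply verdict:", legacy_verdict(reply))
```

The same parser applied to a real reply (captured with a packet sniffer or returned by a raw UDP socket on port 53) tells you three things at once: whether the resolver actually sends RRSIGs, whether the AD flag indicates it validated them, and whether the reply is larger than the oldest device on the path will forward. A reply that comes back truncated (TC set) means the resolver fell back to TCP, so a firewall that only permits UDP on port 53 is the next thing to check.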

Business continuity

Despite the difficulties and the lack of any deadline for switching to DNSSEC, Lyne says enterprises should consider making the move from a business continuity, as well as a security, point of view.

"DNS is such a core service, especially to e-mail, and I would take a more proactive stance, particularly as timeframes are announced, to ensure my networks do not stop processing DNS in certain parts and fall over and break," he says.

Not enough is being done to raise awareness of this issue, says Lyne, and although that may change as the timeframes become clearer for the global cascade of the protocol, it is still on the backburner for most organisations.

Over and above protocol compatibility issues, there are also political issues to be overcome, says Lyne, such as who gets to assign, own and validate DNSSEC certificates.

There may also be problems with countries that like to modify content, such as China.

"China is going to have many users accessing CNN.com, but they are going to get revised versions, and DNSSEC is going to be going wild, saying they are not talking to CNN, so there is a challenge of content control that will have to be rationalised," says Lyne.

"We are really only at the beginning of the cascade down the chain and I am sure many more issues will appear along the way. It is not going to be trivial."

Internet Protocol version 6

But, perhaps most importantly, the roll-out of DNSSEC lays a foundation for global deployment of Internet Protocol version 6 (IPv6), which includes security elements that could dramatically improve the security of the internet, says Lyne.

"DNSSEC is a useful enhancement, it is something people should support, and it is good precedence for much-needed change on the internet, so we can get on to some of the bigger issues like IPv6, which are increasingly pressing," he says.

The main driving force for the redesign of Internet Protocol is the imminent exhaustion of available IPv4 addresses.

This problem will be solved by IPv6, as specified by the Internet Engineering Task Force (IETF) and described in RFC 2460, published in December 1998.

Unlike IPv4, IPv6 includes support for encrypting traffic point-to-point opportunistically, which means all data traffic on a network could be encrypted regardless of the application in use.

"For someone accessing Salesforce.com using a public Wi-Fi connection, IPv6 could provide encryption and tamper resistance at the IP level, not only giving the basic confidence that DNSSEC gives that they are talking to the right host, but also ensuring the privacy of that information," says Lyne.

The ability to have traffic encrypted and prevent password sniffing would fundamentally improve the security of the fabric of networks across the globe.

"This is an often-missed extreme plus for IPv6, which is not just about name exhaustion. It is fundamentally a more secure protocol, and we are finally seeing moves to deployment after talking about it for years," says Lyne.

The roll-out of DNSSEC could ultimately be extremely positive, he says, because DNSSEC is like IPv6 in microcosm.

Lyne believes DNSSEC will be an interesting test case for the transition to IPv6, because even though it is a simpler enhancement, it is just as significant a protocol change.
