The Internet Corporation for Assigned Names and Numbers (Icann) believes that all members of the domain name system (DNS) ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the internet.
To facilitate these efforts, Icann is planning a series of events for the internet community to address DNS protection, starting with an open session during the Icann64 public meeting from 9-14 March 2019, in Kobe, Japan.
As one of many entities engaged in the decentralised management of the internet, Icann is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability.
Icann believes there is an “ongoing and significant risk” to key parts of the DNS infrastructure and has called for full deployment, across all unsecured domain names, of the DNS security extensions (DNSSEC), which are designed to overcome the security weaknesses of DNS.
Icann said the call comes in response to reports of increasing malicious activity targeting the DNS infrastructure, including warnings by the UK and US governments and security firms about a series of attacks that allowed suspected Iranian hackers to steal email passwords and other sensitive data from several governments and private companies.
The organisation has also published a list of recommended security precautions for members of the domain name industry (registries, registrars, resellers and related others) to take proactively to protect their systems, their customers’ systems and information reachable via the DNS.
The malicious activity reportedly includes a series of multifaceted attacks using different methodologies. Some of the attacks target the DNS: unauthorised changes are made to the delegation structure of domain names, replacing the addresses of intended servers with addresses of machines controlled by the attackers.
This particular type of attack targeting the DNS works only when DNSSEC is not in use, said Icann, adding that DNSSEC was developed to protect against such changes by digitally “signing” data to assure its validity.
Although DNSSEC cannot solve all forms of attack against the DNS, Icann said that when it is used, unauthorised modification of DNS information can be detected and users are prevented from being misdirected.
In August 2010, DNSSEC was rolled out for the world’s 13 root name servers to stop man-in-the-middle or DNS poisoning attacks, but it has still not trickled down to all top-level domain registrars, internet service providers and company websites that make up the bulk of the problem.
Icann is calling for full deployment of DNSSEC across all domains. While recognising that DNSSEC will not solve the security problems of the internet, Icann said the technology aims to assure that internet users reach their desired online destination, complementing other technologies, such as transport layer security (TLS).