Frizbits’ Bits

February 24, 2009

DNSSEC slowly becoming a reality (Updated)

Filed under: Uncategorized — frizbit @ 9:48 am

Although it's not the full-featured implementation we would all like, DNSSEC seems to be more than just something on the drawing board now.

DNS is one of the more fragile pieces underpinning the internet.  Translating names to IP addresses seems pretty trivial.  It's just a big phone book, right?  Well, imagine the fraud that would ensue if people could change entries in the phone book.  Anywhere.  For anyone.  More than that even: that number you always dial to pay your cable bill?  One day you dial the same number and, as always, someone happily takes your payment details, but was it really the cable company?  That is exactly what a spoofed or poisoned DNS answer does: the name you typed is right, the address it resolved to is the attacker's.  I could go on and on with examples, but let's just say that security on the internet should get a big boost from this.

To greatly simplify, DNSSEC lets the operator of a zone cryptographically sign its DNS records.  Someone retrieving a record can then verify that it really came from that zone's key holder and was not altered on the way (cryptographically valid, which is not the same as accurate: a signed typo is still a typo).  The idea is that the DNS root would be signed (under the Dept of Commerce, which controls ICANN right now) and trust could flow down from there, each parent vouching for its children's keys.  The reality is that politics is slowing down the process.  ICANN has a temporary workaround in place, an interim trust anchor repository, that lets top-level domains (countries, etc.) sign their namespace and gives validators a central place to fetch those public keys.  The key exchange is a simple list right now.  This isn't the robust solution we need to scale to cover the entire internet, but it's a start.  The article below points out the concern that, with this in place, the better, more permanent solution may be delayed.

There is some meat here for those of us with actual domains to manage.  VeriSign hasn't announced its plans for .net and .com yet.  But again, a workaround is available in Trust Anchor Repositories.  Similar to the above, this gives lower-level domains the ability to sign their records and publish their public keys for everyone to validate, so a signed zone under an unsigned parent becomes an island of trust.  The catch is that a validating resolver has to import those keys as trust anchors and keep them current: if the zone rolls its key and the resolver still holds the old one, every answer from that zone fails validation.  Again, not a permanent, scalable solution, but better than nothing and a step in the right direction.

Of course all this has one catch.  Just like SPF records, which are intended to validate the source of email, publishing signatures does nothing until our clients and resolvers are configured to look for them, check them, and refuse answers that fail.  A resolver that doesn't validate hands back a forged answer exactly as happily as a signed one.
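As an added example (not from the original post, and not ICANN's or VeriSign's code), here is a toy model in Python of the chain of trust described above: a signed root vouching for .se via a DS record, an unsigned .com whose child signs anyway and publishes its key to a trust anchor repository, a forged answer, and a resolver that only refuses that forgery when it is configured to validate.  Everything in it is an assumption for illustration: the zone names, the constructed records, the textbook RSA on fixed Mersenne primes (deliberately insecure, so it runs with only the standard library), and the collapsing of KSK/ZSK, the DNSKEY self-signature and NSEC proofs into a single key per zone.

```python
"""Toy DNSSEC chain of trust: a signed root and TLD, an unsigned TLD whose child
publishes its key out of band (the trust anchor repository workaround), and a
resolver that only rejects forged answers when it is configured to validate.
Added example, not from the original post.  Toy RSA on fixed Mersenne primes
(insecure, chosen so it runs without third-party libraries); real DNSSEC also
splits KSK/ZSK, self-signs the DNSKEY RRset and proves unsigned delegations with NSEC."""
import hashlib

_PRIMES = {".": (2**521 - 1, 2**127 - 1), "se.": (2**107 - 1, 2**89 - 1),
           "example.se.": (2**61 - 1, 2**31 - 1), "example.com.": (2**19 - 1, 2**17 - 1)}

def make_key(p, q, e=65537):                       # constructed, factorable toy keys
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(name, rtype, rdata, n):               # SHA-256 of the canonical record, mod n
    h = hashlib.sha256(f"{name}|{rtype}|{rdata}".encode()).digest()
    return int.from_bytes(h, "big") % n

def sign_rrset(name, rtype, rdata, priv):         # RRSIG over one record
    return pow(_digest(name, rtype, rdata, priv["n"]), priv["d"], priv["n"])

def verify_rrset(name, rtype, rdata, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == _digest(name, rtype, rdata, pub["n"])

def key_digest(pub):
    """DS rdata: a hash of the child's public key, which the parent publishes and signs."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def make_zone(name):                              # no key defined -> an unsigned zone
    pub, priv = make_key(*_PRIMES[name]) if name in _PRIMES else (None, None)
    return {"DNSKEY": pub, "_priv": priv, "records": {}}

def add_record(zone, name, rtype, rdata):
    zone["records"][(name, rtype)] = (rdata, sign_rrset(name, rtype, rdata, zone["_priv"]))

def zone_chain(name, zones):
    """Zone names from the root down to the zone that owns `name`."""
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return ["."] + [z for z in suffixes if z in zones]

def validate(name, rtype, zones, anchors):
    """'secure', 'insecure' (no trust anchor covers the name) or 'bogus'."""
    chain = zone_chain(name, zones)
    trusted = None                                # key of the last zone we could verify
    for parent, child in zip([None] + chain, chain):
        key = zones[child]["DNSKEY"]
        if key is None:                           # unsigned zone: the chain breaks here
            trusted = None
            continue
        if key_digest(key) in anchors:            # root anchor, or a TAR-published key
            trusted = key
            continue
        if trusted is None:                       # nothing above us is trusted yet
            continue
        ds = zones[parent]["records"].get((child, "DS"))
        if ds is None:                            # parent never published a DS
            trusted = None
            continue
        rdata, sig = ds
        if rdata != key_digest(key) or not verify_rrset(child, "DS", rdata, sig, trusted):
            return "bogus"
        trusted = key
    if trusted is None:
        return "insecure"
    rec = zones[chain[-1]]["records"].get((name, rtype))
    return "secure" if rec and verify_rrset(name, rtype, rec[0], rec[1], trusted) else "bogus"

def resolve(name, rtype, zones, anchors, validating=True):
    """Only a validating resolver turns a bad signature into a refusal (SERVFAIL)."""
    rdata, _ = zones[zone_chain(name, zones)[-1]]["records"][(name, rtype)]
    if not validating:
        return rdata, "unchecked"                 # signatures published but never looked at
    status = validate(name, rtype, zones, anchors)
    return (None, status) if status == "bogus" else (rdata, status)

def spoof(zones, name, rtype, fake_rdata):        # attacker swaps the answer, keeps old RRSIG
    recs = zones[zone_chain(name, zones)[-1]]["records"]
    recs[(name, rtype)] = (fake_rdata, recs[(name, rtype)][1])

def build_demo():
    """Signed root and .se; unsigned .com whose child example.com signs anyway."""
    zones = {n: make_zone(n) for n in (".", "se.", "com.", "example.se.", "example.com.")}
    for parent, child in ((".", "se."), ("se.", "example.se.")):
        add_record(zones[parent], child, "DS", key_digest(zones[child]["DNSKEY"]))
    add_record(zones["example.se."], "www.example.se.", "A", "192.0.2.10")
    add_record(zones["example.com."], "www.example.com.", "A", "192.0.2.20")
    root_anchor = key_digest(zones["."]["DNSKEY"])
    tar_entry = key_digest(zones["example.com."]["DNSKEY"])   # what a TAR would list
    return zones, root_anchor, tar_entry

if __name__ == "__main__":
    zones, root_anchor, tar_entry = build_demo()
    print(resolve("www.example.se.", "A", zones, {root_anchor}))               # secure
    print(resolve("www.example.com.", "A", zones, {root_anchor}))              # insecure
    print(resolve("www.example.com.", "A", zones, {root_anchor, tar_entry}))   # secure
    spoof(zones, "www.example.se.", "A", "198.51.100.66")
    print(resolve("www.example.se.", "A", zones, {root_anchor}))               # bogus
    print(resolve("www.example.se.", "A", zones, {root_anchor}, validating=False))  # unchecked
```

Running it shows the .se answer as secure, the .com answer as insecure until the example.com key is loaded from the repository, and, after the spoof, a validating resolver returning nothing (what a real resolver reports as SERVFAIL) while a non-validating one returns the attacker's address as if nothing had happened.  The "insecure" path is the one the .com caveat is about: the root anchor alone cannot reach example.com until .com itself is signed, which is exactly why the repository workaround exists, and also why a stale repository entry would turn a perfectly good zone bogus.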

Full article from Network World here.

Update:  VeriSign has released a statement saying it will support DNSSEC, but that .com will likely be the last zone to get it because of its size.  They expect to have it in place within 24 months.

