DNS, the Domain Name System, is one of the major pillars of the Internet. It’s a critical service, and without it we would all have to use IP addresses instead of handy domain names like “Pingdom.com” when we want to visit websites, send emails, and so on.
However, DNS has a huge flaw. Because DNS lacks security features it has been relatively easy for hackers to trick DNS servers with false information. By tricking DNS servers, hackers have been able to hijack entire websites. Needless to say, attacks such as these are a security nightmare and can be used for a large variety of malicious purposes such as site defacement, phishing, malware installations, and more.
For example, last December (on the 17th) visitors to Twitter.com were redirected to a completely unrelated website for over an hour. All because of compromised DNS servers.
In a step to counter these kinds of threats, a set of security extensions called DNSSEC have been developed. However, actually deploying these security extensions and making them part of the Internet’s DNS infrastructure has proven a long and arduous process with many delays. DNSSEC adoption today is in all practicality pretty much non-existent.
Now finally something big is about to happen.
DNS security, the story so far
DNSSEC stands for Domain Name System Security Extensions, and just as its name implies, it adds a layer of security on top of the otherwise unsecure DNS. DNSSEC protects the integrity of DNS data and makes sure that it comes from a verified source.
With DNSSEC, site owners like for example Twitter can certify that they are the true originator of the Twitter.com domain and are therefore a credible source, and end users looking up domain names can verify that the result they get back is from a trusted source (e.g. the real Twitter).
One of the main problems so far has been that for DNSSEC to be a practical viability, it needs to be incorporated in the root zone, in the DNS root servers of the Internet. They are the core DNS servers that all other DNS servers depend on, like the roots of a tree or the foundation of a building. This so far hasn’t been the case.
But next week, this important step is finally about to happen. Or rather, it will start to happen,
DNS security extensions in the root zone
Next week we will enter a testing phase where ICANN, the main organizing body of the Internet, and Verisign, the registry of .com and .net, start adding DNSSEC to the various DNS root servers on the Internet.
Since the root servers are so critical the rollout will be incremental and is planned to last well into May, with plenty of testing of the results in the meantime to make sure that there are no problems. After all, breaking the root zone would essentially break the entire Internet.
Fortunately there isn’t any one single point of failure. There are 13 sets of root servers, numbered from A to M. In total there are about 200 root servers, spread all over the world.
Above: Map of root server locations. (From root-servers.org.)
Providing the testing goes well, the security changes to Internet’s DNS root servers will be made permanent on July 1. At this point security in the root zone will be switched on and we will have taken a big step toward a more secure Internet.
This is actually Big News. There will still be a lot of work to be done to get the entire DNS infrastructure to properly support DNSSEC on all levels, and this will take time, but once DNSSEC is included in the root zone, DNSSEC adoption is predicted to get a huge boost.
Then what will happen?
Once DNSSEC is part of the DNS root zone, it will be easy for website owners to secure their own DNS settings (in a similar way to how they can use SSL certificates to make secure web pages, to use an analogy). This will make attacks such as the DNS hijacking of Twitter much more difficult.
Expect a large number of big websites to jump on the DNSSEC bandwagon soon after DNSSEC is in place in the root zone, making their domains secure. When a few big names are on board, the rest will follow (or at least that is the theory!).
This is good news for everyone, site owners and end users alike, and we wish ICANN and Verisign the best of luck with the DNSSEC deployment!
