DNSSEC now deployed in root DNS

July 19, 2010

DNSSEC has been enabled at the root zone, VeriSign says.

DNSSEC applies digital signatures to DNS for added security and authenticity.

The company has been working with others for years on this new technology.

Ken Silva is chief technology officer at the company and explains what DNSSEC is and how they’ve been preparing for it.

KS: DNS is the directory service of the Internet, if you will. That’s what converts the the name that you type to an IP address, which is actually how the packets find one another.

By digitally signing the answers to those, we’re ensuring the answers to those, we’re ensuring that they haven’t been forged or corrupted in any way on the way to the intended recipient. When you type in a website that you would like to go to, the answer that you get from our servers, or from anyone else’s who chooses to do DNSSEC, [there] will be a digitally signed answer that will be authenticated.

FCB: So, is this something that is going to mitigate all DNS attacks?

KS: It’s certainly not going to [do that]; in fact, it might even create some new ones. Packets are more complicated now. They’re larger.

So that’s one aspect of it — it complicates things a little bit, but from a security perspective, DNS, up until today, literally had no security associated with it whatsoever, other than a serial number that had to be attached to the message. That was pretty easily forged, and there’s been some publicized papers on how that could be done trivially.

So, what this does is prevent a foreign answer, or a forged answer, from reaching the intended recipient and directing them to a different location that where they should be going.

FCB: In the blogosphere, we’ve been reading that some are comparing this to Ipv6 in terms of an Internet standard that was a long time coming and a lot are still struggling to cope with. Do you think that’s a fair comparison?

KS: I think it is. They’ve both been adopted, or, at least, ratified standards for a number of years.

In comparing DNSSEC to IPv6 . . . they’re both complicated changes to the infrastructure. There hasn’t really been a significant change in DNS, really, in the last 25 years. Same thing with the IP address system. In order to make a subtle change to that, there’s a lot of equipment that relies on it performing the way that it currently is today. Any change in that could potentially cause disruption in pockets that we’re not even aware of — [if] someone has an old router in an old building someplace that doesn’t understand IPv6, or doesn’t understand DNSSEC. . . . Those things created problems.

So, we’ve spent the last couple of years in working with equipment vendors to find out which versions need to be patched, which pieces of hardware on the Internet infrastructure don’t work with DNSSEC. We’ve been working through those issues and we’ve deployed an interoperability lab. We’ve had a number of vendors bring equipment in, including home routers that people have. Initially, we don’t expect a large uptake with DNSSEC.

It’s not for everyone, and everyone probably won’t implement it right out of the gate. What we’re doing today is putting the underpinnings in to allow that to happen so that the rest of the Internet can implement DNSSEC as they see fit and as soon as they want to.

Until now, if they had chosen to implement DNSSEC, most of the underpinnings weren’t there for them to be able to do it. It had to be sort of cobbled together.

FCB: We do a lot of reporting about [the federal government’s] TIC — their trusted Internet connection policy. Is DNSSEC going to affect that at all, and has the federal government started preparing for DNSSEC?

KS: Oh they sure have. The U.S. government two years ago actually started the process of rolling out DNSSEC within the .gov domain.

Now, that has taken longer than they would have liked, and one of the reasons it has taken longer than they would have liked is that, in the process of implementing, they’re starting to see it’s not as easy to implement as traditional DNS.

It’s a bit more complicated than most people think on paper.

That’s why you do read in the blogosphere people saying, ‘This has taken far too long to implement.’ It’s taken as long as it’s taken because we’re talking about a fundamental change to the way that the Internet does domain names today if they chose to use DNSSEC. The great way about the way that it’s being implemented today is that everyone doesn’t have to implement DNSSEC overnight.

We’re not causing this tidal wave of everyone having to rush to their routers to make changes.

What we’re doing is we’re enabling the fundamental core piece at the root of distributing keys and signing the root answers from the very top. There’s a very select few people who run those services today, and they’ve all been working together on this unified roll out.

FCB: You’ve talked a little bit about what VeriSign’s been doing with DNSSEC. If you could go into a little more detail. Have you been helping the federal government out? And, we understand you have a panel coming up — if you could touch on that, too.

KS: We have been working with virtually everyone who runs DNS infrastructure, and that includes the federal government. We’ve been with ISPs.

We’ve been working with equipment manufactures, such as Cisco and software vendors, like Microsoft. So, we’ve been working with all of them to explain to them our findings, where we see potential problems and lessons learned. We’ve published . . . a couple of white papers and have talked to [the media] who have listeners and readers who are involved in the infrastructure to try to educate them on what the potential pitfalls could be and what the benefits are. . . .

At Black Hat, we’ve got a panel together, which will include myself, Dan Kaminsky . . . and others that will be discussing what led up to this change, how is the change going to make a difference and what are some of the potential risks to try to do it too early if you’re not actually ready for it — what actually could happen if you haven’t done everything that you need to do to get ready for it.