DNS Security

... has always been a hot topic, considering that it is the cornerstone of the Internet. Without DNS, or with a broken DNS, the Internet stops working (correctly), so it’s important that this building block is always in top shape, something that has been lacking from time to time. Considering its age and what it was originally designed to address, it has done well so far, but it has to do more for the foreseeable future while maintaining that all-important compatibility with previous releases/versions. No one is really in the position to just upgrade the Internet.

But the security aspect is littered with politics, corporate/government agendas and backward compatibility requirements for obvious reasons, and it’s been quite a slog to get to a point where everyone will agree on the changes required going forward. One such change with security in mind is DNSSEC, which provides a means for zones/DNS records to be signed and a mechanism for DNS servers to validate the cryptographic signature of a domain by traversing the DNS tree up to the root – if the check fails, the DNS server simply rejects/ignores it.

The main problem at the moment is that all TLD zones need to be signed by the next level up – the root domain, which is currently not signed, and this is where all the fuss is. In addition, as someone who has done training on DNSSEC, it is not a simple thing to sign domains, especially on top of the standard administrative requirements for DNS. So anyone using DNSSEC now needs to install trust anchors for each signed zone on their servers. This is of course a big issue …
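To make the chain-of-trust walk and the trust-anchor problem from the two paragraphs above concrete, here is an added example (not from the original post) that models only the DS → DNSKEY linkage between parent and child zones, with the DS digest computed as RFC 4034 specifies; RRSIG signature verification is left out, and all zone names and key material are constructed.

```python
import hashlib

# Added example, not from the original post: models only the DS -> DNSKEY
# linkage of the DNSSEC chain of trust (RFC 4034 s5.1.4). RRSIG verification
# is omitted; zone names and key material are constructed.

def name_to_wire(name):
    """Encode a domain name as DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def validate_chain(zone, signed_zones, trust_anchors):
    """Walk from `zone` toward the root until a configured trust anchor matches.
    signed_zones: {zone: {"key": dnskey_rdata, "ds": {child: digest}}};
    trust_anchors: {zone: digest}. Returns (True, anchor) or (False, reason)."""
    current = zone
    while True:
        if current not in signed_zones:
            return False, f"{current} is not signed"
        digest = ds_digest(current, signed_zones[current]["key"])
        if trust_anchors.get(current) == digest:
            return True, current  # reached a configured anchor
        if current == ".":
            return False, "reached the root without a configured trust anchor"
        parent = current.partition(".")[2] or "."
        if parent not in signed_zones:
            return False, f"no signed parent above {current}"
        if signed_zones[parent]["ds"].get(current) != digest:
            return False, f"DS for {current} in {parent} does not match"
        current = parent

def sample_zones(root_signed):
    """Constructed hierarchy: example.org. under org.; root signed or not."""
    org = dnskey_rdata(257, 8, b"constructed org KSK")  # 257 = ZONE|SEP flags
    ex = dnskey_rdata(257, 8, b"constructed example.org KSK")
    zones = {"org.": {"key": org, "ds": {"example.org.": ds_digest("example.org.", ex)}},
             "example.org.": {"key": ex, "ds": {}}}
    if root_signed:
        root = dnskey_rdata(257, 8, b"constructed root KSK")
        zones["."] = {"key": root, "ds": {"org.": ds_digest("org.", org)}}
    return zones
```

With the root unsigned, `validate_chain("example.org.", sample_zones(False), {})` fails at `org.`, and only a per-zone anchor for `org.` rescues it; once the root is signed, a single root anchor validates the whole path.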

The only 2 signed TLDs at the moment are .se and .org – and ISPs in these zones are only authorizing their own zones and none other. Chicken and egg … the IETF, the Internet Society (ISOC) and DNS experts have been sitting around a table hosted by .SE this week to discuss the status of DNSSEC and other options for DNS going forward. More info here. Let’s hope they can all agree, as DNS sorely needs refreshing.