DNSSEC FAQ
What is DNS Security (DNSSEC)?
DNSSEC is a set of extensions to the Domain Name System (DNS) protocol. It protects against attacks that alter DNS data in transit or in a cache (for example cache poisoning) by providing origin authentication of DNS data, data integrity and authenticated denial of existence. It does not encrypt DNS traffic, so it adds no confidentiality.
The Domain Name System Security Extensions (DNSSEC), as described in [RFC4033], [RFC4034] and [RFC4035], define new resource record types (DNSKEY, RRSIG, DS and NSEC/NSEC3) and protocol modifications that permit security-aware resolvers to validate DNS Resource Records (RRs) by following a chain of signatures from one or more Trust Anchors held by those resolvers.

What does DNSSEC protect against?
DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. Without DNSSEC, a resolver sends a query out to the Internet and accepts the first response whose transaction ID, port and question section match; it has no way to tell whether the answer really came from the authoritative server. If a malicious system sends back a forged response first, the resolver uses that address until the cached record expires. This is bad enough when a single user's computer receives the bad data; it is much worse when the victim is a recursive name server that answers queries for an ISP, because then thousands of users are affected.

How does DNSSEC protect against this attack?
Each RRset in a signed zone carries a digital signature (an RRSIG record). When a user enters a domain name in a browser, a validating resolver verifies the signature using the zone's public key (a DNSKEY record), in the same way that PGP verifies a signed e-mail with the sender's public key. If the signature does not verify, the resolver treats the answer as bogus and returns an error (SERVFAIL) rather than passing the forged data on.
DNSSEC therefore ensures that the answer you receive is the one published by the zone's operator, unchanged. When a registrant registers a domain name, they can also have it secured with DNSSEC: by sending additional information (the Delegation Signer record described further down this page) to their registrar, registrants "sign" the delegation of their domain name. All answers from a signed zone are digitally signed. By checking the digital signature, a DNS resolver can confirm that the information is identical (correct and complete) to the information on the authoritative DNS server.

Why isn't DNSSEC used everywhere?
The reason for the slow deployment has to do with speed and, indirectly, cost. Signed responses carry keys and signatures, so they are considerably larger than ordinary DNS answers; they need more bandwidth and often exceed the 512-byte limit of classic UDP DNS, which requires EDNS0 support (or TCP fallback) along the whole path. For infrastructure providers, such as the top-level registries and large ISPs, DNSSEC deployment is a huge undertaking. There is also a "demand" problem: many people are not aware of the DNS at all, let alone of this specific weakness. We encourage our registrants to ask us about DNSSEC and how it will help protect their domain names.

How to deploy DNSSEC?
Current versions of BIND, Unbound and NSD are built with DNSSEC support. On an authoritative server you sign the zone (or have your DNS operator do so) and publish the DS record at the parent; on a recursive resolver you enable validation in the configuration (for example the option dnssec-validation auto; in BIND's named.conf, or auto-trust-anchor-file in Unbound), which uses the built-in root trust anchor. You can confirm that a resolver validates by querying a signed name with dig +dnssec: the ad (authenticated data) flag is set in the response only when validation succeeded. For end-user applications, such as web browsers and e-mail clients, contact your software provider.

What are some of the benefits of DNSSEC?
When properly maintained, a DNSSEC-signed zone gives extra security by preventing an attacker who injects or alters DNS responses (on the network path or through cache poisoning) from having the forged answers accepted. Any customer using a DNSSEC-validating resolver will not be at risk from spoofing of your domain's DNS data. Customers whose resolvers are not DNSSEC-aware will see no adverse effect: they won't get the protection, but they will continue to reach your domain name just as they always have. Note that DNSSEC authenticates DNS data only; it does not encrypt DNS traffic or protect the subsequent web or mail connection, so it complements rather than replaces TLS. The more domain names that use DNSSEC, the more websites and e-mail addresses on the Internet are protected.

What are some of the drawbacks of DNSSEC?
• You must actively maintain the extra DNSSEC data, including protecting the private keys, if you sign your own zone or run a security-aware DNS server.
• If a key is compromised, you must immediately roll it over to a new key.
• If you run a caching resolver that validates signatures, you must actively maintain its Trust Anchors (most resolvers can follow root key rollovers automatically, per RFC 5011, but this must be enabled and monitored).
• We will assist our customers in making their software DNSSEC-aware.
• There have been a few reported cases in which end users had to upgrade network gear, such as routers, switches and wireless access points, before they could resolve signed domain names. DNSSEC causes no problems for users who are not validating; the trouble arises when a DSL router or similar box acts as a forwarding resolver and mangles or drops the larger signed responses that a validating name server behind it needs.

What is a DNS resolver?
A DNS resolver is the program that sends a query into the DNS and returns the response to the application. The stub resolver on a user's computer usually forwards the query to a recursive resolver (typically run by the ISP or the organization), which does the actual lookups, caches the results and, if it is DNSSEC-aware, validates the signatures.

What is a key?
A key pair consists of two related keys: a private key, held only by the party that signs the zone (the registry for the TLD zone, or the zone operator for a domain), and a public key, published in the zone as a DNSKEY record. The private key is used to create the signatures (RRSIG records) over the zone data. End users' validators (or the validators at their ISPs) fetch the public key and use it alone to verify those signatures; unlike encrypted e-mail, no private key is needed on the validating side, and nothing is decrypted.

What is a key rollover?
A key rollover occurs when the registry (or any zone signer) replaces its key pair. The zone is re-signed with the new key, and the link to the new public key must be updated: for a key that validators chain to through a DS record in the parent zone, the DS record at the parent is replaced; for a key that validators hold directly as a Trust Anchor, the operators of those validating resolvers must install the new public portion of the key.

What would happen if people did not update their validating resolvers with the new registry zone key?
Once the old key is purged, domains in the registry zone that were signed would no longer resolve (validation would fail with SERVFAIL) for those people whose validators still trusted only the old registry key. It would not affect people who are not using DNSSEC; they would continue to see the domain name.

Since this could cause resolution problems, why would PIR ever do a key rollover?
There are two reasons. The first reason would be if one of the registry private keys were compromised (i.e., stolen) and had to be immediately revoked. The second is for prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.

How does a scheduled rollover help prevent key compromise?
DNSSEC uses public-key cryptography to "sign" a zone. No key is secure forever: the signatures and the public keys are exposed to anyone, and are therefore subject to cryptanalysis. It is possible in principle for an attacker to recover the private key of a key pair even though it was never disclosed, whether by "brute force" or by other attacks. Every such attack takes time. Periodically changing the key shortens the time an attacker has to attempt the compromise, and limits how much signed data a recovered key could be used to forge.

How will people be made aware of a key rollover?
It will be announced on the PIR Web site. Anyone using DNSSEC should watch for these announcements, especially ISPs, registrars and people using DNSSEC in applications.

How is a DNSSEC registration different from a current registry domain registration? What additional data are collected?
A DNSSEC registration must include the additional Delegation Signer (DS) information: the key tag, algorithm, digest type and digest of the zone's key-signing key. That information is provided by the registrar using the DNS Security extensions for EPP, originally specified in RFC 4310 (www.ietf.org/rfc/rfc4310.txt) and now by its replacement, RFC 5910.
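The DS record that a registrant hands to its registrar, and that validators use to link a zone's key to its parent, can be derived locally from the zone's DNSKEY. The Python below is an added example for the "What is a key?", "What is a key rollover?" and DS-registration questions above; it is not tooling from this registrar or from PIR. The two DNSKEY records are constructed placeholders with a 4-byte key field rather than a real RSA public key, and example.com is an assumed owner name. In practice dnssec-dsfromkey (BIND) or ldns-key2ds produce the same output; the value of doing it by hand is seeing exactly what the key tag and digest cover, and having a check that the DS at the parent still matches the child's DNSKEY set after a key-signing-key rollover.

```python
"""Derive a DS record from a DNSKEY and check that a parent's DS matches the child's
key set.  Key tag per RFC 4034 Appendix B, DS digest per RFC 4034 s.5.1.4 / RFC 4509."""
import base64
import hashlib
import struct

# IANA DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256 (what registrars expect), 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample records (not real keys): the public-key field is a 4-byte
# placeholder, so these cannot validate anything, but they use the real byte layout.
KSK_RR = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="   # flags 257 = zone key + SEP
ZSK_RR = "example.com. 3600 IN DNSKEY 256 3 8 AQIDBA=="   # flags 256 = zone key only


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Split 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'
    into (owner, rdata), where rdata is the wire-format DNSKEY RDATA."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))  # base64 may span several fields
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag: 16-bit sum with carry fold-in over the RDATA
    (valid for every algorithm except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA 'keytag algorithm digest_type hex_digest' for one DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    algorithm = rdata[3]
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_keyset(ds_rdata: str, dnskey_rrs) -> bool:
    """True if the DS published at the parent corresponds to a zone key (flag 0x0100 set)
    in the child's apex DNSKEY RRset.  Run this after every KSK rollover."""
    tag, algorithm, digest_type, digest = ds_rdata.split()
    wanted = f"{int(tag)} {int(algorithm)} {int(digest_type)} {digest.lower()}"
    if int(digest_type) not in DIGEST_ALGOS:
        return False
    for rr in dnskey_rrs:
        owner, rdata = parse_dnskey(rr)
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:          # a DS must point at a Zone Key; skip other keys
            continue
        if make_ds(owner, rdata, int(digest_type)) == wanted:
            return True
    return False


if __name__ == "__main__":
    owner, rdata = parse_dnskey(KSK_RR)
    ds = make_ds(owner, rdata)
    print("DS to send to the registrar:", owner, "IN DS", ds)
    print("parent DS matches child keyset:", ds_matches_keyset(ds, [ZSK_RR, KSK_RR]))
```

To use this on a live zone, paste the output of dig DNSKEY example.com into the key list and the DS RDATA from dig DS example.com (asked of the parent) into ds_matches_keyset; a False result after a rollover means the old DS is still at the registrar and validating resolvers will fail the zone once the old key is withdrawn.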

Where can I go to learn more about DNSSEC?
The dnssec.net and dnssec-deployment.org Web sites are both excellent resources to learn more about DNSSEC.
