Will Security Worries Propel DNS Into the Cloud?
Thu, July 15, 2010
Network World — Security on the Internet's Domain Name System will be tightened today, with the addition of digital signatures and public-key encryption to the root zone. But will the deployment of DNS Security Extensions (DNSSEC) prompt more enterprises to outsource their DNS operations?
DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
The DNS root servers will begin supporting DNSSEC on July 15. This will enable secure DNS look-ups for the top-level domains that already support this standard, including .org for non-profits, .se for Sweden, .uk for the United Kingdom, .br for Brazil and .cz for the Czech Republic. Plans are underway for additional top-level domains, including .edu for universities and .net and .com for businesses, to add DNSSEC support over the next six months.
With the extra layer of encryption, DNSSEC makes DNS significantly more complicated, experts say. That's why service providers believe that more enterprises will begin outsourcing their DNS.
"DNSSEC takes the complexity level and really magnifies it. It's a game changer. It's not 10% harder now; it's twice as hard to manage DNS, and it's twice as hard on the machine size and the bandwidth," says Ben Petro, senior vice president of Network Intelligence and Availability at VeriSign (VRSN). "We can do all of this work for you and make DNSSEC easy."
"DNSSEC is so complicated. The protocol has worked great, but we see a lot of misconfigurations," said Sean Leach, CTO with Name.com, a domain name registrar that has dozens of customers who are testing DNSSEC. "I really do think that you're going to start seeing outsourced DNS as the norm."