DNSSEC Test Site

THE .ORG INTERNET NEIGHBORHOOD has become the first generic top-level domain (TLD) to deploy domain name system security extensions (DNSSEC), though only a small clutch of registrars have signed up to the system so far.

DNSSEC is seen as the first step in securing the domain name system (DNS) against security threats that simply didn't exist at the Internet's conception. Steve Crocker, co-chair of ICANN's DNSSEC deployment initiative, said, "It [DNSSEC] will help curb threats like cache poisoning, DNS redirection and domain hijacking - all of which have been used to distribute malware and commit fraud such as identity theft."

The system revolves around certificates that digitally sign domain name records allowing for a trivial check to be made on the validity of answers returned by DNS servers.

The Public Interest Registry, which is in charge of the .org TLD, first announced its plans to deploy DNSSEC in June 2009. It has taken over a year to sign up 13 registrars to support the system, although one hopes that this announcement is merely the opening of the floodgates.

What is DNSSEC?

DNSSEC (Domain Name Security Extensions) is a set of extensions to the Domain Name System (DNS). It provides an authenticated DNS query response that is passed through what is called a “chain of trust.” By adding a digital signature to DNS data, DNSSEC addresses a specific DNS vulnerability that exposes Internet users to cache poisoning attacks.

What is the vulnerability in the DNS?

A caching name server, usually operated by an ISP (Internet Service Provider), does the efficient work of storing responses and sits as a mid-way point between an end user's computer and an authoritative server. The DNS was designed to allow this caching server to accept the first response it receives. Without the verification provided by DNSSEC authentication, a malicious user can flood this caching name server with a spoofed response that is, most often, intended to dupe the end user into providing personal and/or financial information to what appears to be his or her intended destination.

The result is that the caching name server does not just pass this spoofed response to the end user who initiated the query, but to any other user whose request for the same address passes through that same ISP’s caching system. Normally, a cached response expires after a reasonably short period of time – 24-48 hours. However, the malicious user is able to set an expiration date on the cached response that permits it to be displayed for a much longer time, increasing the likelihood that many more users will interact with the spoofed response.

How does DNSSEC work?

DNSSEC works through a system of keys. At each stage in supplying a DNS query response through the chain that takes it back to the initiator's machine, a known (published) key and the corresponding private key must be matched. In this way, the response to the query is authenticated and the response validated.

How do registrants DNSSEC-enable their domain names?

  1. Contact their DNS service provider, which generates a key.
  2. The DNS provider sends the key to the registry.
  3. The registry enters that key into the zone for that TLD.
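As an added example (not code from the original page or from the .org registry), the following Python shows what the registry actually publishes in step 3: the DS record, which carries a key tag and a hash of the DNSKEY rather than the key itself, and how a validator checks that a DNSKEY received from the child zone matches the DS published by the parent. The zone name and key bytes are constructed and not a real key; algorithm 8 and digest type 2 are the IANA numbers for RSA/SHA-256 and SHA-256.

```python
import base64
import hashlib

# Constructed example for an imaginary zone; the key bytes are made up, not a real key.
OWNER = "example.org."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8   # 257 = zone key with SEP bit (a KSK), 8 = RSA/SHA-256
PUBKEY_B64 = "AQIDBA=="                  # base64 of the constructed bytes 01 02 03 04

def owner_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule, not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest): the DS RDATA the parent publishes.
    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """Validator-side check: recompute the DS from the child's DNSKEY and compare all fields."""
    tag, alg, dtype, digest = ds
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)

if __name__ == "__main__":
    ds = ds_record(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(f"{OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
```

A real DNSKEY from a zone's provider can be fed through the same functions to reproduce the DS line a registrar submits; a mismatch in any field means validators will not be able to build the chain of trust for that zone.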
