“DNSSec is an absolute requirement if we want to continue to use the Internet for anything non-trivial.”
(Cricket Liu, “Why you need to deploy DNSSEC now,” InfoWorld, Aug 5, 2014)
DNS (Domain Name System) is an integral part of the Internet. It is the Internet's primary directory service, resolving resolve human-friendly names to unique addresses.
Unfortunately DNS is insecure and subject to manipulation. There are well known, long-standing vulnerabilities such as Kaminisky bug. We have seen the widespread DNSChanger botnet direct computers to rogue DNS servers. We have been witness to Brazilian ISPs falling victim to DNS cache poisoning. And in 2015, we saw attacks against routers with the Linux/Moose worm performing DNS hijacking.
Cyber-security continues to be an increasing concern; DNS is a vector for phishing and other scams. This can result in revenue loss, identity theft, and data breaches just to name a few consequences. And with the inevitable acceptance of IPv6 the dependence on DNS will grow. It is in the interest of all (businesses, governments, consumers) who use the Internet to make it secure.
DNSSEC is a major upgrade to the security of the Internet infrastructure. It provides us with authentication of DNS data, data integrity, and authenticated denial of existence. This will prevent many avenue of attacks like MITM (Man In The Middle) and cache poisoning. This will also enable the innovation of new technologies such as DANE and a global PKI (Public Key Infrastructure).
Moving to DNSSEC is not without expense and risk. There is always a learning curve associated with new technologies. And there is more administration overhead with DNSSEC, but tools continue to improve and ease management. Also legacy devices may have issue, but vendor support for DNSSEC continues to expand.
Topics I will be covering include:
- Overview of how DNS works
- and its vulnerabilities
- Explain how DNSSEC solves this
- and what DNSSEC is not
- Some challenges to deployment
- How to take advantage of DNSSEC today
- Possibilities DNSSEC provides