
DNSSEC
DNSSEC (DNS SECurity) is an emerging standard developed to help users gain assurance that the remote DNS server they are seeking to communicate with has been independently verified and is genuine.
DNSSEC is an emerging standard helping Net users with domain name verification through authentication.
One challenge for DNSSEC deployment faced by Registry operators is empowering the domain name owner with mechanisms to submit their unique domain name authentication key to the Registry. This process requires the key provider for a specific domain name to be authenticated, usually by the Registrar. The Registrar then needs to have mechanisms in place to accept keys from these providers and, in turn, submit the key data to the Registry for inclusion in the TLD zone file on behalf of their customer.
From an operator perspective, another challenge is the additional data elements required in the Zone File to accommodate DNSSEC, which make the size and management of the Zone Data increasingly complex. For example, when becoming DNSSEC compliant the zone size alone can increase by as much as eight times.
From the user's perspective, the challenge associated with DNSSEC is keeping the user informed as to occasions when DNSSEC is enabled and also when verification fails. As a consequence, Application Level providers need to ensure their products are optimised for DNSSEC compliance. Such issues can taint the benefits of DNSSEC and dampen its adoption by the user, and critical mass may only occur once DNSSEC is considered mature.
Regarding today's Root Server structure, four factors have been determined to have an impact on the scaling of the Root: DNSSEC, IPv6, IDNs and new TLDs. DNSSEC has been determined to have the largest impact on the scaling of the Root by having the largest increase in size to the currently small Root file. DNSSEC will:
DNSSEC is currently available in two different forms: NSEC and NSEC3. This paper explores the use by TLD Registry operators of a variation of DNSSEC with an Opt-Out option, an option achievable through NSEC3+OptOut. NSEC3+OptOut allows:
What Is DNSSEC?
DNSSEC is a mechanism for DNS data allowing end users the ability to verify their intended destination’s domain name.
DNSSEC is a verification mechanism for DNS data. It allows an end user to verify that the zone data they have been presented with was published by the person who holds the private key for that domain. If TLD operators obtain a referencing tag called a "fingerprint" of their customer's public key and include it in their zone, end users will be able to use this to verify the customer's zone data. Because the TLD operator signs these fingerprints (DS Records) with the TLD's own keys, an end user can use the TLD operator's keys to verify the customer's key and hence verify they have the right keys for the customer's zone. This is called the "chain of authentication".
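The "fingerprint" described above is the digest carried in a DS record. As an added example (not CommunityDNS code), this Python sketch derives the DS fields from a DNSKEY using the key tag algorithm of RFC 4034 and the SHA-256 digest of RFC 4509, then checks whether a submitted DS matches a child zone's key. The owner name example.com and the key bytes are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True only if the submitted DS is the fingerprint of this DNSKEY."""
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type != 2:  # this sketch handles SHA-256 digests only
        return False
    return (tag, algorithm, 2, digest_hex.upper()) == make_ds(owner, rdata)

# Constructed sample input: 32 placeholder bytes standing in for an Ed25519 key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(32))).decode()
CHILD_KEY = dnskey_rdata(257, 3, 15, SAMPLE_PUBKEY)  # 257 = zone key with SEP bit
OTHER_KEY = dnskey_rdata(257, 3, 15, base64.b64encode(bytes(32)).decode())

if __name__ == "__main__":
    ds = make_ds("example.com.", CHILD_KEY)
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches child key:", ds_matches("example.com.", CHILD_KEY, ds))
    print("matches other key:", ds_matches("example.com.", OTHER_KEY, ds))
```

The digest covers the owner name as well as the key, so the same key published under a different domain produces a different DS and fails the check.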
DNSSEC is not an encryption mechanism and provides no security to prevent snooping on what queries are being done by which users.
DNSSEC does not have an error correction mechanism.
DNSSEC Application providers have introduced, with different levels of success, an error recovery mechanism designed to clear out all data that has failed verification, back to the highest point where verification succeeded.
The added benefit of DNSSEC is the establishment of a “chain-of-authentication.”
In this way, DNSSEC provides additional mechanisms by which DNS resolution may fail. Therefore, some customers may prefer to take their chances with their existing zone data and keep the status-quo by not signing their zone.
For these users we must try and retain the existing stability, reliability and speed that has historically been a key feature of DNS resolution.
However, other domain holders, for example those dealing with financial transactions, may feel that it would be better that the end user is not presented with a web site at all than to run the risk of having the user sent to the wrong site.
For these users we must provide the ability for them to sign their zones and provide them with the chain of authentication they need in order for their zone data to be publicly verifiable.
CommunityDNS and DNSSEC
Having led DNSSEC testbeds with TLDs in 2004, 2005 and 2007, CommunityDNS understands the importance DNSSEC can bring to the overall security of the DNS. CommunityDNS first supported DNSSEC with NSEC as the platform was initially developed and, when NSEC3 was ratified in March 2008, CommunityDNS became compliant with NSEC3 and NSEC3 with OptOut shortly thereafter.
DNSSEC key signing process
ICANN appoints Paul M Kane, CEO, CommunityDNS, as one of seven Trusted Community Representatives (“TCR”) from the global community, holding two identical smart cards safeguarding the encrypted cryptographic fragment of the Recovery Key for the DNSSEC signing Key used to sign the ROOT Zone. This video describes the process of generating the cryptographic keys used for signing the ROOT Zone which was filmed at the first DNSSEC Signing Ceremony which took place on the 16th June 2010 - ready for DNSSEC Signed Root on the 15th July 2010.
Benefits of DNSSEC
This is of great benefit in itself between the end user and the destined site. However, it is undoubtedly in the new applications this will unlock that the true benefit of DNSSEC will become apparent.
Read More
- CommunityDNS's CEO holds Recovery Key Share for ROOT Zone
- Video: BBC and Paul Kane Discuss DNSSEC Trusted Community Rep.
- CommunityDNS Rolls Out DNSSEC Signing Tool: Secure-DNS.net
- DNSSEC – A Way Forward for TLD Registries; Method for faster adoption of DNSSEC - Providing greater security with minimal impact on customers, registries and Zone Management (Hint: With the use of NSEC3 with OptOut)
- Security Considerations – DNSSEC Technical Workshop
- DNSSEC Performance Using Various Zone Sizes: CommunityDNS Comparison Tests with BIND and NSD