
DNSSEC Showing More Signs Of Progress

The Domain Name System (DNS) security protocol is finally making inroads on the Internet infrastructure front, but big hurdles remain for widespread, smooth adoption

Jun 22, 2009 | 11:00 AM

By Kelly Jackson Higgins
DarkReading

It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name System (DNS) security protocol, and during the past few days, some commercial activity was associated with it.

HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.) announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers from getting hit with the DNS cache poisoning flaw uncovered last year by researcher Dan Kaminsky.

Momentum for DNSSEC began gradually in the wake of Kaminsky's finding and the subsequent patches vendors deployed -- first, the federal government expanded its plans to widespread DNSSEC adoption after initially recommending it only for some systems. Now all federal agencies must adopt DNSSEC by December 2009. And most recently, a federal official said publicly that the updated FISMA regulations will also require federal agencies to sign their intranet "zones" with DNSSEC by the middle of next year.

Kaminsky officially threw his support behind DNSSEC in February at Black Hat DC. He had mostly dismissed the protocol as a solution for securing DNS, but changed his position after studying the specification more closely.

"I am relatively new to the pro-DNSSEC cause. I just don't see another way to address the endemic cross-organizational authentication and bootstrapping issues we have today," Kaminsky says. "DNS has fixed everyone else's cross-organizational issues for 25 years. It can fix security's as well.

"We are definitely making progress."

Cricket Liu, vice president of architecture for Infoblox and author of several DNS books, says while the latest commercial announcements are interesting, the biggest news for DNSSEC this year was the signing of .org, and that the Department of Commerce's National Telecommunications and Information Administration (NTIA) said it would sign the .gov root within a year. "These have a bearing on the infrastructure -- that's a huge deal," Liu says.

And now the feds are planning to add to FISMA the requirement that federal agencies sign their internal zones -- their intranets -- with DNSSEC by mid-2010, Liu says. "And that's a lot more name space," he says.

ICANN earlier this month announced it will work with the NTIA, the National Institute of Standards and Technology (NIST), and VeriSign to ensure that the Internet's root zone is digitally signed with DNSSEC this year for security reasons. "ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long-term signing processes," Paul Twomey, president and CEO of ICANN, said in a statement.

The announcement earlier this month that the .org top-level domain had successfully DNSSEC-signed its zone was a major milestone for the security protocol, security experts say. But there's still plenty of work to do at all levels of the Internet infrastructure.

Enterprises, meanwhile, are facing some challenges in adopting DNSSEC. Kaminsky says businesses must look at DNSSEC as not just a DNS security solution, but also as "an answer for PKI's failings." DNSSEC will "enable a new generation of security solutions that actually work and scale," he says. "Resources should be assigned now to deal with the DNSSEC dependencies of those solutions."

Infoblox's Liu says most of the tools available today for managing signed zones are rudimentary. BIND, the most pervasive DNS server, has command-line controls for DNSSEC. "They are relatively difficult to use, and difficult to integrate into" other management tools, he says.

Kaminsky concurs: "The biggest challenges will be getting DNSSEC automated. BIND is just not where it needs to be for automation, and neither is MSDNS. There are third-party products that help, but we need the standard implementations to get better," he says.
