DNSSEC
When the current DNS architecture was originally deployed in 1983, the focus was on ensuring scalability and distributed management; security was a secondary concern. Over the years, security of the DNS infrastructure has become increasingly important as a number of high-profile incidents have come to light.
In 2003 the United States Government highlighted the DNS system as one of the key weaknesses in its 'National Strategy to Secure Cyberspace' whitepaper. This led to the development of a number of security propositions concerning the DNS infrastructure, one of them being DNSSEC.
DNSSEC stands for ‘Domain Name System Security Extensions’. Its intent is to protect Internet users from ‘cache poisoning’ attacks. In these DNS attacks the Internet user, whilst clicking on a hyperlink, is diverted to a rogue IP address.
In July 2010 the domain name system’s root zone was digitally signed, placing DNSSEC at the top of the DNS hierarchy. .com was also recently signed, along with other major TLDs. The signing is significant because it means that when an individual types in a domain name (such as example.com), they are able to trust the domain name because they trust the root zone.
How will DNSSEC improve online security?
In simple terms, DNSSEC will ensure that the data on IP addresses and domain names comes from a verified source, putting an end to redirection attacks. Effectively, the integrity of the DNS will be ensured because the data served by each server in the DNS hierarchy will be digitally signed. A name server or client resolving a name can therefore check the integrity of the data at each level, i.e. root, .com, example.com, www.example.com. If it does not get a correctly signed response, it will not make the connection.
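The level-by-level check described above can be sketched in code. This is an added example, not taken from the original page, and it goes one step beyond the text by showing the DS (delegation signer) digest that a parent zone publishes to vouch for its child's key. The key bytes are constructed placeholders, the function names are hypothetical, and verification of the record signatures themselves is left out.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of a domain name: length-prefixed lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, algorithm=13):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone, rdata):
    """What the parent publishes: key tag and SHA-256(owner name | DNSKEY RDATA)."""
    return key_tag(rdata), hashlib.sha256(wire_name(zone) + rdata).hexdigest()

def first_broken_link(chain, trust_anchor):
    """Walk from the root down. chain is [(zone, dnskey_rdata, ds_for_child)].
    Returns the first zone whose key does not match the DS held one level up,
    or None when every link matches."""
    expected = trust_anchor
    for zone, rdata, ds_for_child in chain:
        if make_ds(zone, rdata) != expected:
            return zone
        expected = ds_for_child
    return None

def build_sample_chain():
    """Constructed data: SHA-512 output stands in for 64-byte public keys."""
    zones = [".", "com.", "example.com."]
    keys = [dnskey_rdata(hashlib.sha512(z.encode()).digest()) for z in zones]
    ds = [make_ds(z, k) for z, k in zip(zones, keys)]
    chain = [(z, k, d) for z, k, d in zip(zones, keys, ds[1:] + [None])]
    return chain, ds[0]  # ds[0] plays the role of the configured root trust anchor

if __name__ == "__main__":
    chain, anchor = build_sample_chain()
    print("intact chain, broken link:", first_broken_link(chain, anchor))
    zone, _, ds = chain[1]
    chain[1] = (zone, dnskey_rdata(b"\x00" * 64), ds)  # key the root never vouched for
    print("unvouched .com key, broken link:", first_broken_link(chain, anchor))
```

A validating resolver treats the zone returned here as the point where trust stops and rejects every answer below it.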
Currently a small number of registries have already adopted the DNSSEC security extensions and NetNames will support DNSSEC for any TLDs which use it now and in the future.

