Small Signs of Progress on DNSSEC

ID THREATPOST:0B521A88205B239192FD7F7FBA78387A
Type threatpost
Reporter Dennis Fisher
Modified 2014-09-25T18:09:24


SEATTLE – DNS doesn’t have a lot of friends. It’s old, it’s kind of creaky and it has some insecurity issues.

The few friends it has have tried to help it out in the last few years with the addition of DNSSEC, but that hasn’t gone so well, either. The Internet hasn’t been quick to adopt DNSSEC, for a variety of reasons, but experts say there are grounds for optimism about the progress being made on DNSSEC adoption.

“DNS is one of the foundational protocols of the Internet. It was built a very long time ago, and as such, it’s insecure,” said Nick Sullivan of CloudFlare during a talk on DNSSEC at the Virus Bulletin conference here Wednesday.

DNSSEC is a set of extensions that was the Internet’s attempt to remedy the lack of security built into DNS. It provides protection against attacks such as DNS cache poisoning and establishes a long chain of trust among the resolvers. That trust is an important piece of the puzzle, as DNS wasn’t designed with security or trust in mind.

“Trust in DNS isn’t baked in by default,” Sullivan said.

Sullivan said that right now, only about 0.3 percent of the domains in the .com TLD are signed with DNSSEC and about 0.5 percent of .net domains are signed. Part of the reason may be that domain owners don’t necessarily see much benefit in deploying DNSSEC. Sullivan said CloudFlare, one of the larger DNS providers in the world, plans to deploy DNSSEC on its network by the end of the year.

There are still problems with DNSSEC, Sullivan said, including the fact that the extension allows an attacker to enumerate all of the names in a given zone. Still, he said that there are some positive signs in the DNSSEC saga.

“Balancing all of the pros and cons, you get security and trust. There are quite a few steps and we’re different ways along the road on all of them,” he said. “The trust chain is mostly established, but users aren’t alerted [to DNSSEC usage] right now. It’s slowly happening. We’re on the right track.”