Upload
john-thomas-rogan
View
214
Download
0
Embed Size (px)
Citation preview
7/30/2019 7 Things You Should Know About Dnssec EST1001
1/2
What is it?Internet-connected devices are identied by IP addresses,
though users typically only know web addressespeople can re-
member example.edu, or instance, more easily than
192.168.7.13. The Domain Name System (DNS) uses a distributed
network o name servers to translate text-based web addresses
into IP addresses, directing Internet trac to proper servers.
Though invisible to end users, DNS is a basic element o how the
Internet unctions.
DNS was built without security, however, leaving Internet trac
exposed to orged DNS data, which, among other things, allows
the spoong o addresses to redirect trac to malicious websites.
DNS Security Extensions (DNSSEC) adds security provisions to
DNS so that computers can veriy that they have been directed to
proper servers. DNSSEC authenticates lookups o DNS data (in-
cluding the mapping o website names to IP addresses) or
DNSSEC-enabled domains so that outgoing Internet trac (in-
cluding e-mail) is always sent to the correct servers, without the
risk o being misdirected to raudulent sites.
Whos doing it?VeriSign administers the root, which supports all top-
level domains (TLDs) (.com, .net, .ino, and so orth), and is ex-
pected to implement DNSSEC or the root (sign the root) in
2010. Once that happens, DNSSEC trac can be validated at its
highest levelthe root. Several nationsincluding Sweden (.se
domain), Brazil (.br), Bulgaria (.bg), and the Czech Republic
(.cz)have implemented the technology or their country-code
domains, and the Public Interest Registry has enabled DNSSEC
validation or the .org domain. As part o its compliance with the
Federal Inormation Security Management Act o 2002, which re-
quires increased security or the nations cyberinrastructure, the
U.S. ederal government has implemented DNSSEC or the .gov
domain. Until the root is signed, these domains will use a surro-
gate authority to validate their DNSSEC-enabled web trac, but
all TLDs will eventually use DNSSEC. EDUCAUSE is working with
VeriSign to implement DNSSEC or the .edu domain, also in 2010,
and this eort is expected to provide guidance about best prac-
tices to smooth the transitions o the much-larger .com and .net
domains in 2010 and 2011.
How does it work?As data packets travel over the Internet, DNS provides themaps that correlate web addresses with IP addresses and route
trac to proper destinations. Because DNS does not provide a
mechanism to authenticate the data in name servers, orged or
Scenario
When Laura returns to campus ater the holiday break, she
is shocked to hear that she has been de-registered rom
classes due to nonpayment o tuition. She calls her parents,
who conrm that they paid her bill online in early December.
They tell her that when they went to the bursars website,
the page looked a bit dierent and asked or inormation
they had previously entered, but the browser displayed the
padlock icon indicating a secure connection, so they paid
the bill as usual. They assure her that the unds have already
been transerred rom their bank account.
Laura heads over to the bursars oce, only to nd a crowd
o students in the same boat. As they talk about their pre-
dicament, they discover that they all paid their tuition online
and that they all use the same regional ISP. Further investi-
gation by the universitys IT sta conrms that the students
ell victim to DNS cache poisoninga kind o computer at-
tack in which hackers insert bad data into an ISPs name
server cache, which, as a result, directs Internet trac rom
an intended site (in this case, the bursars website) to anoth-
er location. The hackers even purchased an SSL certicate
so that the bogus site would have the padlock icon. The uni-
versity has to let several hundred students re-register with-
out having yet paid tuition, and the students and their ami-
lies spend months getting their banks to reund the money
that was raudulently transerred rom their accounts.
In the uture, as administrators o domains and websites im-
plement DNSSEC, such attacks will be prevented. DNSSEC
adds a set o security provisions to the way Internet trac
is routed through name servers, protecting users rom the
kind o attack Laura suered. When DNSSEC is implement-
ed, i a users computer is redirected to a bogus version o
a website, sotware that manages web trac will encoun-
ter security keys that should match but do not, indicating a
problem. In this way, DNSSEC will plug a undamental weak-
ness o the Internet.
THINGS YOU SHOULD KNOW ABOUT
DNSSEC
2010 EDUCAUSE
This work is licensed under a Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 License.
http://creativecommons.org/licenses/by-nc-nd/3.0/
educause.edu
more >>
7/30/2019 7 Things You Should Know About Dnssec EST1001
2/2
update their DNS sotware, and, in some cases, hardware upgrades
will also be required. In addition, DNSSEC might degrade the speed
o Internet lookups, resulting in a slower experience or end users.
On top o the technical and resource-based challenges are policyissues that will need to be resolved at an international level. The
eort to implement DNSSEC or the root has renewed a longstand-
ing debate about where control o the Internet resides.
Where is it going?Having the root and TLDs signed will provide some incen-
tive or domain holders to implement DNSSEC because the chain
o trust can be established, but until a critical mass o domains in-
corporate the technology, the benets might not seem to justiy
the eort. Administrators o most TLDs are expected to develop
resources to help ease the implementation o DNSSEC or domain
holders, but many o the thorniest technical issuesabout not only
the transition to but also the maintenance o DNSSEC in practice
still need to be sorted out. Presumably, as domains begin imple-menting DNSSEC in large numbers, momentum will grow and sus-
tain the transition, but it remains to be seen how long the process
might take or at what point a mandate to implement DNSSEC will
be required or ull adoption.
What are the implications or highereducation?
The risks posed by DNS and the benets o implementing DNSSEC
have special signicance or higher education. Colleges and uni-
versities are expected to be good Internet citizens and to lead
by example in eorts to improve the public good. Because users
tend to trust certain domains, including the .edu domain, more
than others, expectations or the reliability o college and univer-
sity websites are high. To the extent that institutions o highereducation depend on their reputations, DNSSEC is an avenue to
avoid some o the kinds o incidents that can damage a univer-
sitys stature.
In more tangible terms, higher education institutions store enor-
mous amounts o sensitive inormation (including personal and
nancial inormation or students and others, medical inorma-
tion, and research data), and they maintain valuable online assets
to which access must be eectively restricted. DNS attacks result
in stolen passwords, disrupted e-mail (which oten is the channel
or ocial communications), exposure to malware, and other
problems. DNSSEC can be an important part o a broad-based
cybersecurity strategy.
EDUCAUSE is a nonproft membership association created to supportthose who lead, manage, and use inormation technology to benefthigher education. A comprehensive range o resources and activitiesis available to all EDUCAUSE members. The associations strategicdirections include ocus in our areas: Teaching and Learning; Managingthe Enterprise; E-Research and E-Scholarship; and the Evolving Role oIT and Leadership. For more inormation, visit educause.edu.
corrupt data in a name server can direct trac to the wrong
servera weakness that malicious parties use to their advan-
tage. DNSSEC adds digital signatures that ensure the accuracy
o lookup data, guaranteeing that computers can connect to le-gitimate servers.
With DNSSEC, a series o encryption keys are handed o and
authenticatedthe second-level domain (SLD) key (rom exam-
ple.edu) is authenticated by the TLD (.edu), and the TLD key is
authenticated by the root. In this way, when an SLD, its parent
TLD, and the root are all signed, a chain o trust is created. (Holders
o SLDs can implement DNSSEC beore their TLD or the root is
signed, creating so-called islands o trust that rely on intermedi-
ate measures to validate their encryption keys.) I the encryption
keys dont match, DNSSEC will ail, but because the system is
backwards-compatible, the transaction will simply ollow stan-
dard DNS protocols.
The value o the system will come when the root, the TLDs, and
SLDs are signed, allowing DNSSEC to be used or all Internet tra-
c. At that point, when DNSSEC ails, users will not be routed to
bogus servers, and they might also be notied that nonmatching
DNSSEC keys prevented their transaction rom going through.
Why is it signifcant?Hackers continue to exploit the security weakness o DNS
to their advantage. By caching address inormation, name servers
dont have to look up the IP address every time a requently vis-
ited site is accessed, and this speeds up the experience or end
users. I hackers are able to insert a bogus IP address into a cache,
however, all users o that name server will be directed to the
wrong site (until the cache expires and is rereshed). Corruptingthe operation o DNS in this way can lead to many kinds o raud
and other malicious activity. By plugging some o the largest se-
curity holes in the Internet, DNSSEC has the potential to signi-
cantly expand the trustworthinessand thus the useulnesso
the Internet as a whole.
What are the downsides?Fully implementing DNSSEC will require an enormous
amount o work across every quarter o the Internetsigning the
root and the TLDs is simply the tip o the iceberg. Participation is
voluntary at this time, and the benet that DNSSEC ultimately
provides will be a refection o the willingness o domain holders
to do that workthat is, the value o DNSSEC will be in direct
proportion to the number o sites that implement it. Even ater theroot and the TLDs are signed, the advantage o DNSSEC will be
qualied by uneven rates o adoption.
Adding encryption keys to Internet lookups introduces complex
logistical problems o managing those keys, such as how to peri-
odically update keys without breaking the way name servers (and
their caches) work, and how to accommodate the diering keys
and protocols o dierent TLDs. Name server sotware is still
evolving to support DNSSEC; many organizations will need to
January 2010
THINGS YOU SHOULD KNOW ABOUT
DNSSEC