7/30/2019 7 Things You Should Know About Dnssec EST1001
1/2
What is it?Internet-connected devices are identied by IP
addresses,
though users typically only know web addressespeople can re-
member example.edu, or instance, more easily than
192.168.7.13. The Domain Name System (DNS) uses a
distributed
network o name servers to translate text-based web addresses
into IP addresses, directing Internet trac to proper
servers.
Though invisible to end users, DNS is a basic element o how
the
Internet unctions.
DNS was built without security, however, leaving Internet
trac
exposed to orged DNS data, which, among other things, allows
the spoong o addresses to redirect trac to malicious
websites.
DNS Security Extensions (DNSSEC) adds security provisions to
DNS so that computers can veriy that they have been directed
to
proper servers. DNSSEC authenticates lookups o DNS data (in-
cluding the mapping o website names to IP addresses) or
DNSSEC-enabled domains so that outgoing Internet trac (in-
cluding e-mail) is always sent to the correct servers, without
the
risk o being misdirected to raudulent sites.
Whos doing it?VeriSign administers the root, which supports all
top-
level domains (TLDs) (.com, .net, .ino, and so orth), and is
ex-
pected to implement DNSSEC or the root (sign the root) in
2010. Once that happens, DNSSEC trac can be validated at its
highest levelthe root. Several nationsincluding Sweden (.se
domain), Brazil (.br), Bulgaria (.bg), and the Czech
Republic
(.cz)have implemented the technology or their country-code
domains, and the Public Interest Registry has enabled DNSSEC
validation or the .org domain. As part o its compliance with
the
Federal Inormation Security Management Act o 2002, which re-
quires increased security or the nations cyberinrastructure,
the
U.S. ederal government has implemented DNSSEC or the .gov
domain. Until the root is signed, these domains will use a
surro-
gate authority to validate their DNSSEC-enabled web trac,
but
all TLDs will eventually use DNSSEC. EDUCAUSE is working
with
VeriSign to implement DNSSEC or the .edu domain, also in
2010,
and this eort is expected to provide guidance about best
prac-
tices to smooth the transitions o the much-larger .com and
.net
domains in 2010 and 2011.
How does it work?As data packets travel over the Internet, DNS
provides themaps that correlate web addresses with IP addresses and
route
trac to proper destinations. Because DNS does not provide a
mechanism to authenticate the data in name servers, orged or
Scenario
When Laura returns to campus ater the holiday break, she
is shocked to hear that she has been de-registered rom
classes due to nonpayment o tuition. She calls her parents,
who conrm that they paid her bill online in early December.
They tell her that when they went to the bursars website,
the page looked a bit dierent and asked or inormation
they had previously entered, but the browser displayed the
padlock icon indicating a secure connection, so they paid
the bill as usual. They assure her that the unds have
already
been transerred rom their bank account.
Laura heads over to the bursars oce, only to nd a crowd
o students in the same boat. As they talk about their pre-
dicament, they discover that they all paid their tuition
online
and that they all use the same regional ISP. Further
investi-
gation by the universitys IT sta conrms that the students
ell victim to DNS cache poisoninga kind o computer at-
tack in which hackers insert bad data into an ISPs name
server cache, which, as a result, directs Internet trac rom
an intended site (in this case, the bursars website) to
anoth-
er location. The hackers even purchased an SSL certicate
so that the bogus site would have the padlock icon. The uni-
versity has to let several hundred students re-register
with-
out having yet paid tuition, and the students and their ami-
lies spend months getting their banks to reund the money
that was raudulently transerred rom their accounts.
In the uture, as administrators o domains and websites im-
plement DNSSEC, such attacks will be prevented. DNSSEC
adds a set o security provisions to the way Internet trac
is routed through name servers, protecting users rom the
kind o attack Laura suered. When DNSSEC is implement-
ed, i a users computer is redirected to a bogus version o
a website, sotware that manages web trac will encoun-
ter security keys that should match but do not, indicating a
problem. In this way, DNSSEC will plug a undamental weak-
ness o the Internet.
THINGS YOU SHOULD KNOW ABOUT
DNSSEC
2010 EDUCAUSE
This work is licensed under a Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 License.
http://creativecommons.org/licenses/by-nc-nd/3.0/
educause.edu
more >>
7/30/2019 7 Things You Should Know About Dnssec EST1001
2/2
update their DNS sotware, and, in some cases, hardware
upgrades
will also be required. In addition, DNSSEC might degrade the
speed
o Internet lookups, resulting in a slower experience or end
users.
On top o the technical and resource-based challenges are
policyissues that will need to be resolved at an international
level. The
eort to implement DNSSEC or the root has renewed a
longstand-
ing debate about where control o the Internet resides.
Where is it going?Having the root and TLDs signed will provide
some incen-
tive or domain holders to implement DNSSEC because the chain
o trust can be established, but until a critical mass o domains
in-
corporate the technology, the benets might not seem to
justiy
the eort. Administrators o most TLDs are expected to develop
resources to help ease the implementation o DNSSEC or domain
holders, but many o the thorniest technical issuesabout not
only
the transition to but also the maintenance o DNSSEC in
practice
still need to be sorted out. Presumably, as domains begin
imple-menting DNSSEC in large numbers, momentum will grow and
sus-
tain the transition, but it remains to be seen how long the
process
might take or at what point a mandate to implement DNSSEC
will
be required or ull adoption.
What are the implications or highereducation?
The risks posed by DNS and the benets o implementing DNSSEC
have special signicance or higher education. Colleges and
uni-
versities are expected to be good Internet citizens and to
lead
by example in eorts to improve the public good. Because
users
tend to trust certain domains, including the .edu domain,
more
than others, expectations or the reliability o college and
univer-
sity websites are high. To the extent that institutions o
highereducation depend on their reputations, DNSSEC is an avenue
to
avoid some o the kinds o incidents that can damage a univer-
sitys stature.
In more tangible terms, higher education institutions store
enor-
mous amounts o sensitive inormation (including personal and
nancial inormation or students and others, medical inorma-
tion, and research data), and they maintain valuable online
assets
to which access must be eectively restricted. DNS attacks
result
in stolen passwords, disrupted e-mail (which oten is the
channel
or ocial communications), exposure to malware, and other
problems. DNSSEC can be an important part o a broad-based
cybersecurity strategy.
EDUCAUSE is a nonproft membership association created to
supportthose who lead, manage, and use inormation technology to
benefthigher education. A comprehensive range o resources and
activitiesis available to all EDUCAUSE members. The associations
strategicdirections include ocus in our areas: Teaching and
Learning; Managingthe Enterprise; E-Research and E-Scholarship; and
the Evolving Role oIT and Leadership. For more inormation, visit
educause.edu.
corrupt data in a name server can direct trac to the wrong
servera weakness that malicious parties use to their advan-
tage. DNSSEC adds digital signatures that ensure the
accuracy
o lookup data, guaranteeing that computers can connect to
le-gitimate servers.
With DNSSEC, a series o encryption keys are handed o and
authenticatedthe second-level domain (SLD) key (rom exam-
ple.edu) is authenticated by the TLD (.edu), and the TLD key
is
authenticated by the root. In this way, when an SLD, its
parent
TLD, and the root are all signed, a chain o trust is created.
(Holders
o SLDs can implement DNSSEC beore their TLD or the root is
signed, creating so-called islands o trust that rely on
intermedi-
ate measures to validate their encryption keys.) I the
encryption
keys dont match, DNSSEC will ail, but because the system is
backwards-compatible, the transaction will simply ollow
stan-
dard DNS protocols.
The value o the system will come when the root, the TLDs,
and
SLDs are signed, allowing DNSSEC to be used or all Internet
tra-
c. At that point, when DNSSEC ails, users will not be routed
to
bogus servers, and they might also be notied that
nonmatching
DNSSEC keys prevented their transaction rom going through.
Why is it signifcant?Hackers continue to exploit the security
weakness o DNS
to their advantage. By caching address inormation, name
servers
dont have to look up the IP address every time a requently
vis-
ited site is accessed, and this speeds up the experience or
end
users. I hackers are able to insert a bogus IP address into a
cache,
however, all users o that name server will be directed to
the
wrong site (until the cache expires and is rereshed).
Corruptingthe operation o DNS in this way can lead to many kinds o
raud
and other malicious activity. By plugging some o the largest
se-
curity holes in the Internet, DNSSEC has the potential to
signi-
cantly expand the trustworthinessand thus the useulnesso
the Internet as a whole.
What are the downsides?Fully implementing DNSSEC will require an
enormous
amount o work across every quarter o the Internetsigning the
root and the TLDs is simply the tip o the iceberg. Participation
is
voluntary at this time, and the benet that DNSSEC ultimately
provides will be a refection o the willingness o domain
holders
to do that workthat is, the value o DNSSEC will be in direct
proportion to the number o sites that implement it. Even ater
theroot and the TLDs are signed, the advantage o DNSSEC will be
qualied by uneven rates o adoption.
Adding encryption keys to Internet lookups introduces
complex
logistical problems o managing those keys, such as how to
peri-
odically update keys without breaking the way name servers
(and
their caches) work, and how to accommodate the diering keys
and protocols o dierent TLDs. Name server sotware is still
evolving to support DNSSEC; many organizations will need to
January 2010
THINGS YOU SHOULD KNOW ABOUT
DNSSEC
