Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project
DNS: Security Dont be a FOOL; The Law is Not DIY
- Security
- Encryption

Internet Addresses
- DNS
- History
- NTIA & Fed Activity
- ICANN
- Root Servers
- ccTLDs
- - .us
- - -.kids.us
- gTLDs
- - .gov
- - .edu
- - .mil
- - .xxx
- WHOIS
- WGIG
- ENUM
- IP Numbers
- - IPv6
- BGP
- NATs
- Ports
- Security
- Trademark
- AntiCybersquatter Consumer Protection Act
- Gripe Sites
- Truth in Domain Names
Telephone Addresses

Derived From: Derived From: Lennard Kruger, Internet Domain Names: Background and Policy Issues, Congressional Research Service p 10 (Oct. 28, 2009)

The security and stability of the Internet has always been a preeminent goal of DNS operation and management. One issue of recent concern is an intrinsic vulnerability in the DNS which allows malicious parties to distribute false DNS information. Under this scenario, Internet users could be unknowingly redirected to fraudulent and deceptive websites established to collect passwords and sensitive account information.

A technology called DNS Security Extensions (DNSSEC) has been developed to mitigate those vulnerabilities. DNSSEC assures the validity of transmitted DNS addresses by digitally "signing" DNS data via electronic signature. "Signing the root" (deploying DNSSEC on the root zone) is a necessary first and critical step towards protecting against malicious attacks on the DNS.19 On October 9, 2009, NTIA issued a Notice of Inquiry (NOI) seeking public comment on the deployment of DNSSEC into the Internet's DNS infrastructure, including the authoritative root zone.20 On June 3, 2009, NTIA and the National Institute of Standards and Technology (NIST) announced they will work with ICANN and VeriSign to develop an interim approach for deploying DNSSEC in the root zone by the end of 2009.21

Meanwhile, section 8 of S. 773, the Cybersecurity Act of 2009, would require that any renewals or modifications made to DOC contracts regarding the operation of IANA be subject to review by a Cybersecurity Advisory Panel. S. 773 would also require NTIA to "develop a strategy to implement a secure domain name addressing system."

Derived From: NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment GuidePDF, Exec. Sum. May 2006

Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a security objective. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. Availability of DNS services and data is also very important; DNS components are often subjected to denial of service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components.

DNS is susceptible to the same types of vulnerabilities (platform, software, and network-level) as any other distributed computing system. However, because it is an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems:

Because of these characteristics, conventional network-level attacks such as masquerading and message tampering, as well as violations of the integrity of the hosted and disseminated data, have a completely different set of functional impacts, as follows:

Based on these functional impacts, the deployment guidelines for secure DNS presented by NIST consist of the following generic and DNS-specific recommendations:

(ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective. - U.S. National Strategy to Secure Cyberspace , February 2003 p. 30

DNSSEC

DNS Security (DNSSEC) refers to the addition of data authentication and integrity protection to the DNS protocol. This is accomplished by the inclusion of public keys and the use of digital signatures to DNS information.

DNSSEC is designed to

DNSSEC does not

Administrative requirements for DNSSEC include

DNSSEC implementation concerns include

Currently, DNS Security is still in the experimental stage. There are currently several experimental tests of secure DNS zones. [NIST]

DNSSEC Deployment Status
RIPE NCC Zone by Zone as requested
dot ORG Testbed
Netherlands  
Sweden  
Japan  
Verisign dot net  

Trust anchor - signed areas within the DNS hierarchy without the whole hierarchy being signed. Where foo.acme is signed but .foo is not yet signed.

DNSSEC Documentation

DNSSEC Current Drafts

DNSSEC Status

  • 2005 Proposed Standard
  • Specs and Software exist. TLD deployment has begun.
  • Sweden (.se) and Bulgarian TLDs are reportedly operational.
  • .ARPA signed by IANA pursuant to IAB instruction
  • RIPE's portion of in-addr.arpa is signed
  • .ORG, .COM, and .NET have test beds
  • Others are in progress (.AERO)
  • Implementing .gov
  • DNSSEC is apparently a fed procurement spec (TCP/IP, Y2K, and OSI were all fed procurement specs)
  • Browser and desktop will take a while. About half of root servers are ready; they all have to be ready.

US Goverment Activity

  • DHS
  • COMMERCE
    • NTIA
    • Press Release : NTIA Seeks Public Comments for the Deployment of Security Technology Within the Internet Domain Name System For Immediate Release: October 9, 2008 WASHINGTON--Commerce's National Telecommunications and Information Administration (NTIA) today issued a Notice of Inquiry seeking public comments regarding the deployment of Domain Name and Addressing System Security Extensions (DNSSEC) into the Internet's DNS infrastructure, including the authoritative root zone.   Comments are due by November 24, 2008.  The Notice of Inquiry is available online at www.ntia.doc.gov .

      "NTIA is committed to preserving the security and stability of the DNS," Acting NTIA Administrator Meredith Attwell Baker said. "In light of existing and emerging threats to the Internet DNS, the time is ripe to consider solutions such as DNSSEC.  As we consider deploying this technology in the root zone, it is critical that we get feedback from all the interested stakeholders."

      Background

      The DNS is a critical component of the Internet infrastructure, which is used by almost every application to associate domain names with the Web addresses required to deliver information on the Internet.  The accuracy, integrity, and availability of the information supplied by the DNS are essential to the operation of any system or service that uses the Internet. 

      Over the years, a number of vulnerabilities have been identified in the DNS protocol that threaten the accuracy and integrity of the DNS data and undermine the trustworthiness of the system.  In particular, due to technical advances, vulnerabilities in the existing DNS have recently become easier to exploit.  Malicious parties may use these vulnerabilities to distribute false DNS information, and to improperly re-direct Internet users.

      DNSSEC was developed to mitigate these vulnerabilities.  Accordingly, the Department is exploring the deployment of DNSSEC at the top level of the DNS hierarchy, known as the root zone.

      NTIA is responsible for the development of the domestic and international telecommunications policy of the Executive Branch.

    • NIST
  • NSF
  • FCC

Links

Papers

News

  • ICANN Warns Firms Of Backdoors, Newsbytes 2/13/02

  • ICANN Appoints Security Chief, Newsbytes 2/13/02

  • ICANN: To Serve And Protect, Wired 11/13/01

  • ICANN Scraps conference agenda, goes big on security, Register 11/7/01

  • ICANN Volunteers for Homeland Defence, Register 10/1/01

  • ICANN to focus on Web Security, CNEWS 9/28/01

  • ICANN To Review Security of the Internet, IWeek 9/28/01

  • Internet overseer to focus on routing system's security at next meeting, Nando 9/28/01

  • © Cybertelecom ::