Domain Name System Security Extensions (DNSSEC) is a set of specifications set forth by the Internet Engineering Task Force for securing the various types of information provided by the Domain Name System (DNS) on IP networks. These extensions give resolvers (DNS clients) origin authentication of DNS data, data integrity, and authenticated denial of existence. They do not, however, provide confidentiality or availability. In short, the Domain Name System Security Extensions add authentication to the DNS so that the system as a whole is safer and more secure.
The Internet Engineering Task Force came up with these extensions to help minimize the vulnerabilities in the domain name system and protect it from the threats online. It can also increase the level of security of the entire Internet.
Traditionally, the domain name system looks up domain names and matches them to IP addresses. It had no way of knowing whether the domain name data came from the authorized domain owner or had been forged. This gives rise to several kinds of online attacks. For instance, it makes the DNS vulnerable to DNS cache poisoning. With DNS cache poisoning, a hacker replaces a valid IP address cached in the DNS table with a rogue address, so that lookups for the name are redirected to it. If you try to access the Web site behind a compromised DNS, you will be taken to a different site where you could get worms, hijackers, spyware, and other malware.
With Domain Name System Security Extensions, lookup data is verified using a chain of digital signatures and cryptographic keys. This also lets a resolver verify whether the answers it receives come from the legitimate source for the zone rather than from an impostor.
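The signature-and-key chain described above, as an added example that is not part of the original post: a simplified Python model of DNSSEC validation. It assumes a root zone that delegates `example.` through a DS record, uses a toy RSA built from fixed Mersenne primes (constructed and far too small for real use), constructed record values (`192.0.2.10`, `203.0.113.66`), and leaves out key tags, TTLs, NSEC records and the wire format. Two scenarios show why the cache-poisoning case from the previous paragraph fails validation: a swapped A record whose old RRSIG no longer matches, and a consistently signed fake zone whose key the parent never vouched for.

```python
"""Simplified DNSSEC chain of trust (added example, not a real resolver). Keys are
textbook RSA over fixed Mersenne primes (constructed, far too small for real use);
key tags, TTLs, wire format and NSEC are omitted. Kept: RRSIG over a canonical RRset,
a DS in the parent that hashes the child's DNSKEY, and a root trust anchor."""
import hashlib
from dataclasses import dataclass

# Constructed toy key material (Mersenne primes), deterministic so the example runs offline.
_ROOT_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)
_CHILD_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)

@dataclass(frozen=True)
class Key:
    owner: str  # zone the key belongs to
    n: int
    e: int = 65537
    d: int = 0  # private exponent; 0 on the public copy a resolver sees

def make_key(owner, primes):
    p, q = primes
    return Key(owner, p * q, 65537, pow(65537, -1, (p - 1) * (q - 1)))

def canonical(rrset):  # RFC 4034 canonical ordering, simplified: owner, type, sorted rdata
    owner, rtype, rdatas = rrset
    return "\n".join([owner.lower(), rtype, *sorted(rdatas)]).encode()

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_rrset(rrset, key):  # RRSIG: the zone signs the canonical RRset with its private key
    return pow(_digest_int(canonical(rrset), key.n), key.d, key.n)

def verify_rrset(rrset, sig, pub):
    return pow(sig, pub.e, pub.n) == _digest_int(canonical(rrset), pub.n)

def dnskey_rdata(key):  # flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256)
    return f"257 3 8 {key.e}:{key.n}"
def parse_dnskey(owner, rdata):
    e, n = rdata.split()[3].split(":")
    return Key(owner, int(n), int(e))
def ds_rdata(key):  # DS with digest type 2: SHA-256 over owner name + DNSKEY rdata
    return "8 2 " + hashlib.sha256((key.owner.lower() + dnskey_rdata(key)).encode()).hexdigest()

class Zone:  # a signed zone: every published RRset carries an RRSIG made with the zone key
    def __init__(self, name, key):
        self.name, self.key, self.rrsets = name, key, {}
    def publish(self, owner, rtype, rdatas):
        rrset = (owner, rtype, tuple(rdatas))
        self.rrsets[(owner, rtype)] = (rrset, sign_rrset(rrset, self.key))

def zone_chain(qname, zones):  # zones from the root down to qname, e.g. ['.', 'example.']
    labels = qname.rstrip(".").split(".")
    names = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [n for n in names if n in zones]

def validate(qname, qtype, zones, trust_anchor):  # True only if every link verifies
    parent_key = parent = None
    for zname in zone_chain(qname, zones):
        dnskey_rrset, sig = zones[zname].rrsets[(zname, "DNSKEY")]
        zkey = parse_dnskey(zname, dnskey_rrset[2][0])
        if not verify_rrset(dnskey_rrset, sig, zkey):
            return False  # DNSKEY RRset is not validly self-signed
        if parent is None:
            if zkey != trust_anchor:
                return False  # root key is not the anchor we were configured with
        else:
            ds_rrset, ds_sig = zones[parent].rrsets[(zname, "DS")]
            if not verify_rrset(ds_rrset, ds_sig, parent_key):
                return False  # the parent's DS RRset fails its own RRSIG
            if ds_rdata(zkey) not in ds_rrset[2]:
                return False  # the parent never vouched for this child key
        parent_key, parent = zkey, zname
    answer = zones[parent].rrsets.get((qname, qtype)) if parent else None
    return bool(answer) and verify_rrset(answer[0], answer[1], parent_key)

def build_zones():  # root delegates example. with a DS; both zones sign their own data
    root_key, child_key = make_key(".", _ROOT_PRIMES), make_key("example.", _CHILD_PRIMES)
    root, child = Zone(".", root_key), Zone("example.", child_key)
    root.publish(".", "DNSKEY", [dnskey_rdata(root_key)])
    root.publish("example.", "DS", [ds_rdata(child_key)])
    child.publish("example.", "DNSKEY", [dnskey_rdata(child_key)])
    child.publish("www.example.", "A", ["192.0.2.10"])
    return {".": root, "example.": child}, Key(".", root_key.n, root_key.e)  # public anchor

def scenario_poisoned_answer():  # A rdata replaced in the cache, RRSIG left as it was
    zones, anchor = build_zones()
    (owner, rtype, _), sig = zones["example."].rrsets[("www.example.", "A")]
    zones["example."].rrsets[("www.example.", "A")] = ((owner, rtype, ("203.0.113.66",)), sig)
    return validate("www.example.", "A", zones, anchor)

def scenario_forged_zone():  # a consistently signed fake example., but with an unvouched key
    zones, anchor = build_zones()
    bad_key = make_key("example.", ((1 << 127) - 1, (1 << 17) - 1))  # constructed
    fake = Zone("example.", bad_key)
    fake.publish("example.", "DNSKEY", [dnskey_rdata(bad_key)])
    fake.publish("www.example.", "A", ["203.0.113.66"])
    zones["example."] = fake
    return validate("www.example.", "A", zones, anchor)
```

The point to take from the two failing scenarios is that a resolver never trusts a key just because it is published alongside the data: each zone key is accepted only because the parent's signed DS record vouches for it, all the way up to the root trust anchor configured in the resolver.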
It may sound new to most, but these specifications were published by the IETF in 2005, specifically in three Request for Comments (RFC) documents:
- RFC 4033: DNS Security Introduction & Requirements
- RFC 4034: Resource Records for the DNS Security Extensions
- RFC 4035: Protocol Modifications for the DNS Security Extensions
In fact, Brazil, the Czech Republic, Sweden, Bulgaria and Puerto Rico were among the early adopters of the specifications and have used them for their country top-level domains (e.g., .br, .pr and .se).
However, while the Domain Name System Security Extensions are aimed at making DNS, and the Internet in general, more secure, implementing them is not compulsory. And because implementation has been largely voluntary, uptake of the specifications has been very slow. There are also a number of roadblocks, including the need for a standard that scales to the size of the Internet, remains backward compatible, and prevents zone enumeration where that is required or wanted. Deploying the implementations across different DNS resolvers and servers is also quite complex. Then there is the debate over who should own the top-level domain root keys, as well as confusion about the standards for second-level domains.
You can rely on Four Cornerstone to handle your Domain Name System Security Extensions implementations. Call us at 1 (817) 377-1144 and work with our team of experts to help you move ahead with Domain Name System Security Extensions.
Photo by Book Catalog.