According to Wikipedia “The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality”.
Operators of the Internet’s authoritative root zone last week completed deployment of enhanced security protocols at the top level of the Domain Name System. The Internet’s 13 root zone DNS servers have been digitally signed using the DNSSEC since May. On July 15 the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests.
Digitally signed responses to DNS queries that can be cryptographically validated are more difficult to spoof or manipulate. This can help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware.
However, DNSSEC is not a complete solution to the DNS security problem. TLDs like .com and .net have yet to be signed; .gov and .org were signed in 2009. There is still a lot of work to be done on all of the intervening infrastructure: DNS servers, firewalls and other network equipment that processes or passes DNS traffic, host stub resolvers, and DNS registries will all have to support DNSSEC. There also still needs to be a reason to use DNSSEC over SSL/TLS, since both protocols can positively identify and authenticate a host.
However, no one can doubt the utility of this first step, which goes a long way toward ensuring secure and safer use of DNS. With the increasing use of DNS for malicious purposes, it is very important that we adopt internationally accepted uniform standards in this regard.