Feature
DNSSEC: Securing the global infrastructure of the Internet
Section snippets
The lookup process
To better understand how DNSSEC works, it is important to explain the role of the DNS in the Internet address lookup process.
A root name server is the first step in translating, or resolving, human-readable host names into IP addresses. It does so by answering requests for records in the root zone; such requests originate when Internet users type a website address, such as www.google.co.uk.
When a request is made, the root name server returns a list of authoritative name servers for the
Why is it important to sign the root?
Cache poisoning attacks allow hackers to interfere in the lookup process described above, substituting a malicious website for the legitimate response to an end-user's query. Nor is the damage limited to the individual user: because DNS answers are cached rather than looked up afresh for every request, a single attack could potentially affect a large number of end-users.
This is why, in order for DNSSEC to work, it requires a trust anchor. It is necessary to have a point in the DNS hierarchy that a
The role of ICANN on DNSSEC
ICANN is leading the DNSSEC initiative. To put an end to the risks posed by DNS attacks, ICANN is working with the Internet community, including domain name registries, registrars and all root name servers.
All of the world's 13 root name servers, including the K-root, which is operated by the RIPE NCC, have already deployed DNSSEC. The signing of DNSSEC at the root zone is administered by VeriSign, which also operates the A and J-root servers. The signing of the root zone started in January
DURZ and the DNSSEC trial stage
Following the signing of the J-root in May 2010, all root servers are now serving a Deliberately Unvalidatable Root Zone – or DURZ for short – which in practice means that root servers will return signed DNSSEC answers to queries asking for them.
The DURZ is important because the DNSSEC upgrade will attach a digital signature to every response from the root servers, where the DNS resolver software is configured to request signed answers to end-user website queries. These additional digital
OpenDNSSEC
To help drive adoption of DNSSEC, the OpenDNSSEC software was created. Simply put, it takes in unsigned zones, adds the signatures and other records for DNSSEC and passes this data on to the authoritative name servers for that zone. This software aims to simplify the combination of DNS and digital signing, relieving the administrator of this task after a one-time effort of setting it up.
All DNSSEC keys are stored in a security module and can be accessed via PKCS#11, a standard software
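The trust anchor described above and the DS record a parent zone publishes for a child's signing key are two ends of the same check: a validating resolver accepts a DNSKEY only if the digest of (owner name in wire form || DNSKEY RDATA) matches the DS it already trusts. The following is an added illustration, not code from the article or from OpenDNSSEC; the DNSKEY bytes are a constructed placeholder, not a real key, and the key tag and digest follow RFC 4034.

```python
import hashlib
import hmac
import struct

# DNSKEY flag bits (RFC 4034): ZONE key, and Secure Entry Point (a KSK / trust anchor).
ZONE_FLAG = 0x0100
SEP_FLAG = 0x0001

def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels; root is one zero byte."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte), algorithm (1 byte), public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum over RDATA, carry folded back in)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS record a parent publishes for a child's KSK (or the published root trust anchor):
    (key tag, algorithm, digest type, hex digest over owner-name-wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey, ds):
    """One link of the chain of trust: accept the DNSKEY only if it is a zone key and
    its tag, algorithm and digest match the DS (or trust anchor) the resolver already holds."""
    if not flags & ZONE_FLAG:
        return False
    tag, ds_alg, digest_type, digest = ds
    if digest_type not in (1, 2):
        return False  # unsupported digest type: treat the link as unverifiable
    computed = make_ds(owner, flags, protocol, algorithm, pubkey, digest_type)
    return (computed[0], computed[1]) == (tag, ds_alg) and hmac.compare_digest(computed[3], digest.upper())

if __name__ == "__main__":
    # Constructed sample root KSK; the public key bytes are a placeholder, not a real key.
    ksk = dict(owner=".", flags=ZONE_FLAG | SEP_FLAG, protocol=3, algorithm=8, pubkey=b"\x01\x02\x03\x04")
    anchor = make_ds(**ksk)
    print("trust anchor DS:", anchor)
    print("DNSKEY validates against anchor:", dnskey_matches_ds(ds=anchor, **ksk))
```

A DNSKEY whose key bytes, owner name or flags differ from what the DS was computed over fails the check, which is exactly how a tampered key injected by a cache-poisoning attack is rejected.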
Why DNSSEC?
DNSSEC provides an added layer of security against cache poisoning attacks, while other security solutions can help resolve more ‘visible’ hacker attacks, such as trojans and worms. Cache poisoning attacks are particularly dangerous, as once an end-user's computer has been infected with the malicious code, all future requests by that user's computer for the compromised web address will be redirected to the bad IP address.
Cache poisoning is especially dangerous when hackers target well-known and
About the author
Daniel Karrenberg is chief scientist at the Network Co-ordination Centre (NCC) of the Réseaux IP Européens (RIPE), where he heads the RIPE NCC's Science Group. The group researches, publishes and presents scientific and technical material and is involved in data collection and analysis. RIPE NCC is the not-for-profit organisation that supports the infrastructure of the Internet and operates the K-root name server. In the 1980s, Karrenberg helped to establish EUnet, which became the first pan-European Internet Service Provider (ISP). In 1992, he helped to establish the RIPE NCC, the first of the world's Regional Internet Registries (RIRs). He has helped to shape the Internet address space distribution policy and also brought the second DNS root name server to Europe in 1997.