I must admit that it is hard to write about DNSSEC in the current economic environment. But new technologies are one of the keys to generating wealth and that is the only way we get the economy back on its feet. The web is a huge enabler for business and lifestyle efficiency. Making it secure provides the confidence needed to more fully utilize this wonderful communications tool.
The Kaminsky cache poisoning vulnerability is not the only reason for widespread adoption of DNSSEC. But you may be asking what the heck is DNSSEC? For that matter, what is DNS?
For a technical overview of DNS, DNSSEC, and the Kaminsky vulnerability, start here: DNSSEC - DNS Security Extensions and here: An Illustrated Guide to the Kaminsky DNS Vulnerability. I’m going to keep this light and focus on benefits.
The DNS database is the phone book and the “Operator” for the Internet. When you visit a web site or send an email, you use the DNS to find the web or email server that your browser or email client needs to reach. Internal networks are similarly dependent upon DNS, as each PC, internal database, IP telephone and network printer within an organization has an IP address. IT infrastructure depends upon DNS; it is mission critical.
But the DNS is not secure, meaning users cannot be sure that they are communicating with the correct web or email server. They cannot know this with certainty today because there is no way to trust the answers that the DNS provides.
How will DNSSEC impact Internet users? It makes Internet communications more secure by ensuring that the responses from the DNS came from the authorized source and have not been altered in transit. What does this mean?
1. You will know with certainty that you have arrived at the correct web site. Today you can’t be sure. It resolves the Kaminsky vulnerability.
2. You will be able to trust SSL and VPN. Today they cannot be trusted with certainty.
3. It provides an essential trust anchor for cloud computing.
4. DNSSEC closes a DNS security hole for DKIM, or Domain Keys Identified Mail. Today email senders can be spoofed, resulting in phishing emails and SPAM. Also, today if email is not encrypted its contents can be spied upon. Authentication of email senders will substantially reduce if not eliminate SPAM and phishing emails.
5. Voice over Internet Protocol (VoIP) and other applications critically need DNSSEC authentication. More on this in a later post.
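How a client can tell whether a resolver actually checked that a response "came from the authorized source and has not been altered", shown as an added example that is not from the original post: the query sets the EDNS0 "DNSSEC OK" bit, and the reply header's AD flag reports that the resolver validated the signatures. The response headers are constructed sample data, and the AD flag is only meaningful when the resolver and the network path to it are trusted.

```python
import struct

FLAG_QR = 0x8000   # message is a response
FLAG_AD = 0x0020   # Authenticated Data: resolver validated the DNSSEC signatures
EDNS_DO = 0x8000   # "DNSSEC OK" bit, carried in the OPT record's TTL field
RCODE_SERVFAIL = 2

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid, qtype=1):
    """Build an A query (qtype=1) that asks for DNSSEC data via EDNS0."""
    # Flags 0x0100 = recursion desired; 1 question, 1 additional record (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, type 41, class = UDP size, TTL = flags, no data
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt

def classify_response(packet, expected_txid):
    """Report whether the resolver vouches for the answer."""
    if len(packet) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", packet[:4])
    if txid != expected_txid or not (flags & FLAG_QR):
        return "not-our-response"
    if (flags & 0x000F) == RCODE_SERVFAIL:
        # Validating resolvers answer SERVFAIL when signatures do not verify
        # (SERVFAIL can also have unrelated causes).
        return "servfail"
    return "validated" if flags & FLAG_AD else "unvalidated"

def sample_header(txid, flags):
    """Constructed 12-byte response header for the demo (carries no records)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    query = build_query("example.com", txid=0x1234)
    print(len(query), "byte query with the DO bit set")
    samples = [("signed zone", 0x81A0), ("unsigned zone", 0x8180), ("bad signature", 0x8182)]
    for label, flags in samples:
        print(label, "->", classify_response(sample_header(0x1234, flags), 0x1234))
```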
The world needs DNSSEC. Governments, businesses and organizations should do everything in their power to make sure their customers and constituents know with confidence that they can be reached securely through the web. The cost is trivial and the benefit for internet users is huge.