Protecting the DNS protocol: How DNSSEC can help
Securing the DNS protocol is no joke. Learn what the DNS Security Extensions are and the efforts the United States government is taking to push DNSSEC adoption.
The DNS protocol was designed in the earliest days of the internet to allow names to be used instead of IP addresses, like techtarget.com instead of 172.30.128.56. Unfortunately, security features were not built into the DNS protocol because security wasn't a concern at that time. Attackers have found many ways to take advantage of DNS by forging DNS responses and otherwise tampering with DNS to cause victims to unknowingly be routed to the wrong destinations.
The Domain Name System Security Extensions (DNSSec) were developed as an add-on to the DNS protocol to stop these types of threats. Basically, DNSSEC adds digital signatures to DNS responses. With DNSSEC, when a computer sends a DNS query and gets a response back, the computer first verifies the digital signature in the response to make sure it is legitimate and hasn't been tampered with.
DNS security in the DNS protocol: Simple, except …
At its core, DNSSEC is a simple concept -- but implementing it is far more complicated. It relies on all the keepers of DNS records implementing and maintaining public key cryptography and DNSSEC features for their DNS servers. Public key cryptography can be a particularly challenging and complex area of security. DNSSEC also has a chicken-and-egg problem in that having DNSSEC-enabled servers isn't beneficial unless client computers (servers, laptops, smartphones, etc.) are also DNSSEC-enabled. But there's not much motivation for client computers to use DNSSEC unless the DNS servers already support it.
Efforts to expand use
After more than ten years, DNSSEC is still not that widely used. The U.S. government has pushed for DNSSEC adoption since 2006, when the National Institute of Standards and Technology (NIST) released the original Special Publication (SP) 800-81, "Secure Domain Name System (DNS) Deployment Guide." The publication was intended to help both U.S. government agencies and other organizations better understand DNS security concerns and how to address them. That included providing detailed explanations of how DNSSEC works and making recommendations on how to implement it. Since that time, NIST has updated SP 800-81 twice, with the latest version released in 2013.
A few years later, the government's Office of Management and Budget (OMB) released a memo requiring federal agencies to deploy DNSSEC. NIST updated SP 800-53 in 2010 to require the use of DNSSEC for high-impact government systems. The next version of SP 800-53, released in 2013, greatly expanded the requirements by mandating DNSSEC use for all U.S. government systems, regardless of impact level.
While the NIST publications and the OMB memo have made a significant impact on U.S. government DNSSEC adoption, in 2017 there were still government domains not using DNSSEC. However, over 90% do support it and were not found to have any errors during the independent testing. This demonstrates that adding on DNSSEC to the DNS protocol is feasible to implement and maintain in the real world. Other organizations should consider following the example set by government agencies and implementing DNSSEC for their own servers and clients.