With the signing of the root zone in July, organizations have to get serious about implementing DNSSEC, which provides DNS authentication throughout the hierarchies of the Internet. But DNSSEC also layers in significant complexity and management overhead. In particular, it requires continuous maintenance in two areas: the ongoing signing of DNS records to ensure that signatures never expire and secure, efficient management of encryption keys. These challenges make DNSSEC managed services an attractive option to in-house implementation.
Until now, DNS records only had to be changed when records were added or removed. Now DNSSEC adds keys to each zone, such as "acme.com," and those keys generate signatures that expire after a relatively short period (for example, a month). If the signatures are not renewed, validating resolvers will treat the records as invalid. In short, acme.com will be broken. Government agencies are under particular pressure because of an Office of Management and Budget mandate to implement DNSSEC following the signing of the .gov top-level domain (TLD) in 2009. The expected signing of the .com and .net TLDs under the root zone in the first quarter of 2011 will clear the way for general adoption.
DNSSEC requires management of two sets of public-private key pairs, the Zone Signing Keys (ZSK) for each zone, which must be rotated frequently (say, weekly), and the Key Signing Keys (KSK), which only need to be rolled over every year or two. Key management has often been the deal-breaker that prevented organizations from implementing encryption on any significant scale, and it is essential for DNSSEC. Poor key management presents security risks, as keys are improperly secured, seldom changed, or shared among users. In addition, data can be made inaccessible, or, in the worst case, permanently irretrievable if keys are lost or corrupted.
This opens the door to managed DNSSEC. A number of managed DNS service providers have already announced DNSSEC services as part of their offerings. For example, Akamai, whose core business is focused on Web content and application optimization, has added DNSSEC support to its Enhanced DNS service. "Akamai offloads all the key management and associated rotation of cryptographic materials from customer so they can focus on the core business," says Willie Tejada, Akamai VP of application and site acceleration. "We've been doing it for some time with our SSL network and have had key management infrastructure in place for some years." Akamai charges in blocks of zones, starting at $4,000 per month for 50 zones.
BlueCat Networks, which sells IP address management, DNS and DHCP software and appliances, announced Proteus Cloud Services, which includes DNSSEC support for these integrated functions. The services are hosted by Afilias, a global provider of Internet infrastructure services, which is beta testing its own OneClick DNSSEC key management service combined with its managed DNS service. BlueCat charges for DNSSEC-supported services by query, starting at $300 per month.
Meanwhile, VeriSign plans to re-launch its own managed DNS services with DNSSEC support in 2011 to coincide with the signing of the .com and .net zones. "VeriSign can protect keys in a way enterprises can't, based on experience with SSL certs, and as a service provider we produce economies of scale," says VeriSign's Dan Larson, VP of DNS research. "VeriSign has racks of hardware security modules (HSMs). For a typical enterprise, that would be overkill from cost, overhead and management perspectives."
These service providers automate signature generation and key management. However, while many organizations will be glad to off-load key management headaches, they may be reluctant to outsource it unless they are confident the service provider is managing keys securely. The three service providers we spoke to cited their adherence to NIST guidelines for secure DNS deployment and management--Secure Domain Name System (DNS) Deployment Guide--which detail best practices for key rollover and security. The dnssec.net website is also an excellent source of DNSSEC news, information and advice.
Akamai, for example, rotates zone signing keys weekly and key-signing keys annually. The new key overlaps with the old so there will be no interruption. The existing key signs the balance of the zone as the new key is given time to propagate. Once the old key is retired, the rotation process begins again. Signatures last three days, and zones are re-signed at least daily to ensure that signatures do not reach expiration.
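The two maintenance tasks described above (keeping signatures from expiring, and rolling the ZSK with an overlap so that resolvers never see a signature from a key they have not yet fetched) can be checked with a small day-by-day model. This is an added example, not Akamai's or any provider's code; it uses the article's figures (three-day signatures, weekly ZSK rotation) and assumes a resolver caches the zone's DNSKEY set for two days.

```python
from dataclasses import dataclass

# Schedule figures quoted for Akamai in the article; day numbers are constructed.
SIG_LIFETIME = 3   # signatures last three days
ZSK_PERIOD = 7     # zone signing key rotated weekly
KEY_TTL = 2        # assumed: days a resolver may cache the zone's DNSKEY RRset

@dataclass(frozen=True)
class RRSIG:
    key_tag: int     # which ZSK produced the signature
    inception: int   # first day the signature is valid
    expiration: int  # first day it is no longer valid

def validates(sig, cached_keys, today):
    """Resolver-side check: the signing key must be in the DNSKEY set the
    resolver holds, and today must fall inside the validity window."""
    return sig.key_tag in cached_keys and sig.inception <= today < sig.expiration

def simulate(days, resign_every=1, prepublish=True):
    """Run a ZSK rollover day by day and return the days on which a resolver
    caching DNSKEY for KEY_TTL days would reject the zone as bogus."""
    published, active, next_tag = {1}, 1, 2   # authoritative DNSKEY RRset
    pending, retire = None, {}                # key awaiting activation; tag -> retire day
    sig = RRSIG(active, 0, SIG_LIFETIME)
    cached, fetched = set(published), 0       # resolver's DNSKEY copy and fetch day
    bogus = []
    for today in range(days):
        if today > 0 and today % ZSK_PERIOD == 0:       # publish the new ZSK
            published.add(next_tag)
            if prepublish:
                pending = (next_tag, today + KEY_TTL)   # sign with it only once caches have it
            else:                                       # no overlap: swap at once
                published.discard(active)
                active = next_tag
            next_tag += 1
        if pending and pending[1] == today:             # new key has propagated
            retire[active] = today + SIG_LIFETIME       # keep old key until its last RRSIG expires
            active, pending = pending[0], None
        for tag in [t for t, day in retire.items() if day <= today]:
            published.discard(tag)
            del retire[tag]
        if today - sig.inception >= resign_every or sig.key_tag != active:
            sig = RRSIG(active, today, today + SIG_LIFETIME)   # re-sign the zone
        if today - fetched >= KEY_TTL:                  # resolver refreshes DNSKEY on TTL expiry
            cached, fetched = set(published), today
        if not validates(sig, cached, today):
            bogus.append(today)
    return bogus
```

Running `simulate(28)` gives no bogus days, while `simulate(28, prepublish=False)` shows the days on which a resolver still holding the old DNSKEY set rejects the zone, and `simulate(7, resign_every=5)` shows the days on which signatures have simply expired.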
As a practical matter, look at a provider's track record with encryption services--SSL/TLS, in particular--and the associated key management. Enterprises should also consider DNSSEC's impact on their infrastructure. DNSSEC adds considerable packet overhead, which increases both processing load and bandwidth consumption. This may make acceleration services more attractive, especially in performance-sensitive transaction environments. Processing and bandwidth requirements should be evaluated, but VeriSign's Larson says enterprises that have invested heavily in DNS should not anticipate significant added infrastructure costs; their existing hardware and networks should be able to absorb the extra demands.
Two years after Dan Kaminsky's revelation of a serious vulnerability that leaves DNS servers open to compromise through cache poisoning attacks, DNSSEC is about to become a staple for Internet security. "DNS is now a target--Kaminsky was a big surprise," says Luc Roy, BlueCat VP of product management and marketing. "This is your brand, your online presence, the lifeblood of communication. DNSSEC is inevitable, and enterprises should probably get on sooner rather than later."