Signing The DNS Root Is Only One Step Forward

The DNS root zone was signed on July 15th, 2010. Did you feel it? Did you even notice? The root zone of the Internet is now more secure, signed cryptographically with DNSSEC. Unless you are really focused on DNS, you probably didn't notice. Frankly, this is a milestone for ICANN and friends, but it's not particularly actionable today or in the near future. Many other things have to happen before DNSSEC becomes useful for most of us, such as .com and .net being signed, and registrars, DNS servers, and workstations and other endpoints starting to support DNSSEC. It also needs to be widely deployed.

DNSSEC is one of those controversial protocols that some might say is a solution looking for a problem. It's no secret that DNS is wholly insecure and untrustworthy. There is no authentication or validation built in. Malware has changed how workstation DNS resolvers, aka stubs, resolve the names of anti-virus and software update sites by modifying a local file. Attackers have taken administrative control of accounts at registrars, as happened to Twitter in 2009, and changed the DNS server configuration. Attackers have poisoned DNS caches at ISPs. DNS works because forging DNS records is harder than you think, forgery is detectable in a short amount of time for a popular site, and there are other, easier ways to get valuable information from end users. Let's not forget the numerous attacks against DNS server software, which have little to do with the DNS protocols but are still pretty nasty.

The real question is what does DNSSEC get us? That is a much more subtle question. DNS is predicated on the fact that if I want you to reach a server I manage, I have to tell you where it is. Putting false information into DNS doesn't do me any good. There is an assumption of veracity because it doesn't make sense to lie in DNS ... unless you are a malicious attacker, that is. If an attacker wants to redirect traffic from a legitimate site to their site, or even through a proxy, then manipulating DNS is one way to do that, though perhaps not the easiest way. DNSSEC is supposed to provide you with an authoritative chain from the root, now signed, to the record that you requested. Some country TLDs like .se (Sweden) and .pr (Puerto Rico) have been doing this for a few years.

However, today, that chain is far from complete. TLDs like .com and .net have yet to be signed. .gov and .org were signed in 2009. There is still a lot of work to be done on all of the intervening infrastructure: DNS servers, firewalls and other network equipment that processes or passes DNS, host stub resolvers, and DNS registries will all have to support DNSSEC before you can put a check in the done column. We can celebrate when that starts happening. Then there still needs to be a reason to use DNSSEC over SSL/TLS, since both protocols can positively identify and authenticate a host.
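To make the "chain from the root" and its current gap concrete, here is an added example (not from the original article) that walks the DS-to-DNSKEY links from a root trust anchor down to a name, with a signed .org and an unsigned .com as described above. The zone data and key bytes are constructed placeholders, and the model is simplified: it checks only the DS digest link (SHA-256 digest type), not RRSIG signatures or signed proof that a DS record is absent, both of which a real validator requires.

```python
import hashlib

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, alg=8):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([3, alg]) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256): hash of owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def build_zones():
    """Constructed sample data; key bytes are placeholders, not real keys."""
    k = {z: dnskey_rdata(b"key-for-" + z.encode())
         for z in (".", "org.", "example.org.", "example.com.")}
    zones = {
        ".": {"dnskey": k["."], "ds": {"org.": ds_digest("org.", k["org."])}},
        "org.": {"dnskey": k["org."],
                 "ds": {"example.org.": ds_digest("example.org.", k["example.org."])}},
        "example.org.": {"dnskey": k["example.org."], "ds": {}},
        "com.": {"dnskey": None, "ds": {}},  # unsigned TLD
        "example.com.": {"dnskey": k["example.com."], "ds": {}},  # signed, no parent DS
    }
    return zones, ds_digest(".", k["."])  # second value: the root trust anchor

def chain_status(name, zones, anchor):
    """Walk root -> name: 'secure', 'insecure' (chain ends early) or 'bogus'."""
    labels = name.rstrip(".").split(".")
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    expected = anchor
    for i, zone in enumerate(path):
        if expected is None:
            return "insecure"  # parent publishes no DS: nothing vouches for this zone
        key = zones[zone]["dnskey"]
        if key is None or ds_digest(zone, key) != expected:
            return "bogus"  # the key does not match what the parent vouched for
        if i + 1 < len(path):
            expected = zones[zone]["ds"].get(path[i + 1])
    return "secure"

if __name__ == "__main__":
    zones, anchor = build_zones()
    for n in ("example.org.", "example.com."):
        print(n, chain_status(n, zones, anchor))
```

Note that example.com. comes back "insecure" even though the zone itself holds a key: with no DS record in an unsigned parent, the signed root cannot vouch for anything beneath it.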

Look, I am glad the root zone is signed. ICANN should be proud of the accomplishment. It's the culmination of work from a lot of people, both paid and volunteer. But it is still only one step and doesn't change the landscape much, at least not for the foreseeable future.