At the 2012 International Conference on Cyber Security held at Fordham University in New York last month, ICANN’s Dr. Richard Lamb gave an important presentation before all the event’s attendees titled DNSSEC: A Game Changer. Cyveillance caught up with Dr. Lamb afterward and asked if he could share information about DNSSEC with our cyveillanceblog.com audience.
Cyveillance: Can you explain briefly what DNSSEC is using non-technical terms, and why it’s so important?
Richard Lamb: DNSSEC (DNS Security Extensions) secures the Internet’s global “phone book” (the DNS or Domain Name System). Every time you enter a web site (www.google.com) or email (firstname.lastname@example.org), your computer uses the DNS to convert the domain name (www.google.com or bar.com) into a number (IP address), which is what is actually used to connect to and communicate (just like a phone number) with a web or email server on the Internet. The protocols behind DNS were designed back in 1983 and have little in the way of security built into them. Increased network and computer performance have made it easy to falsify DNS responses to return the wrong “phone number” and possibly send you to an impersonator. Dan Kaminsky, in 2008, demonstrated the ease with which this can be done, and recent attacks on 4M computers have driven the point home. DNSSEC adds digital signatures to existing records that allow machines to validate DNS responses so that this sort of attack can’t happen.
Cyveillance: This sounds like a fundamental change in the way the Internet operates. Is that accurate?
Richard Lamb: Not really. DNS operates as it did before, except now cryptographically generated digital signatures (just a few more bytes) are transferred alongside existing records to allow systems to detect any changes in the original record. However, for the Internet, whose protocols have not changed for decades, it’s a big change. So it was/is being deployed very carefully.
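The mechanism Dr. Lamb describes in the two answers above, as an added illustration that is not part of the interview: the zone operator signs a record set with a private key, and a validating resolver recomputes the hash and checks the signature, so a substituted answer fails. The canonical form, the RR type and the constructed names and addresses are simplifications for illustration; real DNSSEC hashes the wire-format RRset together with RRSIG fields and carries the signature as raw r||s bytes rather than ASN.1, and the DNSSEC algorithm used here, ECDSA P-256 with SHA-256, is algorithm 13.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type and RDATA.
type RR struct{ Name, Type, Data string }

// canonical renders an RRset the way DNSSEC hashes it (owner names
// lowercased, records sorted) so signer and validator hash identical bytes.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = strings.ToLower(rr.Name) + " " + rr.Type + " " + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign is the zone operator's side: hash the RRset and sign it with the
// zone key, producing the signature that travels alongside the records.
func Sign(key *ecdsa.PrivateKey, rrs []RR) ([]byte, error) {
	h := sha256.Sum256(canonical(rrs))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Validate is the resolver's side: recompute the hash of the answer it
// received and check it against the signature using the zone's public key.
func Validate(pub *ecdsa.PublicKey, rrs []RR, sig []byte) bool {
	h := sha256.Sum256(canonical(rrs))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed zone key
	genuine := []RR{{"www.example.com.", "A", "192.0.2.10"}}  // constructed record
	forged := []RR{{"www.example.com.", "A", "198.51.100.7"}} // substituted answer
	sig, _ := Sign(key, genuine)
	fmt.Println("genuine validates:", Validate(&key.PublicKey, genuine, sig)) // true
	fmt.Println("forged validates: ", Validate(&key.PublicKey, forged, sig))  // false
}
```

Without the key material in hand, an attacker who changes the address in transit cannot produce a signature that verifies, which is exactly the check a non-validating resolver lacks.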
Cyveillance: Exactly who is going to be responsible for helping to get DNSSEC adopted as quickly as possible? Government? ISPs? Website owners? End users? Among those you mention, which do you prioritize when trying to get the word out?
Richard Lamb: End user demand is what will drive DNSSEC deployment and its eventual success. However, selling security to the end user has always been an uphill battle. Awareness building of domain name holders / website owners (content provider for the eyes) is therefore a key part of the adoption effort.
Organizations like ICANN continue to do a good job building awareness among ISPs and top level domain (e.g., .com, .se) operators and our own DHS has played a pivotal role in pressing for DNSSEC adoption in government through the funding of initiatives and the creation of a 2008 OMB mandate for all agencies under .gov. Other governments (e.g., Sweden, Brazil) also have initiatives encouraging the deployment of DNSSEC.
ISPs and Registrars (where you buy domain names from) have little incentive to support DNSSEC until it is widely deployed. This has led to a chicken and egg scenario, with these entities often pointing to the lack of deployment as reasons for not supporting DNSSEC themselves. This has placed a priority on Website owners and end users to deploy DNSSEC on their web sites and demand greater security from providers. The hope is that market forces will then prevail, resulting in wider support amongst Registrars and ISPs. COMCAST is an example of a large ISP that has fully deployed DNSSEC to help protect their customers. GoDaddy is an example of a large Registrar that supports DNSSEC for their domain name holders who want it.
Cyveillance: Do you think the average end user will ever notice the change?
Richard Lamb: Ideally, improved security should not be noticed by the end user. However, with the new source of trust that DNSSEC creates on the Internet, the end user should expect to see a range of applications that ease access control (e.g., login, WiFi roaming, etc…) and improve web site and email security.
Cyveillance: Is there any similarity in the push to move from IPv4 to IPv6? Which do you see happening first – complete IPv6 adoption or complete DNSSEC adoption?
Richard Lamb: That’s a great question. DNSSEC is often grouped with IPv6 and they are similar in the sense that they are both big protocol changes for the Internet. However, IPv6 is not backward compatible with IPv4. DNSSEC is. DNSSEC secures the DNS. IPv6 updates the routing layer.
Experts have said that IPv6 and IPv4 will coexist for many years to come.
The same will likely be true for DNSSEC as well. While many sites will have DNSSEC deployed on them, there will always be a portion of the web site owners who have little interest in security. Currently, I believe DNSSEC deployment has a slight lead over IPv6 deployment. The key is that for those organizations that do have an interest in maintaining the integrity of the information disseminated by their web site – DNSSEC is a big step.
Cyveillance: What advice would you give to those who are evangelizing within their organization for DNSSEC adoption?
Richard Lamb: Deploying DNSSEC on domain names owned by their organization and turning on DNSSEC on their internal resolvers would not only help protect staff from DNS redirection attacks but also demonstrate to the public that the organization takes security seriously. I would also point out that large ISPs like COMCAST have stepped up to support DNSSEC as well and point to the recent reports on the DNSChanger attacks. Finally, DNSSEC deployment on an organization’s domain names need not be expensive as demonstrated by various Registrar offerings like those from GoDaddy, VeriSign, and others.
Cyveillance: Any last thoughts?
Richard Lamb: I think two of the most interesting things about DNSSEC are 1) how it can be a platform for entrepreneurs from around the world to create a whole new range of innovative security applications and 2) how it is a classic example of the Internet’s borderless, bottom-up, cooperative approach to solving problems.