Michael Hayes CTO of B-4-U Inc. : Blackhat 2010 - Panel on DNSSEC Root Signing
July 2010 by Michael Hayes CTO, B-4-U Inc.
This panel was on the deployment of DNSSEC and was chaired by Rod Beckstrom, President and CEO of ICANN, with prominent participants Mark McLaughlin, President and CEO of VeriSign; Dan Kaminsky, Chief Scientist for Recursion Ventures; and Russ Housley, Chairman of the IETF.
This group of companies, along with the IETF, announced a major security thrust to improve confidence for the internet user communities of individuals, enterprises and governments. The group launched the initial signing of the DNS root for a number of TLDs, including .bg, .br, .cat, .cz, .lk, .ma, .org, .tm and .uk. The plan is to roll out signed DNS roots to a significant number of ICANN TLDs over the next 12 to 24 months. VeriSign will also roll out secure DNS to its managed .com and .net roots over the next 12 months.
So what does this mean to us, both as individuals and as organizations? This is the first successful change to how security on the internet is implemented. DNS is a protocol from the early years of the internet, developed originally in an environment in which security was not a major consideration. In today’s hostile internet environment, DNSSEC and the signing of the root directories allow increased confidence in the Domain Name Space. This helps lower the chance of unauthorized redirections, lowering cache poisoning and reducing some man-in-the-middle attacks.
Mark McLaughlin stated that “the implementation of DNSSEC is an important move and leverages the value of DNS and that is core in the internet”. It allows the authentication of domain names, and this in turn will increase our confidence in the origin of the domain name we are requesting.
Russ Housley, Chairman of the IETF, identified that “The Domain Name System (DNS) is used by billions of internet users. DNS can be thought of as Protocols, Servers and a Network System that allows all domain names to be found. DNSSEC is the result of an incredible effort by 200+ individuals developing a tamper-proof packaging for delivery of the domain name packets”.
Dan Kaminsky, Chief Scientist for Recursion Ventures, outlined that DNSSEC, as a solution developed over the last 18 years, with the last two being a key development period, is truly significant. We are putting in a cryptographic process to correct a major flaw in the current internet architecture. DNS is a method for bootstrapping most applications. DNSSEC now has the ability to add security to these applications in a number of areas, and this will add the ability for more cross-organizational security applications.
Other key benefits will emerge over time. When a browser selects an address, in the near future there will be a method to validate that this is a good address, which will result in reduced spoofing. Browsers and search engines will be able to evolve to demonstrate to their users that this is a good address, increasing confidence and trust in the internet. Certificate Authorities will also have a method to better ensure that the sites and the companies that they vet are more in line with their data. Finally, as applications develop, the origin of email will be better verified: when customers receive emails from organizations like banks, they will have better confidence that this is the true source.
DNSSEC is one of the key protocols to be updated in the network. It is a journey, and we are currently at day 14 of a 720-day journey to secure 50-plus percent of the internet domains. This is one of the most effective means of protecting the internet. Within the next 24 months, the most impactful TLD will be signed with DNSSEC, and a massive roll-out of new applications that take advantage of DNSSEC capabilities will follow.