Public key to secure DNS servers
By Stewart Mitchell
Posted on 15 Jul 2010 at 09:32
Internet infrastructure organisation RIPE NCC claims it has reached a milestone with the publication of the root zone's public signing key, the trust anchor that lets resolvers worldwide verify DNS answers rather than simply trust them.
The organisation said the key would enable widespread deployment of the Domain Name System Security Extensions (DNSSEC), which let a resolver check that the answer it receives for a domain name is the one the domain's operator published and signed, rather than a forged response.
“With services that are public key secured no-one can tamper with the traffic,” Daniel Karrenberg, chief scientist of the RIPE NCC, told PC Pro. “Trust and identity are vital areas for the internet and the Domain Name System (DNS) was a weak link.”
DNS is an integral part of the internet's infrastructure, but the original protocol has no way to authenticate the answers it carries, which has led in the past to attacks such as DNS cache poisoning. These attacks let an attacker redirect users to fake websites, where they might be exposed to malware or asked to enter personal details.
DNSSEC uses digital signatures to let resolvers check that the DNS data they receive has not been forged or altered in transit. It does not encrypt queries, so it does not hide what users look up, but it is virtually invisible to end-users and, RIPE said, does not affect the speed at which a website loads.
All 13 of the root name server identities have gradually switched to serving a signed root since January this year, in preparation for today's publication of the key that lets resolvers validate those signatures.
The .uk and .org top level domains (TLDs) already use DNSSEC, but Karrenberg said he expected it to be taken up by more TLDs and service providers in the coming months. To be effective, he said, it needs to be deployed at every level, right down to ISPs.
“Consumers should ask their ISP to switch it on,” he said. “It doesn't cost anything other than a few man hours and it shows an ISP is using best practices. If you have a domain name you should go to the registrar and say you want to deploy DNSSEC.”
However, RIPE does admit that some internet users may need to upgrade their home routers to benefit from DNSSEC: signed responses are often larger than the 512-byte limit of classic DNS over UDP, and some routers cannot pass on the larger packets that DNSSEC generates.
Despite the clear benefits, security experts are worried that DNSSEC won't trickle down through the internet's infrastructure as hoped, due to organisational apathy.
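The two mechanics the article touches on, the signature-validated answer a resolver reports and the larger-than-512-byte responses that trip up some routers, can be seen on the wire. The script below is an added example, not code from RIPE NCC, ICANN or the article: it builds a DNSSEC-aware query (EDNS0 OPT record with the DO bit set and a 4096-byte UDP buffer), then inspects a response header for the AD flag (the resolver validated the chain of trust), the TC flag (the answer did not fit the UDP buffer and must be retried over TCP), a SERVFAIL rcode (validation failed), and a transaction ID that does not match (a forged answer, the pattern cache poisoning relies on). It uses only the standard library and no network; the response it examines is constructed inline for illustration, not captured from a real resolver, and the name example.com and the address 192.0.2.1 are placeholders.

```python
"""Build a DNSSEC-aware DNS query and assess a resolver's UDP answer.

Added example, standard library only, no network access. The sample
response is constructed here for illustration, not captured.
"""
import secrets
import struct

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssec_query(qname, qtype=TYPE_A, udp_payload=4096, txid=None):
    """Query with an EDNS0 OPT record and the DO bit set, so the resolver
    returns RRSIGs and may send a response larger than 512 bytes."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID makes spoofed answers harder
    # flags 0x0100 = RD; one question, one additional (the OPT pseudo-record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, CLASS field carries the UDP payload size,
    # TTL field carries ext-rcode(8) | version(8) | DO(1) | zero(15), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "tc": bool(flags & 0x0200),   # truncated: did not fit the UDP buffer
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # resolver validated the DNSSEC chain
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def find_opt(msg):
    """Walk all sections; return (udp_payload, do_bit) of the OPT record, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & 0x8000)
    return None


def assess_response(query, response):
    """Decide what a DNSSEC-aware stub should do with a UDP answer."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "ignore"       # not an answer to our query; poisoning attempts look like this
    if r["tc"]:
        return "retry-tcp"    # signed answer exceeded the buffer; re-ask over TCP
    if r["rcode"] == 2:
        return "servfail"     # validating resolvers return SERVFAIL for bogus data
    if r["rcode"] != 0:
        return "error"
    return "validated" if r["ad"] else "unvalidated"


def sample_validated_response(query):
    """Constructed answer to `query`: QR|RD|RA|AD set, one A record, OPT with DO."""
    q = parse_header(query)
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", q["id"], 0x81A0, 1, 1, 0, 1)
    # answer name is a pointer (0xC00C) back to the question name
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + answer + opt


def set_flags(msg, mask):
    """Copy of msg with extra header flag bits set (used to simulate truncation)."""
    flags = struct.unpack("!H", msg[2:4])[0] | mask
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


if __name__ == "__main__":
    query = build_dnssec_query("example.com", txid=0x1234)
    good = sample_validated_response(query)
    print(assess_response(query, good))                   # validated
    print(assess_response(query, set_flags(good, 0x0200)))  # retry-tcp
    print(find_opt(good))                                 # (4096, True)
```

A real stub resolver would send `build_dnssec_query(...)` over UDP port 53 to the ISP's resolver and feed the raw reply to `assess_response`; "unvalidated" on a signed zone such as .org means the resolver in between is not validating, which is exactly what Karrenberg asks consumers to get their ISP to switch on.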
“It's going to be a phased roll-out, so it's really almost a pilot,” said Orla Cox, chief researcher at Symantec Security Response. “It's going to take a number of years to filter down and, as we have seen with IPv6, if no-one is forced to do anything about this then often they won't.”
“In the end it should make the internet a safer place because it will stop attacks on DNS root servers, but it's early days yet,” Cox added.
Why not sooner rather than later?
Half a dozen ISPs provide DNS to 60%-70% of UK users so there is no reason for this to take years.
If PKI were implemented on mail servers, it would be possible to eliminate, or at least control, spam.
It seems sheer madness to have an industry that knows how to fix a problem but just doesn't bother doing it.
By milliganp on 15 Jul 2010