DNS security has been a hot topic this summer, ever since the news broke that security researcher Dan Kaminsky had discovered a new flaw in the system. That particular issue has since been patched, but the announcement refocused attention on the DNS protocol and its many security shortcomings. Now, the United States government has announced that all .gov domains will begin to transition to the secure DNS protocol known as DNSSEC, and must complete the adoption process by December 2009. .gov is the second gTLD to announce such a switch; .org announced it would convert to DNSSEC in late July of this year.

The primary purpose, and main security feature, of the DNSSEC protocol is its ability to protect users from DNS cache poisoning. Poisoned DNS servers have been fooled into returning false information in response to a DNS lookup request. A client querying a poisoned DNS server for the location of any particular website, for example, might actually receive information that aims it straight at a different, malware-contaminated site. Part of what makes DNS cache poisoning such a nasty attack vector is that the user, client, and DNS server all believe they have acted appropriately. A user presented with a page of hot barnyard action when he or she originally attempted to reach ToonTown may, in fact, conclude that the website has been hacked or compromised, and avoid it in the future.

This flaw exists because the DNS protocol is the ultimate Pollyanna. DNS inherently trusts everyone and is not capable of evaluating or classifying sources into trustworthy/untrustworthy categories. DNSSEC solves this problem by requiring that all DNS responses be digitally signed. This allows the resolving DNS server to check and confirm that the information it's about to return to the client actually points at the address it's supposed to point at, rather than at whatever an attacker managed to slip into its cache.
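To make the signing-and-validation step concrete, here is an added toy model (not code from the article or from any real DNS implementation) of a zone signing a record set with an Ed25519 key and a validating resolver rejecting an answer that was altered in transit. The record format, the fixed key seed and the addresses are constructed stand-ins for the real RRSIG/DNSKEY machinery.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// RRSet is a simplified DNS resource record set: owner name, record type
// and record data. Real DNSSEC signs the canonical RRset (RFC 4034);
// this toy model joins the fields into one canonical byte string instead.
type RRSet struct {
	Name, Type string
	Data       []string
}

func (r RRSet) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(r.Data, ","))
}

// Response is what a resolver receives: the record set plus the signature
// that stands in for an RRSIG. An unsigned answer carries a nil Sig.
type Response struct {
	RRs RRSet
	Sig []byte
}

// zoneKey derives the zone's signing key from a seed (a constant here so the
// demo is deterministic; a real zone key is generated randomly and rolled).
func zoneKey(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signRRSet is the zone operator's step: sign each record set once.
func signRRSet(key ed25519.PrivateKey, rr RRSet) Response {
	return Response{RRs: rr, Sig: ed25519.Sign(key, rr.canonical())}
}

// validate is the resolver-side check: accept the answer only if its signature
// verifies under the trust anchor (the zone's public key). An unsigned or
// altered answer fails here instead of being cached and served to clients.
func validate(anchor ed25519.PublicKey, resp Response) bool {
	return ed25519.Verify(anchor, resp.RRs.canonical(), resp.Sig)
}

func main() {
	pub, priv := zoneKey(make([]byte, ed25519.SeedSize))
	good := signRRSet(priv, RRSet{"www.example.gov.", "A", []string{"192.0.2.10"}})
	bad := good // a copy whose address was swapped in transit, signature left intact
	bad.RRs.Data = []string{"198.51.100.99"}
	fmt.Println(validate(pub, good), validate(pub, bad), validate(pub, Response{RRs: good.RRs})) // true false false
}
```

Note that the record data stays in the clear throughout: the signature proves who published the answer and that it was not changed, which is exactly the cache-poisoning problem and nothing more.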

The government's decision to adopt DNSSEC is an important step toward universally rolling out the protocol, but there's still a great deal of work ahead before that can happen. DNSSEC can only be truly effective if it's widely adopted, but switching from DNS to DNSSEC isn't trivial, and it isn't cheap. There are also a number of questions regarding when the .com and .net gTLDs will adopt DNSSEC, and no clear timeline for when they might do so. The National Telecommunications and Information Administration (NTIA) has stated that it recognizes the importance of DNSSEC, but will take no actions that might compromise the stability or efficiency of DNS.

The questions don't stop there. If the root servers are signed, who holds the keys, and what security measures would be considered appropriate to guard against malicious/illegal use of said keys? Is ICANN sufficiently detached from the US government to be trusted with such a responsibility, or does the situation call for a third-party contractor? It's also important to remember that DNSSEC is designed to solve a particular problem and is not a security blanket that will, in and of itself, make the Internet "safe." While it does provide a certain amount of indirect protection against DoS attacks, for example, DNSSEC does not encrypt data, and it can't protect against any false assumptions a user might make.

At the very least, the government's decision to adopt the security standard puts indirect pressure on the other gTLDs to adopt it as well. The more widespread adoption is, the more effective the standard can be, but even if .com and .net leap aboard tomorrow, full-scale deployment could still take years. One does not secure the Internet simply with the flick of a switch, however enticing such a solution might be.

Further reading

NetworkWorld: "Feds tighten security on .gov"