By Scott M. Fulton, III, BetaNews
November 24, 2008, 6:49 PM
The public comments period has officially ended for the NTIA's consideration of requiring domain name servers within the Internet's root zone to, at long last, encrypt their communications. Could there really be any opposition?
For well over a decade, the Internet has had available to it a security measure called DNSSEC that would enable DNS hosts to request that communications between each other be encrypted, using public key cryptography. That way, all DNS messages could be traced back to a verifiable source, conceivably thwarting any possibility of a cache poisoning nightmare on the order of the one that security researcher Dan Kaminsky warned about last summer.
As with all major upgrades to a platform infrastructure, the big problem is rolling out changes in a way that's backward compatible with the older system. With a security upgrade, that's a problem because in any situation where security is optional, admins may choose the easiest system to control, and malicious users will always exploit the insecure option.
But last month, Microsoft revealed it planned to support DNSSEC with its next versions of Windows, including Windows 7. That could be a major boost for the long-standing security option's chances of being integrated into the infrastructure of the Internet, now that the National Telecommunications and Information Administration is considering public comments with respect to a proposal to implement DNSSEC at the root zone of the Internet.
"Over the years, a number of vulnerabilities have been identified in the DNS protocol that threaten the accuracy and integrity of the DNS data and undermine the trustworthiness of the system," reads an NTIA statement last month. "In particular, due to technical advances, vulnerabilities in the existing DNS have recently become easier to exploit. Malicious parties may use these vulnerabilities to distribute false DNS information, and to improperly re-direct Internet users. DNSSEC was developed to mitigate these vulnerabilities. Accordingly, the Department is exploring the deployment of DNSSEC at the top level of the DNS hierarchy, known as the root zone."
DNSSEC is not a particularly complex system. If you understand public key cryptography, you know that an unshared private key is used to encrypt communications between entities, but a public key, which is a mathematical function of the private one, can decrypt them. The fact that it decrypts them serves as proof that the holder of the private key must have authored the communication, so the public key is shared with everyone. DNSSEC enables a DNS host to request a public key from a DNS server -- something the typical DNS server does not provide.
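As an added illustration of the mechanism the article describes (this is example code written for this page, not code from the article, from Microsoft, or from any DNSSEC implementation): the zone operator signs a record set with its private key, a validating resolver checks that signature against the zone's published public key (the DNSKEY record), and a forged answer of the kind cache poisoning injects fails the check. Ed25519 is a real DNSSEC signing algorithm (algorithm number 15); the text encoding of records, the host names, the addresses and the key seed are all constructed for the example and are not DNS wire format. One caveat a practitioner should keep in mind: what the signature provides is authentication and integrity of the answer, and the record data itself still travels in the clear.

```go
package main

// Added example, not code from the article or from any DNSSEC implementation.
// Names, addresses and the key seed are constructed for the demonstration.

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal DNS resource record.
type RR struct {
	Name string // owner name, e.g. "www.example.com."
	Type string // record type, e.g. "A"
	TTL  uint32
	Data string // rdata, e.g. "192.0.2.10"
}

// canonicalRRset serialises a record set deterministically: owner name
// lower-cased and rdata sorted, so signer and validator hash identical bytes
// regardless of the order in which the records arrived. This mirrors the goal
// of DNSSEC canonical form (RFC 4034 section 6) in a simplified text layout.
func canonicalRRset(rrs []RR) []byte {
	if len(rrs) == 0 {
		return nil
	}
	datas := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		datas = append(datas, rr.Data)
	}
	sort.Strings(datas)
	var b bytes.Buffer
	for _, d := range datas {
		fmt.Fprintf(&b, "%s %d IN %s %s\n", strings.ToLower(rrs[0].Name), rrs[0].TTL, rrs[0].Type, d)
	}
	return b.Bytes()
}

// SignRRset plays the zone operator: it produces the signature that would be
// published as an RRSIG record alongside the record set.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// ValidateRRset plays the validating resolver: it checks the RRSIG against the
// zone's public key (the DNSKEY record). ed25519.Verify returns false rather
// than panicking on a signature of the wrong length.
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// ZoneKey derives a key pair from a fixed seed so the demonstration is
// reproducible. A real zone would draw the seed from crypto/rand and keep
// the private key offline.
func ZoneKey(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	copy(s, seed)
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := ZoneKey("example-zone-demo-seed")
	genuine := []RR{
		{"www.example.com.", "A", 3600, "192.0.2.10"},
		{"www.example.com.", "A", 3600, "192.0.2.11"},
	}
	sig := SignRRset(priv, genuine)
	fmt.Println("genuine answer validates:  ", ValidateRRset(pub, genuine, sig))

	// The same records in a different order still validate, thanks to canonical form.
	reordered := []RR{genuine[1], genuine[0]}
	fmt.Println("reordered answer validates:", ValidateRRset(pub, reordered, sig))

	// A spoofed reply that swaps the address but replays the real RRSIG fails.
	forged := []RR{{"www.example.com.", "A", 3600, "198.51.100.66"}}
	fmt.Println("forged answer validates:   ", ValidateRRset(pub, forged, sig))

	// A spoofed reply carrying a signature from some other key fails as well,
	// because the resolver only trusts the DNSKEY published by the zone.
	_, other := ZoneKey("not-the-zone-key")
	fmt.Println("other-key answer validates:", ValidateRRset(pub, forged, SignRRset(other, forged)))
}
```

The resolver never needs a secret: it only needs the zone's public key, obtained through the chain of trust that root-zone signing would anchor. That is why the check catches both a replayed genuine signature over altered data and a fresh signature from a key the zone never published.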
Conceivably, DNSSEC's biggest potential boon has been its ability to harden the security of IPsec, the encryption of all IP packets between server and client...which typically takes place after their DNS names have been resolved. Microsoft has supported IPsec for some time, and has embraced it with the latest Windows Server 2008. But for IP hosts to make use of it, they have to use some makeshift protocol for exchanging their public keys with each other -- a process that, frankly, looks a little obvious to anyone who happens to be sniffing for such transactions. If DNSSEC were in place, those public keys would be returned by the DNS servers instead, enabling hosts to use IPsec with one another without the unsightly social miscues.