April 19, 2026

DNS Africa Resource Center

..sharing knowledge.

Protecting the DNS protocol: How DNSSEC can help – TechTarget

The DNS protocol was designed in the earliest days of the internet to allow names to be used instead of IP addresses, like techtarget.com instead of 172.30.128.56. Unfortunately, security features were not built into the DNS protocol because security wasn’t a concern at that time. Attackers have found many ways to take advantage of DNS by forging DNS responses and otherwise tampering with DNS to cause victims to unknowingly be routed to the wrong destinations.
The Domain Name System Security Extensions (DNSSEC) were developed as an add-on to the DNS protocol to stop these types of threats. Basically, DNSSEC adds digital signatures to DNS responses. With DNSSEC, when a computer sends a DNS query and gets a response back, the computer first verifies the digital signature in the response to make sure it is legitimate and hasn’t been tampered with.
At its core, DNSSEC is a simple concept — but implementing it is far more complicated. It relies on all the keepers of DNS records implementing and maintaining public key cryptography and DNSSEC features for their DNS servers. Public key cryptography can be a particularly challenging and complex area of security. DNSSEC also has a chicken-and-egg problem in that having DNSSEC-enabled servers isn’t beneficial unless client computers (servers, laptops, smartphones, etc.) are also DNSSEC-enabled. But there’s not much motivation for client computers to use DNSSEC unless the DNS servers already support it.
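An added example, not part of the original article: a standard-library Python parser showing what a DNSSEC-aware client can inspect in a raw DNS response, namely the RRSIG signature records and the AD ("Authenticated Data") header bit set by a validating resolver. It does not verify the signature cryptographically; `dnssec_status`, `build_sample` and the sample message are constructed for illustration.

```python
import struct

RRSIG = 46         # RR type code for RRSIG records (RFC 4034)
AD_FLAG = 0x0020   # "Authenticated Data" header bit (RFC 4035)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def dnssec_status(msg):
    """Summarise the DNSSEC evidence carried by a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("record runs past end of message")
        types.append(rtype)
    # AD only means the upstream resolver claims it validated the answer;
    # it is meaningful only when the path to that resolver is trusted.
    return {"ad": bool(flags & AD_FLAG), "signed": RRSIG in types,
            "answer_types": types}

def build_sample(ad, with_rrsig):
    """Constructed response for example.com A; the signature bytes are filler."""
    qname = b"\x07example\x03com\x00"
    flags = 0x8180 | (AD_FLAG if ad else 0)      # QR, RD, RA (+ AD)
    ptr = b"\xc0\x0c"                            # pointer to qname at offset 12
    answers = [ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if with_rrsig:
        # covered type A, algorithm 13, 2 labels, TTL, expiry, inception, key tag
        rdata = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345) + qname + b"\x00" * 64
        answers.append(ptr + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + b"".join(answers)
```

A response with `signed` true but `ad` false is one the client or its resolver has not validated; the signature still has to be checked against the zone's public key before the answer is trusted.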
After more than ten years, DNSSEC is still not that widely used. The U.S. government has pushed for DNSSEC adoption since 2006, when the National Institute of Standards and Technology (NIST) released the original Special Publication (SP) 800-81, “Secure Domain Name System (DNS) Deployment Guide.” The publication was intended to help both U.S. government agencies and other organizations better understand DNS security concerns and how to address them. That included providing detailed explanations of how DNSSEC works and making recommendations on how to implement it. Since that time, NIST has updated SP 800-81 twice, with the latest version released in 2013.
A few years later, the government’s Office of Management and Budget (OMB) released a memo requiring federal agencies to deploy DNSSEC. NIST updated SP 800-53 in 2010 to require the use of DNSSEC for high-impact government systems. The next version of SP 800-53, released in 2013, greatly expanded the requirements by mandating DNSSEC use for all U.S. government systems, regardless of impact level.
While the NIST publications and the OMB memo have made a significant impact on U.S. government DNSSEC adoption, in 2017 there were still government domains not using DNSSEC. However, over 90% do support it and were not found to have any errors during the independent testing. This demonstrates that adding DNSSEC to the DNS protocol is feasible to implement and maintain in the real world. Other organizations should consider following the example set by government agencies and implementing DNSSEC for their own servers and clients.
All Rights Reserved, Copyright 2000 – 2024, TechTarget
