Public key to secure DNS servers

Enhanced security could hamper phishing attacks, but only if widely deployed

15 Jul 2010

Internet infrastructure organisation RIPE NCC claims it has reached a milestone with the publication of a root zone key that will enable a more secure web.

The organisation said the key would enable widespread deployment of the Domain Name Server Security Extensions (DNSSEC) protocol, which guarantees that a web address typed in by users will take them to the genuine site.

“With services that are public key secured no-one can tamper with the traffic,” Daniel Karrenberg, chief scientist of the RIPE, told PC Pro. “Trust and identity are vital areas for the internet and the Domain Name System (DNS) was a weak link.”


DNS is an integral part of the backbone of the internet, but has no inherent security features, which has led in the past to attacks such as DNS cache poisoning. Such attacks allow hackers to redirect users to fake website addresses, where they might be exposed to malware or be asked to input personal details.

DNSSEC uses digital signatures to assure name servers that the DNS data they receive has not been intercepted or tampered with. It is virtually invisible to end-users and, RIPE said, does not affect the speed at which a website loads.
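To make that sentence concrete, here is an added example that is not RIPE's code or a real resolver implementation: a toy model, in Go, of a zone operator signing a resource record set (RRset) with the zone's private key and a validating resolver checking the signature with the matching public key before trusting the answer. The record layout, the canonical form and the key handling are simplified assumptions for illustration (real DNSSEC signs a wire-format RRset and carries key tags, validity windows and a chain of trust from the root key; Ed25519 is DNSSEC algorithm 15); the key seed and the addresses are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL and data.
type RR struct {
	Name string
	Type string
	TTL  uint32
	Data string
}

// RRSIG is a simplified signature record covering one RRset.
type RRSIG struct {
	Name      string
	TypeCov   string
	Signature []byte
}

// canonicalRRset builds the bytes that get signed: records sorted into a
// canonical order with lower-cased owner names, so that the signer and the
// validator compute exactly the same input regardless of the order in which
// records arrive. (A simplification of the RFC 4034 canonical form.)
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\tIN\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// signRRset is the zone operator's offline step with the zone's private key.
func signRRset(priv ed25519.PrivateKey, rrs []RR) RRSIG {
	return RRSIG{
		Name:      rrs[0].Name,
		TypeCov:   rrs[0].Type,
		Signature: ed25519.Sign(priv, canonicalRRset(rrs)),
	}
}

// validateRRset is the resolver's step with the zone's public key (DNSKEY),
// which in real DNSSEC it has itself verified via the chain of trust that
// starts at the published root zone key.
func validateRRset(pub ed25519.PublicKey, rrs []RR, sig RRSIG) bool {
	if sig.Name != rrs[0].Name || sig.TypeCov != rrs[0].Type {
		return false
	}
	return ed25519.Verify(pub, canonicalRRset(rrs), sig.Signature)
}

// demo runs three checks and returns their outcomes:
//   genuine  - the answer the zone actually signed validates;
//   tampered - the same signature over a swapped address is rejected;
//   wrongKey - validation against a key not anchored by the chain of trust fails,
//              which is why the authentic root key must be published and used.
func demo() (genuine, tampered, wrongKey bool) {
	// Constructed, deterministic key material; not a real zone key.
	zonePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	zonePub := zonePriv.Public().(ed25519.PublicKey)
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	otherPub := otherPriv.Public().(ed25519.PublicKey)

	// Constructed records using documentation address ranges.
	answer := []RR{{Name: "www.example.", Type: "A", TTL: 3600, Data: "192.0.2.10"}}
	sig := signRRset(zonePriv, answer)
	forged := []RR{{Name: "www.example.", Type: "A", TTL: 3600, Data: "198.51.100.66"}}

	genuine = validateRRset(zonePub, answer, sig)
	tampered = validateRRset(zonePub, forged, sig)
	wrongKey = validateRRset(otherPub, answer, sig)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := demo()
	fmt.Printf("genuine answer validates: %v\n", g)
	fmt.Printf("tampered answer validates: %v\n", t)
	fmt.Printf("answer validates under unanchored key: %v\n", w)
}
```

The third check is the part of the story the article is about: a resolver can only reject a forged answer if it holds the right public key, and it can only know which key is right by walking the signed chain from the root key that RIPE and the root operators have now published.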

All of the world’s 13 root name servers have gradually switched to a signed root since January this year, in preparation for today’s global roll-out.

The .uk and .org top level domains (TLDs) already use DNSSEC, but Karrenberg said he expected the security feature to be taken up by more TLDs and service providers in the coming months. To be effective, he said it needs to be employed at every level right down to ISPs.

“Consumers should ask their ISP to switch it on,” he said. “It doesn't cost anything other than a few man hours and it shows an ISP is using best practices. If you have a domain name you should go to the registrar and say you want to deploy DNSSEC.”

However, RIPE does admit that some internet users may need to upgrade router hardware to benefit from DNSSEC, because some routers cannot handle the larger packet sizes generated by DNSSEC.

Despite the clear benefits, security experts are worried that the service won't trickle through the web infrastructure as hoped due to organisational apathy.

“It's going to be a phased roll-out, so it's really almost a pilot,” said Orla Cox, chief researcher at Symantec Security Response. “It's going to take a number of years to filter down and, as we have seen with IPv6, if no-one is forced to do anything about this then often they won't.”

“In the end it should make the internet a safer place because it will stop attacks on DNS root servers, but it's early days yet,” Cox added.
