An Introduction to DNS
Posted by DNSSEC.Asia in DNSSEC Articles and Presentations, Wednesday, 16 February 2011 08:19
Executive Summary
The Internet’s underlying addressing system is undergoing a worldwide foundational sea-change, transitioning from its outdated and insecure legacy design to a new, robust architecture which will help protect citizens, business and government from identity theft and fraud. The DotAsia Organisation and its technical service provider, Afilias, are leading the industry with the widespread deployment of DNSSEC, an extension to the Internet’s existing DNS Protocol that will bring an unprecedented degree of trust and confidence to Internet commerce, communications and e-government. As a consequence of this initiative, the .Asia TLD will gain an important security enhancement that will set the stage for the next decade of Internet innovation.
Introduction
The Domain Name System (DNS) is the Internet’s primary addressing mechanism. Used billions of times every day, it is responsible for translating human-readable strings such as registry.asia into the difficult-to-remember numeric IP addresses that networked computers use to find each other. Every time a user visits a website, potentially dozens of DNS transactions are required in order to fetch the requested content and display it in their browser. Every e-mail sent relies upon the DNS to find its intended recipient. Stable, reliable and trustworthy DNS resolution is the most critical component of virtually every online interaction, vital to not only billions of dollars of international commerce but also to the reliable exchange of information between governments and their citizens.
Unfortunately, the DNS protocol is an aging technology that even pre-dates the creation of the Web itself. Because it was designed around an inherent model of trust, without foreknowledge of the demands that would eventually be placed upon it or of the malicious purposes it might be put to, the DNS we know today lacks some key security features that, ideally, should have been baked in from day one. Specifically, until the arrival of DNSSEC, the DNS lacked a native method by which a Web user could be assured that the addresses they type into their browser address bar are really where they end up going. Without DNSSEC, certain techniques created by malicious hackers can cause domain names to be “hijacked” to redirect users without the users’ knowledge and with no ability for the user to regain control of the situation.
DNSSEC was developed as a solution to this problem. This new protocol, which was in development for over a decade, enables cryptographic digital signatures to be added to DNS records, allowing answers to be automatically verified. This means DNS resolvers, such as those used by ISPs, can be certain that they send their users to the correct Web or e-mail server. Because its signatures can be verified, DNSSEC eliminates the possibility of DNS data being fraudulently manipulated, without detection, as it traverses the network between sender and requester. When users attempt to visit the site of their bank or a government service, for example, they can be assured that the Web page they see really does belong to their bank or government.
The DNS Risk Landscape
Currently, Internet domain names can be vulnerable to a type of attack called “cache poisoning”. These attacks take advantage of the fact that some DNS resolvers, such as those deployed at ISPs, usually temporarily store frequently requested DNS records for performance purposes. Using various methods, hackers are sometimes able to inject false data into these caches, which has the effect of redirecting users of the compromised resolver to the server and content of the hacker’s choice. A sophisticated cache poisoning attack could be combined with a “phishing” attack and used, for example, to steal online banking passwords by hijacking Web traffic and presenting users with a fraudulent copy of a bank’s website.
In 2008, this type of attack garnered global attention when a security researcher called Dan Kaminsky discovered a fundamental flaw in the DNS protocol that made widespread cache poisoning a much more trivial matter. The so-called Kaminsky Bug was considered such a grave threat to global trust in the Internet that an unprecedented secret effort was launched among the key Internet infrastructure providers to quickly upgrade many of the DNS’s core components before the nature of the vulnerability fell into the hands of criminals. While this effort was successful in introducing measures that substantially mitigated the potential risks of the flaw, it did not eliminate them entirely, and there can obviously be no guarantee that similar vulnerabilities will not be discovered in future.
DNSSEC is designed to solve the cache poisoning problem, making attacks based on future Kaminsky-style flaws extremely unlikely to succeed, by adding cryptographic signatures to DNS records. The system uses a public-private key pair mechanism similar to other signature systems already in wide use on the Internet. When a resolver requests DNS information about a domain name protected by DNSSEC, the answer it receives is digitally signed using a private cryptographic key belonging to the domain’s owner. The resolver is then able to validate the signature using the domain’s corresponding public key, which is published in the DNS by the relevant name server, ensuring that the user is directed to the correct resource.
DNSSEC Deployment is Accelerating
Because the DNS is a massively distributed, hierarchical system, DNSSEC will be most useful when it achieves ubiquitous global deployment, all the way from the DNS root itself down to the humble desktop browser application. A signed DNS answer purporting to come from registry.asia is only trustworthy if you can verify that the key that signed it really belongs to registry.asia. This means that the parent domain of registry.asia in the DNS hierarchy, in this case .ASIA, also needs to be signed using DNSSEC so that it can vouch for that key. In turn, at the top of the DNS chain, the root zone itself also needs to be signed in order to enable .ASIA’s identity to be authenticated. The signed root’s key serves as the “trust anchor”.
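The parent-to-child link described above and the signed answer described in the previous section, as an added example that is not part of the original article: a parent zone publishes a DS record, a SHA-256 digest over the child’s owner name and DNSKEY record (RFC 4034), and a validating resolver accepts a zone’s key only if it matches the DS it already trusts, starting from the root trust anchor. The keys below are constructed dummies, and the RRSIG signature check DNSSEC performs at each step is omitted, so only the DS/DNSKEY linkage of the chain is shown.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = key-signing key), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record the parent publishes for a child key: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def validate_chain(trust_anchor: tuple, links: list) -> bool:
    """Walk from the root down; each link is (owner, dnskey_rdata, ds_for_child). A key is accepted only if the DS we already trust was computed over exactly that key."""
    trusted_ds = trust_anchor
    for owner, rdata, child_ds in links:
        if make_ds(owner, rdata) != trusted_ds:
            return False        # parent never vouched for this key: the chain is broken here
        trusted_ds = child_ds   # this zone is now trusted, so the DS it publishes for its child is too
    return True

# Constructed dummy keys (real public keys are far longer); flags 257 marks a key-signing key.
ROOT_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
ASIA_KEY = dnskey_rdata(257, 13, b"\x10\x20\x30\x40")
REGISTRY_KEY = dnskey_rdata(257, 13, b"\xaa\xbb\xcc\xdd")
ROOT_ANCHOR = make_ds(".", ROOT_KEY)  # the trust anchor a validating resolver is configured with
CHAIN = [
    (".", ROOT_KEY, make_ds("asia.", ASIA_KEY)),                   # root zone vouches for .ASIA
    ("asia.", ASIA_KEY, make_ds("registry.asia.", REGISTRY_KEY)),  # .ASIA vouches for registry.asia
    ("registry.asia.", REGISTRY_KEY, None),                        # leaf: nothing below to vouch for
]

def forged_chain_ok() -> bool:
    """Same chain, but registry.asia serves a key its parent never vouched for; validation must fail."""
    forged = CHAIN[:2] + [("registry.asia.", dnskey_rdata(257, 13, b"\xde\xad\xbe\xef"), None)]
    return validate_chain(ROOT_ANCHOR, forged)
```

Running `validate_chain(ROOT_ANCHOR, CHAIN)` returns True, while `forged_chain_ok()` returns False because the substituted key’s DS no longer matches what .ASIA published.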
The DNSSEC implementation projects required to make this level of verification possible on an end-to-end basis are already underway. In July 2010, ICANN, VeriSign and the US Department of Commerce signed the DNS root for the first time, enabling all top-level domain (TLD) registries to register their DNSSEC keys in the root and therefore become trusted by DNSSEC-enabled resolvers. Major TLDs including .ORG and .INFO, along with dozens of country-code domains, are already signed and DNSSEC-compatible, and dozens more are expected to follow over the coming year.
Signing the DNS root was the tipping point in DNSSEC deployment, spurring domain name registries and registrars (the sellers of domain names to the public) into action. As of the start of November 2010, 53 zones, including country-code TLDs such as .BR (Brazil), .US (United States) and .UK (United Kingdom), were signed and DNSSEC-enabled.
Several domain registrars already support DNSSEC, and a recent survey conducted by Afilias discovered that 69 percent of registrars currently plan to offer DNSSEC services to their customers before the end of 2011.
In 2011, the main top-level domains in the root will have deployed DNSSEC, laying the foundation for Internet Service Providers (ISPs), application developers, and enterprises to begin to utilize DNSSEC to bring this security to the end-user. Each step in the “chain of trust” has to both enable and utilize DNSSEC for it to be truly effective.
The Value of DNSSEC
Barely a week passes in which Internet users are not exposed to news stories recounting the dangers of doing business online. Over time, these negative perceptions have the potential to harm consumer confidence in e-commerce and in the quality of the information and services they find online. DNSSEC is one way to help reverse this harmful trend, in much the same way that the “padlock” icon and the color-coded browser address bar have been successfully communicated to users as representing encrypted or identity-verified websites.
DNSSEC enables Internet users to enjoy unprecedented levels of trust when they communicate or transact online. Because DNSSEC is handled entirely “in the cloud”, for the average Web surfer the changes will at first be mostly transparent. But it is expected that in the near future desktop applications will be DNSSEC-aware, enabling the security benefits of signed domains to be conveyed to users in much the same way as SSL-encrypted Web pages are today. When an Internet user engages in an e-commerce transaction or takes advantage of an e-government service, they will do so with the knowledge that they are not unwittingly handing over their sensitive information to criminals.
DNSSEC will also create new opportunities for economic and technological innovation in the .ASIA zone. Registrars will be able to offer additional, premium registration services; ISPs will have cause to turn on DNSSEC in their resolvers, increasing their value proposition to subscribers; and signed domain owners will be able to participate in future applications that leverage DNSSEC as an enabling platform.
When a TLD begins to support DNSSEC it joins a global community of trusted top-level domains. Signing a zone is a badge showing that a TLD operator takes the security of its name-space seriously on the global stage. For the TLD’s regional users, a signed zone will send a clear signal that the region’s Web sites are safe places to do business and look for information, increasing confidence in locally based businesses and government services.
Next Steps
Afilias is fully committed to DNSSEC. In August, it announced Project Safeguard, a strategy to provide comprehensive DNSSEC coverage across the TLDs it serves. The movement towards a more trustworthy Internet through DNSSEC is a fundamental, foundational change and Afilias is taking a leading role in making it happen.
As a key part of Project Safeguard, Afilias will implement DNSSEC in .ASIA’s technical infrastructure and manage the cryptographic keys on an ongoing basis at no additional charge to the registry manager. Our experience with DNSSEC is extensive; as the registry services provider for .ORG, we tested the technology comprehensively for over two years before finally signing the zone in June 2010. We have since also signed .INFO. Afilias has unparalleled experience with, and insight into, the effects of operating large signed zones.
Afilias is leading the industry not only in terms of deployment but also in terms of outreach to other elements of the Internet community that are in the process of developing their DNSSEC strategy. As part of Project Safeguard, it has launched a year-long training initiative designed to ease the process of integration between registrars and the Afilias registry when DNSSEC is implemented and to bring the benefits of the technology to a broader audience.
The transition to DNSSEC is a necessary component of the next-generation Internet. The technology will enable more secure applications, create economic benefits for businesses, and increase confidence in the Web among Internet users. For .ASIA, the implementation of DNSSEC shows that the DotAsia Organisation takes its security responsibilities seriously on both the global and the domestic stage.
Article provided by Afilias