DNS security has been on the front burner in the networking industry ever since Kaminsky found his vulnerability in mid-2008. Since then, consensus has formed that DNSSEC is a much needed mechanism to secure domains and resolution requests in the DNS. Still, its adoption has been slow. Google’s recent announcement regarding its public DNS service was even explicit about the omission of this important protection layer.
DNSSEC provides a powerful protection layer for the Internet. With it, DNS data integrity is guaranteed, regardless of how the data is served. For example, with DNSSEC deployed, the possibility of cache poisoning attacks effectively drops to nil. Of course, Nominum’s existing layered defenses have stopped Kaminsky cache poisoning attacks for several years now, but we can anticipate even more powerful attacks in the future.
Given the industry progress that has been made with DNSSEC in the last 18 months, I have to wonder why Google did not ensure DNSSEC compliance before launching its Public DNS service. On the other hand, I guess I shouldn’t be surprised. Some hosted DNS service providers have recently announced “alternatives” to DNSSEC. These alternative mechanisms, such as DNSCurve, have some industry support. Still, they are not as effective as DNSSEC and accomplish very different things than DNSSEC. There are also a few DNS offerings that seem to have abandoned DNSSEC altogether. And some of these providers have started to promote a completely new protocol. But seriously, at the bare minimum, all DNS providers should invest in the technological burden of making their software and services compliant with DNSSEC. If they don’t, we (users, networks, schools and enterprises) should not use them.
Nominum’s DNS software has been DNSSEC compliant for years now. And, in recent years, we chose to invest further to make DNSSEC simple to deploy. With these improvements, the deployment and management process for DNSSEC is completely automated. But we did not stop there.
Nominum actually relies on several mechanisms to secure DNS. One mechanism secures the data (DNSSEC), another secures the communication between caching and authoritative DNS servers, and the third mechanism protects the server itself. We call the second mechanism DNSAUTH. DNSSEC and DNSAUTH are resident in all our servers. The two functions can be used simultaneously and, at the same time, the server can continue to leverage our layered defense mechanism (the third layer) as well. That’s the important part.
Bad guys use multiple attack vectors to compromise defenses that would withstand one. What DNSSEC does is prevent attacks by hostiles that have the ability to watch packets go by – for example the operator of a rogue Wi-Fi access point, or combined attack scenarios that use route hijacking or router hijacking. DNSAUTH, on the other hand, extends Nominum’s layered DNS defenses by securing the communication link between caching and authoritative servers. DNSAUTH allows for server authentication and encryption of DNS data exchanged between the caching and authoritative DNS servers.
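To make the integrity point concrete, here is an added toy model (not Nominum's code or any real DNS implementation): a caching resolver that only matches transaction IDs will cache a forged answer whose TxID happens to match, while one that verifies the zone's signature rejects it no matter which server or path delivered it. The `Response`, `Sign` and `Accept` names, the Ed25519 key and the sample answers are all constructed for illustration; no DNS wire format is handled.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Response is a toy DNS answer: transaction ID, owner name, answer data and, for a
// signed zone, a signature over name+data standing in for an RRSIG. Constructed
// model for illustration; no DNS wire format is handled.
type Response struct {
	TxID        uint16
	Name, RData string
	Sig         []byte
}

func msg(name, rdata string) []byte { return []byte(name + "\x00" + rdata) }

// Sign produces an answer vouched for by the zone's private key, as a signed
// authoritative server would (Ed25519 is one of DNSSEC's real signing algorithms).
func Sign(zoneKey ed25519.PrivateKey, txid uint16, name, rdata string) Response {
	return Response{TxID: txid, Name: name, RData: rdata, Sig: ed25519.Sign(zoneKey, msg(name, rdata))}
}

// Accept models a caching resolver deciding whether to cache a response. Without
// validation a matching TxID is all it takes, so a guessed TxID poisons the cache;
// with validation the data must also verify under the trusted zone public key,
// whatever server or network path delivered it.
func Accept(r Response, wantTxID uint16, trusted ed25519.PublicKey, validate bool) bool {
	if r.TxID != wantTxID {
		return false
	}
	return !validate || ed25519.Verify(trusted, msg(r.Name, r.RData), r.Sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	legit := Sign(priv, 0x1234, "www.example.", "192.0.2.10")
	forged := Response{TxID: 0x1234, Name: "www.example.", RData: "203.0.113.66"} // no zone key, no Sig
	fmt.Println(Accept(forged, 0x1234, pub, false)) // true: unvalidated cache is poisoned
	fmt.Println(Accept(forged, 0x1234, pub, true))  // false: validating cache rejects it
	fmt.Println(Accept(legit, 0x1234, pub, true))   // true: genuine signed data is cached
}
```

Channel protection such as DNSAUTH would have stopped the forged packet only on the hop it secures; the signature check is what makes the answer trustworthy wherever it came from.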
I believe the Internet is served only by advancing the capabilities in DNS, particularly combining multiple protection mechanisms to secure the DNS. This is not a check box feature set. It should be part of a holistic system to protect the server, caching-authoritative connections and the data contained in DNS. Users and network owners should not rely on single purpose protection layers. And, they should not rely on DNS services that are not compliant with DNSSEC. DNSSEC is of great importance to the Internet. As an Internet community, we must be ready on both sides of the migration line to secure end user requests and protect them from cache poisoning and similar threats. Not supporting DNSSEC, and worse actively pushing unproven alternatives, sends us all back too many years. Can I get an Amen?
.tom
One Comment
Valuable info. Lucky me I found your site by accident, I bookmarked it.