DNS was first conceived in 1983, back when one of the most memorable movie quotes of all time was popularized: “Go ahead, make my day” (Clint Eastwood in “Sudden Impact”). The internet as we know it today did not yet exist; however, ARPANET, its predecessor network, was the exclusive domain of a small group of academics and researchers, so no one gave much thought to security. A lot has changed.
For many years ISPs in certain parts of the world have been required by their regulators/governments to redirect certain websites that were deemed malicious or suspicious. DNS offered a straightforward way to do this; and Nominum, being a DNS company, developed an early mechanism using a DNS zone file that made it simple for ISPs to comply. The technology was originally named “Malicious Domain Redirection” (MDR), and it basically allowed DNS server operators to perform a single action for a given domain name. Actions could be categorized so that each action or redirection did not have to be repeated.
The importance of the DNS security protocol in general is widely understood, particularly in today’s overall security landscape. Anyone who currently manages (or has managed) caching/recursive or authoritative DNS servers knows the pain it causes when they go down. It’s bad. Without available DNS there is no internet, at least no usable internet. Generally, most, if not all applications today rely on DNS to locate resources somewhere on the internet to function. Additionally, said apps are becoming more and more reliant on the DNS.
DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters. The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems that are occurring.