Cryptographic DNS security progressing
The three organisations behind the DNSSEC test – DENIC, the German Federal Office for Information Security (BSI) and German internet association eco – posted a positive interim assessment of the project at a meeting in Frankfurt on Tuesday. This is despite ongoing questions over software support and administration, and modest user numbers: the 34 registrars taking part in the test reported only 700 second-level domain registrations between them.
Experts expect DNSSEC (DNS Security Extensions) to deliver better protection against attacks on the domain name system (DNS), such as cache poisoning, because it allows a validating resolver to check the authenticity of responses: the records in a zone are signed with the zone operator's private key, and the resolver verifies those signatures against the public key published in the zone, which is in turn vouched for by the parent zone, all the way up to the root. German internet registry DENIC has offered a signed version of the .de zone using its own infrastructure since January.
Hardware and software support is also slowly taking shape. At the Frankfurt meeting, Jan Schöllhammer of AVM announced that the next release of Fritzbox will support DNSSEC. Adaptation of DNS software such as BIND and Unbound to DNSSEC is making progress, or is at least being promised for the future. Products such as OpenDNSSEC should also help to automate complicated key management processes.
Without suitable software support, registrars run the risk of live domains disappearing from the web. Unlike an expired SSL certificate, which a browser reports with a warning the user can click through, a domain whose DNSSEC signatures have expired is simply discarded by validating resolvers: the data is treated as bogus and an error is returned to the client, so the domain becomes unreachable for everyone behind such a resolver. According to Bernhard Schmidt of the Munich-based Leibniz-Rechenzentrum, this has happened to the .gov zone used by the US government on several occasions. Thorsten Dietrich of the German Federal Office for Information Security also reports that the DNSSEC-secured domain for last year's Czech EU presidency was recently unavailable for several days.
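The outages described above come down to a signature validity window that nobody was watching. The following script is an added example, not code from the article, DENIC or the BSI: it parses the RRSIG records from `dig +dnssec` output, reports each signature's status relative to a reference time, and then applies the validator rule that an RRset is accepted if at least one of its signatures is currently valid and rejected (bogus, answered with SERVFAIL) if none is. The dig output, the zone `example.de.` and the reference time `NOW` are constructed for the example; the check only covers the time window, not the cryptographic verification or the chain of trust that a real validator also performs.

```python
"""Check RRSIG validity windows in `dig +dnssec` output.

Added example (not from the article, DENIC or the BSI). The sample
output, the zone example.de. and NOW are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed reference time: what a validating resolver's clock would read.
NOW = datetime(2010, 7, 3, tzinfo=timezone.utc)

# Constructed sample of `dig +dnssec` answer sections (signatures shortened).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.de.      3600 IN A     192.0.2.10
example.de.      3600 IN RRSIG A 8 2 3600 20100720000000 20100620000000 12345 example.de. AwEAAd...==
example.de.      3600 IN RRSIG A 8 2 3600 20100630000000 20100601000000 54321 example.de. b64sig...==
www.example.de.  300  IN AAAA  2001:db8::1
www.example.de.  300  IN RRSIG AAAA 8 3 300 20100705000000 20100605000000 12345 example.de. c2ln...==
mail.example.de. 3600 IN MX    10 mx.example.de.
mail.example.de. 3600 IN RRSIG MX 8 3 3600 20100701000000 20100601000000 12345 example.de. bXg...==
"""


@dataclass
class RRSig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    inception: datetime
    expiration: datetime


def _parse_time(field: str) -> datetime:
    """RFC 4034 presentation format: YYYYMMDDHHmmSS in UTC, or raw epoch seconds."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(dig_output: str) -> List[RRSig]:
    """Extract RRSIG records from dig output; other records and comments are skipped."""
    sigs: List[RRSig] = []
    for raw in dig_output.splitlines():
        line = raw.split(";")[0].strip()  # drop dig's ';;' comment lines
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # After RRSIG: covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
        if len(fields) < i + 10:
            continue
        sigs.append(RRSig(
            owner=fields[0],
            type_covered=fields[i + 1],
            algorithm=int(fields[i + 2]),
            expiration=_parse_time(fields[i + 5]),
            inception=_parse_time(fields[i + 6]),
            key_tag=int(fields[i + 7]),
            signer=fields[i + 8],
        ))
    return sigs


def signature_status(sig: RRSig, now: datetime = NOW,
                     warn: timedelta = timedelta(days=3)) -> str:
    """RFC 4035: a signature is usable only while inception <= now <= expiration."""
    if now > sig.expiration:
        return "EXPIRED"
    if now < sig.inception:
        return "NOT_YET_VALID"
    if sig.expiration - now <= warn:
        return "EXPIRING_SOON"  # still valid, but re-signing is overdue
    return "OK"


def rrset_status(sigs: List[RRSig], now: datetime = NOW,
                 warn: timedelta = timedelta(days=3)) -> Dict[Tuple[str, str], str]:
    """An RRset is secure if any one of its signatures is within its window, else bogus."""
    result: Dict[Tuple[str, str], str] = {}
    for sig in sigs:
        key = (sig.owner, sig.type_covered)
        usable = signature_status(sig, now, warn) in ("OK", "EXPIRING_SOON")
        result[key] = "secure" if usable or result.get(key) == "secure" else "bogus"
    return result


if __name__ == "__main__":
    found = parse_rrsigs(SAMPLE_DIG_OUTPUT)
    for sig in found:
        print(f"{sig.owner:17} {sig.type_covered:5} keytag={sig.key_tag:<6} "
              f"exp={sig.expiration:%Y-%m-%d} {signature_status(sig)}")
    for (owner, rtype), status in rrset_status(found).items():
        print(f"{owner:17} {rtype:5} -> {status}"
              + ("  (validating resolvers will SERVFAIL)" if status == "bogus" else ""))
```

Run against live data with `dig +dnssec +multi <name> <type> | python3 check_rrsig.py` after replacing `SAMPLE_DIG_OUTPUT` with `sys.stdin.read()`; in practice the `EXPIRING_SOON` threshold should be longer than the zone's re-signing interval so that a stalled signer is caught before the signatures lapse, which is exactly what went wrong in the .gov cases.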
At the Frankfurt meeting, the experts unanimously reported that validating and serving signed zones produced hardly any additional load. The BSI was unable to identify "any significant effects on newer live systems" when signing the bund.de zone. On older systems, CPU load did rise by 2 to 3%, and the transfer volume from serving the domain by 5.5%. The share of queries dealt with via TCP rather than UDP (the fallback when a signed response is too large to fit in a single UDP packet) rose by 0.3% to 0.9%.
In addition to the software changes necessitated by DNSSEC, a number of administrative questions remain outstanding. Switching hosting company, for example, now means moving keys as well as the zone, which is not entirely simple: the parent zone's record pointing at the domain's key has to be updated for the new host's key before the old one is retired, so domain customers are reliant on the cooperation of their previous host. Swiss provider SWITCH plans to only allow transfers if the new host supports DNSSEC. DENIC CEO Sabine Dolderer gives this type of paternalism short shrift.
The first key signing key (KSK) for the DNS root zone was generated at a seven-hour signing ceremony on Tuesday. After the 15th of July, the root zone will only be available in signed form. It is likely to be some time before every link in the chain of trust, from the root through the top level domains down to individual domains, is in place. DENIC is to make a decision on starting to use DNSSEC for operating the .de top level domain towards the end of this year.
- DNSSEC on all root servers, a report from The H.
- More security for root DNS servers, a report from The H.
(Monika Ermert / crve)