By Brian Cowan
Major security enhancements to the way that the Domain Name System (DNS) is protected have been delayed because many ISPs and large internet users are not ready for them. The new method of securing DNS records, which was due to roll out on October 11th, has been postponed.
For the non-IT readers, the DNS system provides the link between the website name that you type (www.keytech.co.uk) and the actual internet record for that address, which is stored as a number. It makes internet access the simple and convenient service that we all enjoy.
The changes involve the issuing of a new cryptographic key known as the Root Zone Key Signing Key (KSK). This is distributed to Internet Service Providers (ISPs) and major users (classed as Resolvers). These keys, once applied, will enable greater security of the DNS address information at the Resolvers, reducing the risk of address spoofing and address redirection by hackers. This will move access from the traditional DNS model to the more secure DNSSEC (DNS Security Extensions) level.
This “Master Key” is in effect a password, and is used by Resolvers to sign secure DNS records. It has not been changed since 2010 (not sure I would get away with keeping the same password for 7 years with our Admins). It is created and issued by the Internet Corporation for Assigned Names and Numbers (ICANN).
DNS Security changes for Internet Users
The current DNS system has become vulnerable to cyber attackers over the years. Criminals have gained access to local DNS servers and inserted false records. A User then searches for a website, for example their bank, by typing www.thebankname.com, but is directed to a site set up by the criminals to mimic the bank. Once there, the User is prompted to provide security information for their account.
The new DNSSEC system will apply digital signatures to the DNS records, ensuring that when Users request access, they are directed to the correct site. This should eliminate a major threat to Users and organisations.
ICANN – doing things properly
Normally, when you read about delivery delays it is in a negative context. On this occasion I believe that it demonstrates a great amount of planning and due diligence. Research by ICANN revealed that many Resolvers were running versions of DNSSEC that were not correctly updated or did not have the new key installed. Had the rollout gone ahead on October 11th, an estimated one in four Internet Users would have been affected. ICANN estimates this to equate to approximately 750 million people who use DNSSEC.
Consequently, the decision was correctly taken to delay the rollout of this enhanced DNS security.
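The problem ICANN found, a resolver whose configured trust anchor no longer matches any KSK published in the zone, can be checked offline from a copy of the zone's DNSKEY records. The Python below is an added example, not ICANN's or this post's own code: it parses dig-style DNSKEY lines, computes RFC 4034 key tags and SHA-256 DS digests, and reports whether a resolver's trust-anchor set would still validate the zone. The DNSKEY records and the trust anchors used are constructed placeholders, not the real root keys.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY RRset in dig-style presentation format (these are
# NOT the real root zone keys; the public keys are tiny placeholders).
SAMPLE_ROOT_DNSKEYS = [
    ". 172800 IN DNSKEY 257 3 8 AQAB",  # flags 257 = KSK (SEP bit set)
    ". 172800 IN DNSKEY 256 3 8 AQAC",  # flags 256 = ZSK
]

def parse_dnskey(line):
    """Split one presentation-format DNSKEY line into owner, flags, protocol, algorithm, key bytes."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}

def dnskey_rdata(key):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]

def key_tag(key):
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the RDATA (not valid for algorithm 1)."""
    ac = 0
    for n, b in enumerate(dnskey_rdata(key)):
        ac += b << 8 if n % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(key):
    """The Secure Entry Point bit (flags & 1) marks a key signing key."""
    return bool(key["flags"] & 0x0001)

def ds_sha256(key):
    """SHA-256 DS digest over owner name (wire format) + RDATA, the form trust anchors are published in."""
    labels = [l for l in key["owner"].rstrip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire_name + dnskey_rdata(key)).hexdigest().upper()

def trust_anchor_check(dnskey_lines, trusted_ds_digests):
    """Return (ok, ksk_tags): ok is True when at least one KSK in the zone matches a DS digest
    the resolver trusts; a resolver holding only the old anchor fails validation after rollover."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    ksks = [k for k in keys if is_ksk(k)]
    ok = any(ds_sha256(k) in trusted_ds_digests for k in ksks)
    return ok, [key_tag(k) for k in ksks]
```

Feed it the DNSKEY lines from a real query of the zone and the DS digests in the resolver's trust-anchor file to see whether that resolver would keep validating once the old key is withdrawn.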
The following ICANN video provides more information on planning and preparing for DNSSEC.