
DNSSEC

It’s been in the news lately. Both the Root Domain and the .ORG domain are implementing DNSSEC. So what does that mean? It means that a lot of attacks that require spoofing DNS will no longer work as easily.

There is lots of information over at dnssec.net, including links to all of the relevant RFCs, but I’m going to give the simple layman’s description of DNSSEC. DNSSEC uses Public Key cryptography, so a basic understanding of it will be very useful.

The root (.) domain authorizes all of the top-level domains (TLDs), things like .net, .com, and .org (among many others). Each TLD owner then authorizes the creation of sub-domains, like securitymusings.com. When a domain implements DNSSEC, it means that it will sign all of its responses.

If I want to know the IP address of securitymusings.com, my computer first asks my ISP’s DNS servers. They don’t know, so they tell my computer to ask the root domain who to ask about the .com domain. The root domain responds with the IP address(es) of the DNS server(s) that control the .com domain. Then I ask the .com DNS server for the IP address of securitymusings.com. It doesn’t know either, but it does know the DNS server for securitymusings.com, so it sends me there. Finally, when I ask (again) what the IP address of securitymusings.com is, the proper DNS server responds. There’s a lot of caching going on in there, but we can ignore it for now.

With DNSSEC, each domain will need its own private key. All responses from that domain’s DNS servers will be signed with that private key, and so on down the list of responses I get. My client has to check the validity of each signature on each response. It adds a bit of overhead, but the spec still allows for caching, and that will help speed the process up a bit.
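A toy version of that chain of trust, added here as an example and not taken from the post: the root, .com and securitymusings.com each get their own key, each parent signs a DS for its child's key, and the resolver checks every signature from the root key down to the final answer. The DS-as-SHA-256 shortcut, the record strings and the 192.0.2.10 / 198.51.100.7 addresses are constructed stand-ins, not real DNSSEC record formats or real data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Link is one delegation hop: the child zone's public key plus the parent's signature over a
// DS of it. Constructed stand-in: real DNSSEC uses DNSKEY/DS/RRSIG records; here DS = SHA-256.
type Link struct {
	ChildPub ed25519.PublicKey
	DSSig    []byte
}

// DS is what a parent zone publishes to vouch for a child zone's key.
func DS(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }

// Validate does the resolver's job from the post: start at the trust anchor (the root key),
// verify each delegation downward, then verify the answer with the leaf key. One bad hop = bogus.
func Validate(anchor ed25519.PublicKey, chain []Link, answer, sig []byte) bool {
	cur := anchor
	for _, l := range chain {
		if !ed25519.Verify(cur, DS(l.ChildPub), l.DSSig) {
			return false
		}
		cur = l.ChildPub
	}
	return ed25519.Verify(cur, answer, sig)
}

// Demo gives root, .com and securitymusings.com their own keys, has root vouch for .com and
// .com vouch for the leaf, signs a constructed A record, then validates. spoof=true forges the
// answer with an attacker's key whose DS is self-signed rather than signed by .com.
func Demo(spoof bool) bool {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	comPub, comPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Link{{comPub, ed25519.Sign(rootPriv, DS(comPub))}, {leafPub, ed25519.Sign(comPriv, DS(leafPub))}}
	answer := []byte("securitymusings.com. A 192.0.2.10") // constructed record
	sig := ed25519.Sign(leafPriv, answer)
	if spoof {
		evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
		answer = []byte("securitymusings.com. A 198.51.100.7") // constructed forged record
		sig, chain[1] = ed25519.Sign(evilPriv, answer), Link{evilPub, ed25519.Sign(evilPriv, DS(evilPub))}
	}
	return Validate(rootPub, chain, answer, sig)
}

func main() { fmt.Println("genuine validates:", Demo(false), "spoofed validates:", Demo(true)) }
```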

So, if you own a .org domain, what can you do about it? If you’re running your own DNS servers, you can have your domain signed by the .org key. You’ll have to check with your registrar to see how (and when) to go about doing that. As far as I know, none are offering it yet. Those with .com domains? You’re out of luck for a while unless you’re going to use it internally only.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

3 Responses to “DNSSEC”

  1. Grec’s Weekly Infosec Ramblings for 2009-06-14 | NovaInfosecPortal.com Says:

    [...] @geminisecurity New blog post: DNSSEC http://securitymusings.com/article/1117/dnssec #novablogger [...]

  2. Grec’s Weekly Infosec Ramblings for 2009-06-15 | NovaInfosecPortal.com Says:

    [...] @geminisecurity New blog post: DNSSEC http://securitymusings.com/article/1117/dnssec #novablogger [...]

  3. Security Musings » Blog Archive » DNSSEC .ORG TLD Signature Says:

    [...] covered DNSSEC a bit in a previous post, and it’s interesting to see how much progress has been made since then. DNSSEC isn’t new. In [...]
