EPIC - DNSSEC

Overview

What is DNSSEC?

The Domain Name System (DNS) is a distributed hierarchical system used by servers that use the Internet Protocol (IP) to convert IP addresses (such as 85.135.343.120) into names and vice versa. Web browsers, FTP clients and mail clients use DNS so end users don't have to type in IP addresses but can just use 'www.epic.org'. However, DNS was never designed to be secure. This gives rise to a set of problems which originate from the fact that a request for a domain name to a server is not authenticated. This means that any server can pretend to be a Domain Name System server. Most users of the Internet use the default DNS server from their ISP. Hackers can divert the traffic from this server to another DNS server, which can direct you to malicious websites. Without noticing, the end user can be directed to malicious websites that ask for personal credentials, a practice known as phishing.

DNSSEC was developed by the Internet Engineering Task Force (IETF) to overcome these problems. Authentication of responses is the main mechanism that provides security in DNSSEC. When a client (Internet resolver) requests the domain name for an IP address, DNSSEC provides for a reply that carries a signature. With this signature, the client can authenticate the message.

Use of DNSSEC in Sweden, Bulgaria, Brazil and Puerto Rico

DNSSEC has been implemented in Sweden, Bulgaria, Brazil and Puerto Rico. In Sweden DNSSEC was part of a pilot program by the Swedish registry of ICANN to implement DNSSEC as a commercial service. Participants were the Ministry of Enterprise, Energy and Communications, the registry of .SE, Swedish ISP TeliaSonera, Swedish bank Swedbank group and the Swedish National Post and Telecom Agency.

A survey amongst top-level domain owners in Sweden showed that the biggest barrier for DNSSEC is adoption. Only 14% of the top-level domain owners said that DNSSEC is very interesting as a commercial service and 54% indicated that a 50-euro annual charge was rather high. Furthermore, the biggest Swedish ISP pointed out that DNSSEC could be a waste of resources if the hosting of websites uses DNSSEC but the pointers to those websites (the DNS resolvers) do not support DNSSEC. As most Internet users only use the resolvers provided by their (domestic) ISPs, this means that adoption by these ISPs forms a bottleneck.
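The signed reply described under "What is DNSSEC?" and the resolver bottleneck described above can both be seen on the wire. The following is an added example, not part of the original page: it builds a query that sets the EDNS0 DO bit to request signatures, then inspects a reply for RRSIG records and the AD (authenticated data) header flag. It does not verify signatures; the replies are constructed sample data and all function names are illustrative.

```python
import struct

RRSIG, OPT = 46, 41     # RR types: DNSSEC signature, EDNS0 pseudo-record
AD_FLAG = 0x0020        # header bit: the resolver says it validated the answer
DO_FLAG = 0x8000        # EDNS0 bit: the client asks for DNSSEC records

def encode_name(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 1232, 0, 0, DO_FLAG, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)     # pointer is 2 bytes, root label 1

def inspect_response(msg):
    """Report the AD flag and whether the answer section holds an RRSIG."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"validated": bool(flags & AD_FLAG), "signed": RRSIG in types}

def sample_response(ad, signed):
    """Constructed reply for www.epic.org; the RRSIG body is filler, not a real signature."""
    rr = lambda t, rdata: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    answers = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(RRSIG, b"\x00" * 24)] if signed else [])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (AD_FLAG if ad else 0), 1, len(answers), 0, 0)
    return header + encode_name("www.epic.org") + struct.pack("!HH", 1, 1) + b"".join(answers)

if __name__ == "__main__":
    for ad, signed in [(False, False), (False, True), (True, True)]:
        print(ad, signed, inspect_response(sample_response(ad, signed)))
```

A set AD flag is only the resolver's claim that it validated the signatures. It can be relied on only when the path to that resolver is itself trusted; otherwise the client has to verify the RRSIG records itself.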

Use of DNSSEC for the .ORG domain

After the implementations of DNSSEC in Sweden, Bulgaria, Brazil and Puerto Rico, ICANN has announced a Request for Comments on implementing DNSSEC on the Public Interest Registry's. This means that all the .org domains would be fitted with the DNSSEC extension. As of March 15, 2008, only one comment has been placed on the forum of ICANN.

Complexities

Technical complexities

Social complexities

Resources

General

Technical complexities of DNSSEC

Policy implications of DNSSEC

Other coverage
