Verisign to hack-proof domains

A technology that would make the Internet's Domain Name System hacker proof will become available to I-managers early next year--but it will still be several years before any secure DNS standards become widely used.
Written by Todd Spangler, Contributor

A technology that would make the Internet's Domain Name System hacker proof will become available to I-managers early next year--but it will still be several years before any secure DNS standards become widely used.

VeriSign, which operates the Net's dot-com, dot-net and dot-org name registries, hosts a secure DNS test bed for developers that uses an Internet Engineering Task Force protocol called DNS Security. Currently, Veri Sign's DNSSec test bed is restricted to authenticating only a few sample domain names. But in the first quarter of 2002, the company plans to make a trial version of the service available to customers so they can start securing their dot-com names, said Warwick Ford, chief technology officer of VeriSign.

"We're removing the risk of manipulating the DNS," Ford said. "This is work still in progress, but it's a standards-track project."

VeriSign has not yet settled on pricing or timing for the launch of the secure DNS service for dot-com or other top-level domain (TLD) names, a company spokeswoman said.

The DNSSec protocol--in the works for more than four years--is designed to stop DNS "hijacking," which occurs when a hacker tampers with a site's DNS information and misdirects visitors to an alternate server. In recent years, several high-profile sites, including those of McDonald's and RSA Security, have fallen victim to such hacks, which send a user to a bogus Web site that appears to be the company's legitimate site.

DNS servers match a site's URL, such as "www.interactiveweek.com," with its numeric IP address. DNSSec enhances that basic function, using a digital signature to verify that the IP address served up is, in fact, the authorized one.

Name Games
Two high-profile cases of domain name hijacking:
February 2000: RSA Security's home page was redirected to a page that read, "RSA Security Inc. hacked! Praise Allah! The most trusted name in E-security has been owned;" hacker Coolio used a technique known as Domain Name System cache poisoning to pull off the stunt.
February 2001: McDonald's U.K. domain name server was attacked by a hacker named Fluffy Bunny, who sent visitors to a bogus site.

But several hurdles need to be cleared before DNSSec becomes practical for many e-businesses. One problem VeriSign has encountered is that the current version of the DNSSec protocol requires each "zone"--the group of domain names included under one authoritative DNS server--to secure all of its subdomains at once. In other words, it's all or nothing. That would present a huge operational problem in securing the dot-com TLD--by far the largest TLD, with about 25 million names.

To bypass this difficulty, VeriSign has drafted an "opt-in" extension to the DNSSec that will allow VeriSign to sign up the dot-com zone incrementally instead of all at once, said Mark Kosters, VeriSign's vice president of research. The opt-in proposal must still undergo IETF review, he said.

There is also a performance penalty associated with secure DNS transactions. An unsecured DNS response today is about 200 bytes, whereas a DNSSec response can be as much as 10 times that, said David Conrad, CTO of Nominum, which has developed the most recent versions of the Berkeley Internet Name Domain server. BIND runs an estimated 90 percent of the DNSes in use today.

Additional overhead, as well as the general complexities of introducing a new technology, will cause operators of the Internet's root servers--the 13 authoritative servers that sit at the top of the DNS hierarchy--to shun a speedy adoption of DNSSec. "Root server operators are a very conservative bunch," said Conrad, whose company provides operational support for two of the DNS root servers.

While DNS servers that are not secure are able to receive responses from DNSSec-enabled servers, those results would not be authenticated.

"It's one of those things where so much of it requires the entire Internet to support it in order for it to really work," said John Pescatore, Gartner's chief Internet security analyst. "From a security goodness point of view, it's a really solid idea. But right now [without wider DNSSec acceptance], there isn't any glaring problem DNSSec solves for any individual company."

Editorial standards