A technology that would make the Internet's Domain Name System
hacker proof will become available to I-managers early next
year--but it will still be several years before any secure DNS
standards become widely used.
VeriSign, which operates the Net's dot-com, dot-net and dot-org
name registries, hosts a secure DNS test bed for developers
that uses an Internet Engineering Task Force protocol called
DNS Security. Currently, Veri Sign's DNSSec test bed is restricted
to authenticating only a few sample domain names. But in the
first quarter of 2002, the company plans to make a trial version
of the service available to customers so they can start securing
their dot-com names, said Warwick Ford, chief technology officer
"We're removing the risk of manipulating the DNS," Ford said.
"This is work still in progress, but it's a standards-track
VeriSign has not yet settled on pricing or timing for the launch
of the secure DNS service for dot-com or other top-level domain
(TLD) names, a company spokeswoman said.
The DNSSec protocol--in the works for more than four years--is
designed to stop DNS "hijacking," which occurs when a hacker
tampers with a site's DNS information and misdirects visitors
to an alternate server. In recent years, several high-profile
sites, including those of McDonald's and RSA Security, have
fallen victim to such hacks, which send a user to a bogus Web
site that appears to be the company's legitimate site.
DNS servers match a site's URL, such as "www.interactiveweek.com,"
with its numeric IP address. DNSSec enhances that basic function,
using a digital signature to verify that the IP address served
up is, in fact, the authorized one.
|Two high-profile cases of domain name hijacking:|
|February 2000: RSA Security's home
page was redirected to a page that read, "RSA
Security Inc. hacked! Praise Allah! The most
trusted name in E-security has been owned;"
hacker Coolio used a technique known as Domain
Name System cache poisoning to pull off the
|February 2001: McDonald's U.K. domain
name server was attacked by a hacker named Fluffy
Bunny, who sent visitors to a bogus site.|
But several hurdles need to be cleared before DNSSec becomes
practical for many e-businesses. One problem VeriSign has encountered
is that the current version of the DNSSec protocol requires
each "zone"--the group of domain names included under one authoritative
DNS server--to secure all of its subdomains at once. In other
words, it's all or nothing. That would present a huge operational
problem in securing the dot-com TLD--by far the largest TLD,
with about 25 million names.
To bypass this difficulty, VeriSign has drafted an "opt-in"
extension to the DNSSec that will allow VeriSign to sign up
the dot-com zone incrementally instead of all at once, said
Mark Kosters, VeriSign's vice president of research. The opt-in
proposal must still undergo IETF review, he said.
There is also a performance penalty associated with secure
DNS transactions. An unsecured DNS response today is about 200
bytes, whereas a DNSSec response can be as much as 10 times
that, said David Conrad, CTO of Nominum, which has developed
the most recent versions of the Berkeley Internet Name Domain
server. BIND runs an estimated 90 percent of the DNSes in use
Additional overhead, as well as the general complexities of
introducing a new technology, will cause operators of the Internet's
root servers--the 13 authoritative servers that sit at the top
of the DNS hierarchy--to shun a speedy adoption of DNSSec. "Root
server operators are a very conservative bunch," said Conrad,
whose company provides operational support for two of the DNS
While DNS servers that are not secure are able to receive responses
from DNSSec-enabled servers, those results would not be authenticated.
"It's one of those things where so much of it requires the
entire Internet to support it in order for it to really work,"
said John Pescatore, Gartner's chief Internet security analyst.
"From a security goodness point of view, it's a really solid
idea. But right now [without wider DNSSec acceptance],
there isn't any glaring problem DNSSec solves for any individual