DNSSEC: exchanging one threat for another?

Security geeks have a permanent blind spot: "potential for misapplication of security technology." The problem also afflicts scientists in science-fiction B-movies where the giant robot decides that it wants to serve mankind crispy-fried and the story ends by reflecting on our inability to appreciate the simple life we once had.

With this in mind it's with some trepidation that I embrace DNS Security Extensions (DNSSEC).

How does it work?

The Domain Name System (DNS) is a huge database that is used to convert a computer's name (blogs.computerworlduk.com) into an Internet Address ( somewhat like a phonebook; but unlike a phonebook the DNS is distributed, dynamic and delegated so that changes may be administered by people who are close to the systems being modified, rather than by some central authority.

The distributed nature of traditional DNS leads to security problems: users may - by a variety of means - be deceived so that although your browser asked for the IP address for blogs.computerworlduk.com it may instead receive the IP address of some evil hacker who lives somewhere upstream.

This could be a bad thing, especially if your creditcard is involved.

Hence DNSSEC: to a first approximation it's wonderful, solves a boatload (but not all) of network-address-based security holes, and should have been done decades ago.

DNSSEC provides a chain of trust giving the DNS user some certainty that he is not being lied-to; in our example:

  • The DNS "root" server authoritatively cites a DNS server for the .com domain
  • The server for the .com domain authoritatively cites another one for the computerworlduk.com domain
  • The server for computerworlduk.com authoritatively cites the blogs.computerworlduk.com webserver at
  • The user now has confidence that the IP address of blogs.computerworlduk.com is

...all of this being crosschecked against a daisychain of cryptographic certificates as your query is processed.

What are the upsides?

Before DNSSEC the users had no way to be confident that they're not being deceived about IP addresses; you might want to connect to www.amazon.com but it's horrifyingly easy for someone in a cybercafe to provide you with a bogus IP address and thus connect you to a fake Amazon storefront. Your defence against that attack was supposed to be SSL-certificates, but those have their own problems:

  1. People tend to connect to the insecure http:// website before it redirects them to the "secure" https:// one - this sequence of page loading provides an opportunity to fool the insufficiently paranoid, redirecting them to a fake "secure site".
  2. There are too many organisations who are in a position of trust, perhaps unwarranted, where they would be able to forge credentials for a fake amazon.com or similar.

Put differently: if you're in a sufficiently hostile environment it means nothing that your browser's "padlock" icon is closed.

DNSSEC does not solve this problem, but it raises the bar a lot higher.

What are the downsides?

Primarily that we're not there yet; DNSSEC infrastructure is far from complete and we're looking at years before there is a majority of coverage. So far the root key has been signed, and a handful of the top-level keys; it'll be ages before it percolates out to ISP level.

But this sounds good - so why so miserable?

Because I know how my peers think - specifically that portion of them who believe in the rule of order. The temptation to editorialise will be immense.

DNSSEC underscores a enormous shift in mentality from DNS being a queryable repository of IP addresses to being an authoritative repository reflecting the validity of a site being on the web.

Note that I said validity of a site, rather than its IP address; there hangs a big difference. Currently when the state, executive or judiciary gets angry at a website their first response is to have it removed from the InternetWeb DNS, as happened to WikiLeaks back in 2008; this serves only to engage peoples' interest and so is a fruitless endeavour. The state has now learned - to some extent - that this technique does not work.

But now we will have DNSSEC and an opportunity for security compliance wonks to build upon it and regain some of what they once had; some functionary will eventually propose that for the sake of auditing all operating systems must be able to resolve / reverse-lookup any IP address to which you connect, and instantly DNSSEC will become a Internet whitelist and filter.

After all, it'd be so much better than what we've currently got, and won't people please just think of the children? Plus all of those movie-stealing bittorrent servers running on DSL lines without proper DNS registration will suddenly become client-only machines, able to make outbound connections to useful retail sites and providers who prop up the economy, but unable to serve data. Why would anyone need to do that? Gamers and the likes of Skype could "migrate" to a hierarchy-friendly "hub-and-spoke" client/server model; peer-to-peer and tools like Tor could be expunged...

And in the future when your IP address stops looking like and starts looking like 2001:4f8:0:2::d then you will need DNS more than ever...

Of course it will take an additional (and stupid) step to get to this state - it always does take an extra step to sleepwalk off a cliff; but as soon as a space becomes capable of effecting editorial control then somebody will try and use it, and then things will go badly.

The business model for Clipper adoption was to make it a requirement for hardware sales to the US Government. From this I can easily imagine an initiative for federally-specified TCP/IP stacks, or a mandate for child-friendly shims for browsers, shared libraries and software interpreters.

So I consider DNSSEC mostly as a massive boon for security, but also a little bit as a potential DRM for the Internet - and it is that latter bit that scares me.

DNSSEC is valuable, it's a really great idea, it needs to be embraced like a beloved porcupine. Carefully.

Update: techies: see comments for worked gedanken example.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.


Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon