Improved security of the Domain Name System - PTS-ER-2006:36
12/10/2006
Internet users of today expect the availability and security of the Internet to be satisfactory, and this also applies to the crucial DNS service. A number of different functions are required to ensure correct, traceable and sufficiently rapid responses to DNS queries. This report is oriented towards the functions that are of importance for the availability and security of DNS, with a particular focus on the deployment and use of the IETF standard DNS Security Extensions, also called DNSSEC.
The Swedish top-level domain .se is the first national top-level domain in the world to introduce DNSSEC, a more secure technique for name resolution on the Internet. However, it is not enough that the .se zone is configured for DNSSEC. Underlying domains and the end-users’ name servers also need to be configured to support DNSSEC. In line with the introduction of DNSSEC performed by the Foundation for Internet Infrastructure (IIS), Post- och Telestyrelsen (the National Post and Telecom Agency in Sweden) has performed tests of DNSSEC on the .se domain. Experts were engaged for this work, which, apart from a description of functionality and definitions in DNSSEC, focused on testing the implementation and administration of DNSSEC on a subdomain of .se.
The results of the tests show that implementing DNSSEC is generally simple. What is missing today are good tools for automating DNSSEC administration (key generation and zone signing). Standardization of such tools appears to be a necessity for the use of DNSSEC to take off. Otherwise, the increased manual work needed for administration will counteract the increased security that DNSSEC offers.
Despite the imperfections mentioned above, DNSSEC is the right choice for achieving increased trust in the DNS and the Internet as a whole. DNSSEC should first be implemented by operators at higher levels of the DNS hierarchy. Once this has happened, enterprises, organisations and authorities with heavy security demands can ask their DNS operators for DNSSEC support and, if applicable, implement DNSSEC in the name servers, e.g. resolvers, that they administer themselves.