DNSSEC: Why it matters

In Jan 2014, Ultra Electronics AEP warned that only around half (53 per cent) of global top-level domains (TLDs) are ‘secure’ – meaning they have been signed with Domain Name System Security Extensions (DNSSEC). Last year, Google stated that just seven per cent of queries from the client side are DNSSEC enabled, indicating a very low level of take-up by website owners.

But why does this matter?

There are many dangers with unsecured domains, not least that DNS can be spoofed, potentially directing Internet users straight into the hands of cyber criminals via fake websites that often look just like the real thing. We saw this recently with eBay and PayPal, where for a short time users in certain countries were directed to a fake site run by the Syrian Electronic Army. In this attack, the motivation was more to attract publicity, but it could have been so much worse had the intent been to steal data.

In 2008, security researcher Dan Kaminsky discovered that it was much easier to poison nameserver caches than previously understood, thereby increasing the potential for feeding bogus DNS information to unwitting clients. Since then, there has been growing interest around the benefits of DNSSEC. Today it is common knowledge in the IT security profession that DNS is one of the easiest things to target in a distributed denial of service (DDoS) attack.

DNSSEC uses public key cryptography to digitally sign DNS data. It means that responses to DNS queries are digitally signed by the DNS server using private keys and are automatically verified by the client using the corresponding public key. Digital signing also guarantees the validity of DNS responses. As such, Internet users are protected from the fraudulent DNS responses that could contribute to phishing techniques and other forms of fraud.

Industry bodies such as ICANN are working with owners of Top Level Domains (TLDs) and website owners to make the world’s Internet a safer place; however, the current statistics indicate that the adoption rate really needs to accelerate. Over time we will all start to benefit fully from DNSSEC via the chain of security it establishes from content source to end user, but it must be supported by every entity along this chain, e.g., ISPs and domain name owners.
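Each link in that chain is a DS record: the parent zone publishes a hash of the child zone's DNSKEY. As an added example (not AEP's code and not part of the original article), this Python code computes the key tag and DS digest as specified in RFC 4034 and checks a DNSKEY against a DS record; the key bytes and `example.com` are constructed sample values and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# DS digest types -> hash constructors (RFC 4034, RFC 4509, RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, algorithm, digest_type=2):
    """DS fields the parent zone would publish for this DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds, owner, rdata):
    """True if the child's DNSKEY is the one the parent's DS record vouches for."""
    if ds["digest_type"] not in DIGESTS:
        return False  # unknown digest type: treat the link as unverified
    if ds["algorithm"] != rdata[3] or ds["key_tag"] != key_tag(rdata):
        return False  # the key tag is only a lookup hint, so keep checking
    expected = make_ds(owner, rdata, rdata[3], ds["digest_type"])["digest"]
    return hmac.compare_digest(expected, ds["digest"].lower())

# Constructed sample data: a made-up 64-byte "public key", not a real zone's key.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = make_ds("example.com.", SAMPLE_KEY, 13)

if __name__ == "__main__":
    swapped = bytearray(SAMPLE_KEY)
    swapped[4], swapped[6] = swapped[6], swapped[4]  # same key tag, different key
    print("published key accepted:", ds_matches(SAMPLE_DS, "Example.COM", SAMPLE_KEY))
    print("key tags equal:", key_tag(bytes(swapped)) == SAMPLE_DS["key_tag"])
    print("altered key accepted:", ds_matches(SAMPLE_DS, "example.com.", bytes(swapped)))
```

The altered key keeps the same key tag because the tag is a simple checksum; only the digest comparison rejects it.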

DNSSEC has the potential of becoming a critical link for a wide range of industry applications.


AEP has been at the heart of efforts to protect the world’s Internet users. On June 16, 2010, AEP’s Ultra Safe Keyper™ product signed the DNS root of the Internet, the dot, forming part of an elite international circle of trust protecting the web from being hijacked. Since then, their technology has signed many of the world’s top-level Internet domains.

To find out how AEP's DNS solution can protect your business and customer information contact sales@mpa.co.nz

 
