Are You Ready for the Net’s Biggest Security Upgrade?

Domain Name System Security Extensions (DNSSEC) were switched on for .com domain names late last week, in a final stage of one of the biggest security upgrades the Internet has seen.

DNSSEC extends the age-old domain name system (DNS) by allowing domains to be digitally signed--and thereby authenticated--by end users. (DNS is what’s used to convert human-readable web addresses like pcworld.com into numeric IP addresses like 70.42.185.10, that are understood by computers.)

The system makes it harder for hackers to carry out so-called "man-in-the-middle" attacks whereby hackers fake the DNS records for a Website to send visitors to a site that looks identical to the real thing, in order to harvest personal details.

DNSSEC is not the same as HTTPS, the system that secures connections between Websites and browsers, and is used by banks and e-mail services, among others, to avoid data being viewed while in transit. Instead, DNSSEC is strictly limited to authenticating domain look-ups. It doesn’t encrypt data or stop any other kind of hack attack, such as Denial of Service (DoS) attacks.

The .com top-level domain (TLD) is one of the last major TLDs to be switched over in a process that began several years ago. The .net and .org domains both gained DNSSEC last year, and the governmental .gov domain was one of the first to be upgraded, after the US Office of Management and Budget (OMB) mandated in 2008 all .gov domains should be upgraded by the following year (although it’s claimed up to half haven’t yet managed to make the switch).

So what do you need to do if you run a Website? There’s no rush to do anything because DNSSEC isn’t mandatory, nor will the upgrading of the .com TLD (or any other TLD) mean existing DNS look-ups will no longer work. DNSSEC was designed to be introduced slowly and is backwards compatible.

However, you should contact your domain registrar and ask if you can activate DNSSEC for your domain names. They should at least be working on letting you do so, if they haven’t already put in place the facilities to make it so. One of the largest registrars, GoDaddy, has been working on such a scheme for quite a while. It’s likely that the slight complexity in creating DNSSEC records will incur a charge--GoDaddy charges a few dollars a month for up to five DNSSEC domains, for example.

Although it’s not strictly necessary, you might like to contact your internet service provider (ISP) and ask about when they’re going to switch their DNS resolving services to DNSSEC in order to help protect end-users. At the moment such ISPs are few and far between, and out of the major players, only Comcast is doing so as part of its Constant Guard service.

Note that DNSSEC is invisible to end users and requires zero input, unless a domain mismatch occurs, at which the DNS lookup will simply fail with a “site not found” message.

When it comes to workstations, Windows 7 doesn’t perform DNSSEC lookups itself. This is because of the complexity of setting up the system on each computer. Instead, it is able to detect whether the DNS lookup server it’s using is DNSSEC-aware, and ask it to use DNSSEC on its behalf.

You can download an extension for Firefox that understands DNSSEC and will display a key icon next to the URL when an DNSSEC-compatible website has been accessed. But that’s about all end-users can do right now. It’s likely that DNSSEC will become a built-in feature of browsers and all Internet-aware software as time goes on.

Subscribe to the Security Watch Newsletter

Comments