Google has started fully supporting DNSSEC, the domain name security standard, on its Public DNS service.
According to a blog post from the company, while the free-to-use DNS resolution service has always passed on DNSSEC requests, now its resolvers will also validate DNSSEC signatures.
What does this mean?
Well, users of Public DNS will get protected from DNS cache poisoning attacks, but only for the small number of domains (such as domainincite.com) that are DNSSEC-signed.
It also means that if a company borks its DNSSEC implementation or key rollover, it’s likely to cause problems for Public DNS users. Comcast, an even earlier adopter, sees such problems pretty regularly.
But the big-picture story is that a whole bunch of new validating resolvers have been added to the internet, providing a boost to DNSSEC’s protracted global roll-out.
Currently Google Public DNS is serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day. However, only 7% of queries from the client side are DNSSEC-enabled (about 3% requesting validation and 4% requesting DNSSEC data but no validation) and about 1% of DNS responses from the name server side are signed. Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment.
One has to wonder whether Google’s participation in the ICANN new gTLD program — with its mandatory DNSSEC at the registry level — encouraged the company to adopt the technology.
The proposed .secure generic top-level domain is now officially contested, after NCC Group, best known in the domain industry for its data escrow services, announced a bid.
Newly formed NCC subsidiary Artemis Internet Inc, based in San Francisco, is the official applicant.
According to Artemis chief technology officer Alex Stamos, who co-founded security testing firm iSEC Partners and sold it to NCC for $22.8 million two years ago, this is a hard security play.
The .secure gTLD would be all about enforcing strict security policies on registrants, he said.
“Right now there are a lot of interesting security technologies out there, but they’re generally not very effective because they’re optional,” he said.
As well as premium pricing and a manual registrant verification process expected to take about two weeks – complete with mailing address confirmation and two-factor authentication tokens – Artemis plans to force registrants to adhere to certain baseline security policies.
For example, all .secure web sites would have to be completely HTTPS, Stamos said. The only permissible use of a standard port 80 URL would be to redirect to the encrypted site.
The same would go for mail servers – they’d all have to use TLS to encrypt email as standard.
“When you go to bank.secure you’ll know that the software and servers at the other end are going to make the most secure decisions possible,” Stamos said.
Artemis would scan its registrants’ sites for compliance with these baseline rules, looking out for things such as botched SSL implementations.
But Artmeis wants to take it a step further. It is also proposing a new protocol, Domain Policy Framework, which would let registrants publish their security policies in the DNS.
Stamos said the company has set up a Domain Policy Working Group to develop the spec, which it plans to submit to the IETF for standardization before the end of the year.
The other members of the working group, which promise to include some “influential” names in financial services, software and social media, will be announced in July.
DPF would work alongside the existing DNSSEC and DANE protocols to enable registrants to specify, for example, which Certificate Authorities browsers should trust when accessing their .secure domain, preventing certain types of attacks, Stamos said.
Obviously, this system is not going to work without support from browser software, but Stamos said he’s hopeful that the big vendors will embrace the DPF spec.
“The most innovative and forward-leaning browsers will support it first,” he said.
Domains in .secure would still be accessible by non-compliant browsers, he said.
ARI Registry Services has been hired to manage the back-end registry, but Artemis is also building a secondary registry system for storing the DPF records, which it plans to offer to other TLD registries.
NCC plans to invest up to £6 million ($9.7 million) in Artmeis over the next 15 months, according to a press release.
Another firm, Domain Security Company, also plans to apply for .secure.
Five of the world’s leading DNS experts have come together to draft a report slamming America’s proposed PROTECT IP Act, comparing it to the Great Firewall of China.
In a technical analysis of the bill’s provisions, the authors conclude that it threatens to weaken the security and stability of the internet, putting it at risk of fragmentation.
The bill (pdf), proposed by Senator Leahy, would force DNS server operators, such as ISPs, to intercept and redirect traffic destined for domains identified as hosting pirated content.
The new paper (pdf) says this behavior is easily circumvented, incompatible with DNS security, and would cause more problems than it solves.
The paper was written by: Steve Crocker, Shinkuro; David Dagon, Georgia Tech; Dan Kaminsky, DKH; Danny McPherson, Verisign and Paul Vixie of the Internet Systems Consortium.
These are some of the brightest guys in the DNS business. Three sit on ICANN’s Security and Stability Advisory Committee and Crocker is vice-chairman of ICANN’s board of directors.
One of their major concerns is that PROTECT IP’s filtering would be “fundamentally incompatible” with DNSSEC, the new security protocol that has been strongly embraced by the US government.
The authors note that any attempts to redirect domains at the DNS level would be interpreted as precisely the kind of man-in-the-middle attack that DNSSEC was designed to prevent.
They also point out that working around these filters would be easy – changing user DNS server settings to an overseas provider would be a trivial matter.
PROTECT IP’s DNS filtering will be evaded through trivial and often automated changes through easily accessible and installed software plugins. Given this strong potential for evasion, the long-term benefits of using mandated DNS filtering to combat infringement seem modest at best.
If bootleggers start using dodgy DNS servers in order to find file-sharing sites, they put themselves at risk of other types of criminal activity, the paper warns.
If piracy sites start running their own DNS boxes and end users start subscribing to them, what’s to stop them pharming users by capturing their bank or Paypal traffic, for example?
The paper also expresses concern that a US move to legitimize filtering could cause other nations to follow suit, fragmenting the mostly universal internet.
If the Internet moves towards a world in which every country is picking and choosing which domains to resolve and which to filter, the ability of American technology innovators to offer products and services around the world will decrease.
This, incidentally, is pretty much the same argument used to push for the rejection of the .xxx top-level domain (which Crocker voted for).
VeriSign announced late yesterday that it has fully implemented DNSSEC in .com, meaning pretty much anyone with a .com domain name can now implement it too.
DNSSEC is a domain-crypto protocol mashup that allows web surfers, say, to trust that when they visit wellsfargo.com they really are looking at the bank’s web site.
It uses validatable cryptographic signatures to prevent cache poisoning attacks such as the Kaminsky Bug, the potential internet-killer that caused panic briefly back in 2008.
With .com now supporting the technology, DNSSEC is now available in over half of the world’s domains, due to the size of the .com zone. But registrants have to decide to use it.
I chatted to Matt Larson, VeriSign’s VP of DNS research, and Sean Leach, VP of technology, this afternoon, and they said that .com’s signing could be the tipping point for adoption.
“I feel based on talking to people that everybody has been waiting for .com,” Larson said. “It could open the floodgates.”
What we’re looking at now is a period of gradual adoption. I expect a handful of major companies will announce they’ve signed their .coms, probably in the second half of the year.
Just like a TLD launch, DNSSEC will probably need a few anchor tenants to raise the profile of the technology. Paypal, for example, said it plans to use the technology at an ICANN workshop in San Francisco last month, but that it will take about six months to test.
“Most people have their most valuable domains in the .com space,” said Leach. “We need some of the big guys to be first movers.”
There’s also the issue of ISPs. Not many support DNSSEC today. The industry has been talking up Comcast’s aggressive deployment vision for over a year now, but few others have announced plans.
And of course application developer support is needed. Judging from comments made by Mozilla representatives in San Francisco, browser makers, for example, are not exactly champing at the bit to natively support the technology.
You can, however, currently download plugins for Firefox that validate DNSSEC claims, such as this one.
According to Leach, many enterprises are currently demanding DNSSEC support when they buy new technology products. This could light a fire under reluctant developers.
But DNSSEC deployment will still be slow going, so registries are doing what they can to make it less of a cost/hassle for users.
Accredited registrars can currently use VeriSign’s cloud-based signing service for free on a trial basis, for example. The service is designed to remove the complexity of managing keys from the equation.
I’m told “several” registrars have signed up, but the only one I’m currently aware of is Go Daddy.
VeriSign and other registries are also offering managed DNSSEC as part of their managed DNS resolution enterprise offerings.
Neither of the VeriSign VPs was prepared to speculate about how many .com domains will be signed a year from now.
I have the option to turn on DNSSEC as part of a Go Daddy hosting package. I probably will, but only in the interests of research. As a domain consumer, I have to say the benefits haven’t really been sold to me yet.
Go Daddy has officially unveiled its Premium DNS service, which will enable its customers to buy and use managed DNSSEC services for the first time.
The price is $2.99 per month, which works out to $35.88 a year.
For the money, buyers also get a bunch of other tools, such as reports and audits, off-site DNS functionality and backup name servers.
There’s also a “Vanity Nameserver” option, which appears to let customers set their domain’s name servers to display as something like brand.domaincontrol.com, rather than ns1.domaincontrol.com.
It also appears that users of Go Daddy’s standard service will now be limited to 100 forwarded sub-domains, with Premium DNS users getting an unlimited number.
But the big deal as I see it is the addition of managed DNSSEC.
DNSSEC is a new security protocol that substantially mitigates the risk of falling prey to a DNS hijacking using, say, a cache poisoning attack.
Remember the Kaminsky Bug? DNSSEC prevents that kind of thing from happening again.
The problem with DNSSEC is that it’s massively complex and quite hard work to manage, requiring frequent key generation and rollover.
Go Daddy users can already manage their own DNSSEC records if they choose, but that’s only really an option if you’re a hard-core DNS geek.
Paying a few bucks a month to have somebody else manage it for you is an absolute bargain, if you care enough about your domain’s security.
I suggest that this could be a lucrative business for Go Daddy primarily because proponents of DNSSEC hope that one day it will be ubiquitous. Every domain will use it.
Go Daddy has over 45 million domains under management today. If customers representing only 1% of its domains choose to upgrade, that’s an extra $16 million into company coffers annually.
If they all do (which is not going to happen) we’re talking about a $1.6 billion business.
I don’t think the new service is going to lead to a massive uptick in the number of signed domains, but it will certainly get the ball rolling. For enterprises, it’s good value.
But individuals and large domain portfolio holders will not flock to return to 1999 .com prices just in order to implement a protocol they’ve been doing just fine without.
The future of broad DNSSEC adoption is more likely to be in open-source and freeware tools and services that can be easily understood by geeks and non-geeks alike.