Domain registrars lagging behind over DNSSEC security
DNS traffic still open to hacker hijacks
By Carolyn Duffy Marsan | Network World US | Published: 12:40, 24 March 2010
The leading domain name registrars in the United States appear to be dragging their feet on the deployment of DNS Security Extensions, an emerging standard that prevents an insidious type of hacking attack where network traffic is redirected from a legitimate website to a fake one without the website operator or user knowing.
DNSSEC prevents cache poisoning attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Cache poisoning attacks are possible because of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
In order for website operators and end users to benefit from DNSSEC, the standard must be supported at every level of the DNS heirarchy.
Related Articles on Techworld
At the top of this hierarchy, the DNS root servers will support DNSSEC on July 1.
Next are the registries that operate the backend servers for the various top-level domains. The registries have announced rolling deadlines for their DNSSEC deployments: .org and .edu in June; .net in December; and .com by March 2011. However, none of the top 10 domain name registrars in the United States has committed to a deadline for deploying DNSSEC.
"It's sad that the registrars are not keeping up with the registries in their deployment schedules for DNSSEC," says Paul Hoffman, director of the VPN Consortium and an active participant in DNSSEC standards development at the Internet Engineering Task Force. "If my registrar can't tell me when they will support DNSSEC, then I can't do the planning I need to do to upgrade my DNS software."
US corporations, such as banks and e-retailers, won't be able to deploy the extra layer of security provided by DNSSEC until their registrars offer it as a service.
"It is a roadblock," Hoffman says. "If my registrar doesn't know how do to DNSSEC, I have to change registrars… Whichever registrar announces first is going to see people switching to them."
Of the 10 largest domain name registrars in the United States, only four responded to queries about the status of their DNSSEC deployments. None of these registrars would commit to a deadline for when they will support this new security mechanism.
