Open source project aims to make secure DNS easier

The open source software makes signing and key management simpler for implementing DNSSEC

A group of developers has released open source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.

The software, called OpenDNSSEC, automates many tasks associated with implementing DNSSEC (Domain Name System Security Extensions), which is a set a set of protocols that allows DNS (Domain Name System) records to carry a digital signature, said John A. Dickinson, a DNS consultant working on the project.

[ Keep up on the latest networking news with our Technology: Networking newsletter. ]

DNS records allow Web sites to be translated from a name into an IP address, which can be queried by a computer. But the DNS has several flaws dating from its original design that are being increasingly targeted by hackers.

By tampering with a DNS server, it's possible for a user to type in the correct Web site name but be directed to a fraudulent site, a type of attack called cache poisoning. That's one of many concerns that is driving a movement for ISPs and other entities running DNS servers to use DNSSEC.

With DNSSEC, DNS records are cryptographically signed, and those signatures are verified to ensure the information is accurate. Adoption of DNSSEC, however, has been held back by both the complexity of implementation and a lack of simpler tools, Dickinson said.

To sign DNS records, DNSSEC uses public key cryptography, where signatures are created using a public and private key and implemented on a zone level. Part of the problem is management of those keys, since they must be refreshed periodically to maintain a high level of security, Dickinson said. A mistake in managing those keys could cause major problems, which is one of the challenges for administrators.

OpenDNSSEC allows administrators to create policies and then automate managing the keys and signing the records, Dickinson said. The process now involves more manual intervention, which increases the chance for errors.

OpenDNSSEC "takes care of making sure that zone stays signed properly and correctly according to the policy on a permanent basis," Dickinson said. "All of that is completely automated so that the administrator can concentrate on doing DNS and let the security work in the background."

The software also has a key storage feature that lets administrators keep keys in either a hardware or security software module, an additional layer of protection that ensure keys don't end up in the wrong hands, Dickinson said.

The OpenDNSSEC software is available for download, although it is being offered as a technology preview and shouldn't be used yet in production, Dickinson said. Developers will gather feedback on the tool and release improved versions in the near future.

As of earlier this year, most top-level domains, such as those ending in ".com," were not cryptographically signed, and neither were those in the DNS root zone, the master list of where computers can go to look up an address in a particular domain. VeriSign, which is the registry for ".com," said in February it will implement DNSSEC across top-level domains including .com by 2011.

Other organizations are also moving toward using DNSSEC. The U.S. government has committed to using DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr), and Bulgaria (.bg), are also using DNSSEC.