Emtec Adviser - Antidote for DNS Cache Poisoning

Given the Internet’s pervasive role in daily life, finding viable solutions to cybercrime is imperative. Many security experts consider the Domain Name System Security Extensions (DNSSEC) to be an essential tool in “sealing” vulnerabilities in the Domain Name System (DNS).

The DNS is where all Internet addresses are stored. When a user types a URL into a browser, a DNS resolver queries the Internet for the IP address behind that URL's host name, generally accepting the first response it receives. In addition to sending the user to that site, the resolver caches that information for a period of time, so that the site is delivered immediately on the next request. This system works seamlessly up to a trillion times each day — unless a cybercriminal intercepts the process.

DNSSEC effectively foils attackers’ attempts to direct users to malicious sites through an automated trust infrastructure using public key cryptography. By applying digital signatures to DNS data, DNSSEC enables systems to authenticate the origin of DNS information and verify its integrity as it moves across the Internet. DNS resolvers can verify that data originated from authoritative sources, and that responses are not modified in flight.

Foiling Attacks

DNSSEC does not ensure confidentiality of data or protect against denial of service or other types of attacks. However, it will eventually allow Internet users to know with certainty that they have been directed to the Web site they intended to reach. Specifically, DNSSEC protects against DNS cache poisoning and man-in-the-middle attacks.

DNS cache poisoning occurs when a malicious system answers a DNS query first with false information, so the user is sent to the attacker's address and the resolver caches the fake answer. If the request came from a service provider's resolver, thousands of people can be affected as the false information is handed on to the provider's customers.
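The two mechanisms described above (a resolver that trusts whichever answer arrives first, and a DNSSEC validator that instead checks a signature over the record set against a trust anchor) can be shown side by side in a small simulation. The following Go program is an added example written for this article, not code from Emtec, ICANN or any DNS implementation. It assumes a deliberately simplified record model: the `RRset`, `Response` and `Signer` types, the `Canonical()` encoding, and the `Scenario()` data (the constructed names `www.example.com.` and the documentation addresses 192.0.2.10, 198.51.100.66 and 203.0.113.5) are all illustrative, and Ed25519 stands in for whichever DNSSEC algorithm a real zone uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set: owner name, record type and
// the record data (for A records, IPv4 addresses as dotted strings).
type RRset struct {
	Name string
	Type string
	Data []string
}

// Canonical returns a deterministic encoding of the RRset. DNSSEC signs a
// canonical form (lower-cased owner name, RDATA in sorted order) so signer and
// validator hash exactly the same bytes regardless of wire-level ordering.
func (r RRset) Canonical() []byte {
	data := append([]string(nil), r.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(data, ","))
}

// Response is what a resolver receives: an answer RRset plus, for a signed
// zone, a signature over its canonical form (the role an RRSIG record plays).
type Response struct {
	Answer RRset
	Sig    []byte
}

// Signer holds a zone's key pair. The public half is what a validator learns
// through the chain of trust; the private half stays with the zone operator.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair (illustrative; real zones manage KSK/ZSK).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign produces a signed response for an RRset.
func (s *Signer) Sign(rr RRset) Response {
	return Response{Answer: rr, Sig: ed25519.Sign(s.priv, rr.Canonical())}
}

// FirstAnswerWins models a resolver without DNSSEC: it caches whichever
// well-formed response reaches it first, which is the behaviour a cache
// poisoning attempt races to exploit.
func FirstAnswerWins(responses []Response) (RRset, error) {
	if len(responses) == 0 {
		return RRset{}, errors.New("no response received")
	}
	return responses[0].Answer, nil
}

// Validate models a DNSSEC-validating resolver holding the zone's public key
// as a trust anchor. A response is usable only if its signature verifies
// against that key; arrival order no longer decides what gets cached.
func Validate(anchor ed25519.PublicKey, responses []Response) (RRset, error) {
	for _, r := range responses {
		if ed25519.Verify(anchor, r.Answer.Canonical(), r.Sig) {
			return r.Answer, nil
		}
	}
	return RRset{}, errors.New("no response carried a valid signature; answer is bogus")
}

// Scenario builds constructed sample traffic: the zone signs
// www.example.com -> 192.0.2.10; a forged answer signed with the attacker's own
// key arrives first; a copy of the genuine answer is altered in transit; the
// genuine answer arrives last. It returns the trust anchor and the responses
// in arrival order.
func Scenario() (ed25519.PublicKey, []Response, error) {
	zone, err := NewSigner()
	if err != nil {
		return nil, nil, err
	}
	attacker, err := NewSigner()
	if err != nil {
		return nil, nil, err
	}
	genuine := zone.Sign(RRset{Name: "www.example.com.", Type: "A", Data: []string{"192.0.2.10"}})
	forged := attacker.Sign(RRset{Name: "www.example.com.", Type: "A", Data: []string{"198.51.100.66"}})
	tampered := genuine
	tampered.Answer.Data = []string{"203.0.113.5"} // keeps the real signature, so it no longer matches
	return zone.Pub, []Response{forged, tampered, genuine}, nil
}

func main() {
	anchor, responses, err := Scenario()
	if err != nil {
		panic(err)
	}
	plain, _ := FirstAnswerWins(responses)
	fmt.Println("plain resolver caches:     ", plain.Data)
	validated, err := Validate(anchor, responses)
	fmt.Println("validating resolver caches:", validated.Data, err)
}
```

Run as written, the plain resolver caches the forged 198.51.100.66 because it arrived first, while the validating resolver discards both the forged answer (wrong key) and the tampered one (data no longer matches the signature) and caches the genuine 192.0.2.10. Note what the validator does not do: it does not hide the data and does not stop the flood of bogus responses from arriving, which is the limitation the next section describes.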

In a man-in-the-middle attack, a criminal intercepts one-to-one communications then continues to communicate with the second party while masquerading as the first. For instance, a criminal could divert an online communication from a customer to a bank and then, pretending to be the customer, use the information to empty the victim’s bank account.

“DNSSEC is not a silver bullet to stop every cyber crime. But it will have a real and positive impact on the security of the Internet. This is one important step forward in the fight against cybercrime,” said Rod Beckstrom, president and CEO of the Internet Corporation for Assigned Names and Numbers (ICANN).

Slow Uptake

Because DNSSEC establishes trust through authentication, its effectiveness depends to some degree upon widespread adoption. In 2008, the Office of Management and Budget stated that the federal government would deploy DNSSEC to the .gov top-level domain (TLD) by January 2009, and mandated that all federal agencies deploy DNSSEC in their information systems by December 31, 2009. More than 50 TLDs for specific countries have also been DNSSEC-signed.

ICANN, Verisign and the U.S. Department of Commerce “signed the root zone” (the highest level in the DNS hierarchy) in July 2010, and the .edu, .org and .net TLDs became DNSSEC operational in 2010. The .com TLD is scheduled to be signed this year.

However, progress has been slower farther down the chain. A June 2010 Forrester Research report sponsored by Verisign found that there remain technical concerns, including how organizations will sign their DNS data and manage the public/private keys. DNSSEC creates larger DNS packets that some older networking equipment cannot accommodate. Then there's the learning curve — a November 2010 survey by IDG Research found that only 50 percent of security and technology professionals were even familiar with DNSSEC.

“DNSSEC adoption has been hampered by concerns over the operational complexity with provisioning encryption keys and the processing overhead required to sign DNS information,” said Jon Oltsik, senior analyst at Enterprise Strategy Group. “Additionally, customers haven’t had a seamless DNSSEC architecture option for global server load balancing and standard DNS, so they’ve had to choose between either deploying reliable intelligent DNS systems or securing their DNS infrastructure with DNSSEC.”
