Although DNSSEC has been in the works for over a decade now, until recently there has been little motivation to begin working on a widescale deployment. Of course, after Dan Kaminsky’s announcement this past summer there is now a scramble to increase the security of the domain name system.
Earlier this year the U.S. Government issued an order for the .gov domain to be signed by January 2009. Furthermore, all subdomains of .gov are required to be compliant by December 2009. According to IETF participants the first goal has been met, and the .gov domain is already signed ahead of the deadline. There are also immediate plans to sign the .mil domains used by the U.S. Military.
The directive by the U.S. Government was the first major push for DNSSEC deployment and it has spurred action by other big players in the DNS world. Recently several major DNS vendors announced they had formed the DNSSEC Industry Coalition to help facilitate DNSSEC deployment. The member venders are VeriSign, The Public Internet Registry, Nominet UK, Afilias, NeuStar, The Foundation for Internet Infrastructure, and Educause.
In October the U.S. National Telecommunications and Information Agency (NTIA) issued a Notice of Inquiry asking for feedback regarding the deployment of DNSSEC. The responses were overwhelmingly in favor of a quick and widespread DNSSEC deployment, which is not surprising considering a large number of the respondants represent organizations who stand to profit from such a rushed deployment.
However, not everyone is convinced that DNSSEC is the best solution at this time. Until the root servers are signed there is no way to authenticate the DNS session and verify the integrity of the entire response. This is part of the reason that the IETF has yet to decide on an immediate solution to the problems raised by the bug Kaminsky found. Paul Hoffman put it simply (PDF):
“Let’s say the root is signed tomorrow. Let’s say all the important top-level domains are signed. It’s still no good unless all of the domains are signed. You can’t just deploy DNSSEC. You have to deploy it universally.”
This is the heart of the “chicken and egg” problem that DNSSEC advocates have struggled to fight for years. Until it is deployed everywhere, DNSSEC isn’t really 100% effective. And no one wants to deploy a solution that isn’t 100% effective, especially when it comes to an issue of security. As of December 20, 2008, DNSSEC has yet to be deployed to even 15,000 domains.
No matter what route the Internet community decides to take to secure the DNS, we still have a very long road ahead of us.