DNSSEC deployment

May 21, 2009


I’ve done some work in the development of the DNSSEC protocol, which culminated (for me) in RFC 4641. At the time I was a big proponent of DNSSEC. I still think the DNS should be improved and I also believe DNSSEC is one of the best solutions. I’m however not as sure about this as I once was, for several reasons.

The first one is the development of the NSECn records.

I was always a believer in the cleanliness of the DNSSEC protocol. At the time we had a KEY, SIG and NXT record. Later we got the DS record to make it all work better and make a secure delegation operationally possible.

DNSSEC was already complicated, but it was still something you could explain in a day. It was also clear that huge zones like .com could not deploy DNSSEC. Frankly, because they were too flat and too big: signing such zones would lead to zone files larger than 10 GB – which in 2000 was huge.

I always thought, well no DNSSEC for .com then. There are lots of other (smaller) zones which can handle the increase in size very well. And why not create a separate TLD (say .secure) for DNSSEC deployment?

Sadly this is not what happened. We got the NSEC (next secure) record, which makes it possible to sign only pieces of a zone. This allows for a gradual deployment of DNSSEC signed zones in, say, .com. It took the WG three tries to get this right: from NSEC we went to NSEC2 and finally NSEC3. This also triggered all kinds of notification mechanisms, so a zone can signal to a resolver “You can expect NSEC3’s from me, be prepared!”. This is so not like the DNS we all love to hate.
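To make the NSEC/NSEC3 mechanism concrete, here is an added example that is not part of the original post and not NLnetLabs code. It builds an NSEC chain over a small constructed zone in canonical order (RFC 4034 section 6.1), builds the NSEC3 chain over the hashed owner names (RFC 5155 section 5), and looks up the record that covers a name that does not exist. The zone names, the salt and the iteration count are made up for illustration; the chain shows the size point from above too, since every owner name gets one extra record (plus its signature).

```python
"""Added example: NSEC and NSEC3 chains over a constructed zone (not real data)."""
import base64
import hashlib

# Constructed sample zone: every owner name in the zone (hypothetical names).
ZONE_NAMES = [
    "example.org.",          # apex
    "www.example.org.",
    "mail.example.org.",
    "ns1.example.org.",
    "a.www.example.org.",    # one level deeper, to show parent-before-child ordering
]


def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 section 6.1): compare labels
    from the right, case-insensitively; a parent sorts before its children because
    its reversed labels are a proper prefix of theirs."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def chain_from_sorted(ordered):
    """Link every name to the next one; the last record wraps around to the first."""
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def build_nsec_chain(names):
    """NSEC chain: one (owner, next) record per owner name, in canonical order."""
    return chain_from_sorted(sorted(set(names), key=canonical_key))


def covering_record(chain, key, query):
    """Return the (owner, next) record whose gap contains `query`, or None when
    `query` is itself an owner name (then no denial-of-existence proof applies)."""
    q = key(query)
    for owner, nxt in chain:
        o, n = key(owner), key(nxt)
        if o == q:
            return None
        if o < n and o < q < n:
            return (owner, nxt)
        if o > n and (q > o or q < n):   # the wrap-around record at the end of the chain
            return (owner, nxt)
    return None


def covering_nsec(chain, qname):
    """Find the NSEC record proving that `qname` does not exist in the zone.
    `qname` must be at or below the apex, which is the canonically smallest owner."""
    apex_key = min(canonical_key(owner) for owner, _ in chain)
    if canonical_key(qname)[:len(apex_key)] != apex_key:
        raise ValueError(f"{qname} is not within this zone")
    return covering_record(chain, canonical_key, qname)


# --- NSEC3: the same chain, but over hashed owner names (RFC 5155 section 5) ---

_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def base32hex(data):
    """Base32 with the 'extended hex' alphabet, unpadded and lowercase, as NSEC3 owner names use it."""
    return base64.b32encode(data).decode("ascii").translate(_TO_HEX).rstrip("=").lower()


def to_wire(name):
    """Uncompressed, lowercase wire-format name: length-prefixed labels, zero-terminated."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt); H is SHA-1."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_nsec3_chain(names, salt=b"", iterations=0):
    """NSEC3 chain: owner names are replaced by their hashes and sorted as strings,
    which equals sorting the raw digests because the base32hex alphabet preserves order."""
    return chain_from_sorted(sorted({nsec3_hash(n, salt, iterations) for n in names}))


def covering_nsec3(chain, qname, salt=b"", iterations=0):
    """Find the NSEC3 record whose hash gap contains H(qname)."""
    return covering_record(chain, lambda h: h, nsec3_hash(qname, salt, iterations))


if __name__ == "__main__":
    nsec = build_nsec_chain(ZONE_NAMES)
    for owner, nxt in nsec:
        print(f"{owner:24} NSEC  {nxt}")
    print("covers nonexistent.example.org.:", covering_nsec(nsec, "nonexistent.example.org."))
    salt = bytes.fromhex("aabbccdd")            # constructed salt and iteration count
    nsec3 = build_nsec3_chain(ZONE_NAMES, salt, 12)
    for owner, nxt in nsec3:
        print(f"{owner}.example.org. NSEC3 1 0 12 aabbccdd {nxt}")
    print("covers nonexistent.example.org.:", covering_nsec3(nsec3, "nonexistent.example.org.", salt, 12))
```

Two things to notice: the NSEC chain leaks every owner name in the zone, because the covering record for a non-existent name spells out its two real neighbours, while the NSEC3 chain only reveals their hashes; and the lookup logic is the same for both, which is why a validator can reuse one routine once the owner names have been hashed. For checking a hash implementation against known values, RFC 5155 Appendix A lists reference hashes for the `example.` zone.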

This made an already complicated protocol even more complicated.

In my opinion this all went into the protocol because one (1!) zone could not deploy DNSSEC.

The NSECn movement also led to some other issues, which made the WG decide to roll over the type codes of the DNSSEC records. From KEY, SIG, and NXT we went to DNSKEY, RRSIG and NSEC3. This wasn’t such a bad thing, but it gave ammunition to people saying “DNSSEC is still not ready”.

The other major thing that happened was that real cryptographers came in. I do have a background in math (I studied computer science), but I’m not a cryptographer in any sense of the word. Keep in mind though that the current DNS is very trivial to hack, and lots of other attacks are possible too. I would even go as far as to say: it is dangerous to use the DNS as it stands right now. For the record, the insecurity of the DNS was discovered in 1995 by Steven M. Bellovin.

The only finished solution for protecting the DNS is DNSSEC. By protecting I mean detecting that something is amiss: DNSSEC does not prevent anything, it only helps to detect attacks.

Then came the crypto guys…

I would say: “Aah, just use a 1024-bit RSA key and you will be fine.” They would say: “Yes, but such keys can be broken in 2 years - you will not be safe!” They do have a point: no security at all is sometimes better than thinking you have security while you do not. But this is the freaking DNS we are talking about; if something goes wrong with DNSSEC security you just fall back to the good old DNS we have now (i.e. no security at all).

But it is hard to reason with people who do cryptography for a living. I got the distinct impression that everything related to DNSSEC had to be 100% cryptographically secure.

This made an already complicated protocol even more complicated.

So here we are in 2009. Some countries have deployed DNSSEC, and we are finally seeing some client software emerging so that people can actually benefit from DNSSEC. (Server-side DNSSEC sounds nice, but it does not give the end-user any security.) It has taken at least 5 years longer than any of us expected at the time. And remember that a lot of governments are now pushing DNSSEC, so it still is not a pull from the market.

It also remains to be seen whether the administrative complexities of the protocol outweigh the security benefits it gives. Also, there have not been any attacks (as far as I know) on the DNSSEC-enabled zones, and no private keys have been stolen.

Once something like that happens I see two outcomes. One: the DNSSEC and TLD registry communities handle it brilliantly and it becomes a triumph for DNSSEC. Or, two: DNSSEC dies on the spot.

During my time at NLnetLabs I created a timeline, which among other things has the following quote from The Matrix:

We have only bits and pieces of information. What we know for certain is that, at some point in the early Twenty-first Century, all of mankind was united in celebration. Through the blinding inebriation of hubris, we marveled at our magnificence as we gave birth to A.I. DNSSEC.

– Morpheus, The Matrix

I’m glad that .nl has decided to give DNSSEC a chance.