- by David Goldstein -
Each and every one of the current 1,195 generic top-level domains (gTLDs) that have been delegated has now deployed Domain Name System Security Extensions (DNSSEC), giving greater protection for internet users. The last gTLD to deploy DNSSEC by signing its zone was .aero in December 2020.
Internet users themselves do not need to do anything. DNSSEC is a security extension deployed by top-level domain registries, and once a registry has signed its zone, domain name registrants beneath it can digitally sign the information they put into the Domain Name System (DNS) and have the chain of trust extend down to their domains. Resolvers that validate those signatures can then detect DNS data that has been corrupted, either accidentally or maliciously, and discard it rather than pass it on to the user.
This particular announcement only relates to gTLDs (those domain name endings that have 3 or more characters) as all gTLD registry operators sign an agreement with ICANN, whereas the operators of country code top-level domains (ccTLDs), the two-letter domain endings, have different agreements with their national governments as well as ICANN. For ccTLDs, the Internet Society notes that as of September 2020 there were 86 that had fully deployed DNSSEC, another 54 were on their way to full deployment, 4 had announced they will be and 5 were experimental. There are currently over 250 ccTLDs worldwide.
DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the DNS as used on Internet Protocol (IP) networks. It is a set of extensions to the DNS that give DNS clients (resolvers) cryptographic authentication of DNS data, authenticated denial of existence (a signed proof that a name does not exist), and data integrity, but not availability or confidentiality: signed DNS data is still sent in the clear.
While DNSSEC is not the only means of protecting internet users and domain name registrants, it provides one tier of defence in depth for the internet. To improve the security of the internet, DNSSEC must be widely deployed across all TLDs.
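The three properties listed above can be seen in a small model of what a signed zone and a validating resolver do. The following Go program is an added example, not code from this article, from ICANN or from any DNS software: zone names (the root, the TLD "example.", which is reserved for documentation, and "site.example.") and addresses are constructed; a single Ed25519 key per zone (DNSSEC algorithm 15) stands in for the separate key-signing and zone-signing keys a real registry operates; the string-based canonical form and plain string ordering for NSEC are simplifications of the RFC 4034/4035 wire formats. The names `Zone`, `Link`, `Validate` and `DeniedByNSEC` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is one owner name and record type with its records: the unit DNSSEC signs.
type RRset struct {
	Owner string
	Type  string
	Data  []string
}

// canonical gives signer and validator identical bytes however a resolver ordered
// or cased the records (a simplified stand-in for RFC 4034 canonical form).
func canonical(rr RRset) []byte {
	d := append([]string(nil), rr.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(d, "\n"))
}

// Zone is a signed zone; one Ed25519 key stands in for the KSK/ZSK pair (simplification).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Sign plays the role of an RRSIG record: a signature over the canonical RRset.
func (z *Zone) Sign(rr RRset) []byte { return ed25519.Sign(z.priv, canonical(rr)) }

// dsRecord models a DS record: the parent publishes a hash of the child's key, which
// the parent then signs with its own key; that is what links one zone's trust to the next.
func dsRecord(name string, key ed25519.PublicKey) RRset {
	sum := sha256.Sum256(append([]byte(strings.ToLower(name)+"|"), key...))
	return RRset{Owner: name, Type: "DS", Data: []string{hex.EncodeToString(sum[:])}}
}

// Link is one delegation step: a zone's public key plus the parent's DS signature.
type Link struct {
	Name  string
	Key   ed25519.PublicKey
	DSSig []byte
}

// Validate does what a validating resolver does: start from the configured trust anchor
// (the root key), verify each DS down the chain, then verify the answer with the final
// zone key. A single altered byte in the data or in the chain fails.
func Validate(anchor ed25519.PublicKey, chain []Link, rr RRset, sig []byte) error {
	parent := anchor
	for _, l := range chain {
		if !ed25519.Verify(parent, canonical(dsRecord(l.Name, l.Key)), l.DSSig) {
			return fmt.Errorf("DS for %s is not signed by its parent: bogus chain", l.Name)
		}
		parent = l.Key
	}
	if !ed25519.Verify(parent, canonical(rr), sig) {
		return fmt.Errorf("RRSIG for %s does not verify: data modified or unknown key", rr.Owner)
	}
	return nil
}

// DeniedByNSEC models authenticated denial of existence: a signed NSEC record asserts that
// no name sorts between its owner and the next name. It must validate like any other RRset.
func DeniedByNSEC(anchor ed25519.PublicKey, chain []Link, nsec RRset, sig []byte, qname string) bool {
	if nsec.Type != "NSEC" || len(nsec.Data) != 1 || Validate(anchor, chain, nsec, sig) != nil {
		return false
	}
	q, lo, hi := strings.ToLower(qname), strings.ToLower(nsec.Owner), strings.ToLower(nsec.Data[0])
	return lo < q && q < hi
}

func main() {
	// Constructed zones: the root, the documentation TLD "example." and a site beneath it.
	root, tld, site := NewZone("."), NewZone("example."), NewZone("site.example.")
	chain := []Link{
		{Name: tld.Name, Key: tld.Pub, DSSig: root.Sign(dsRecord(tld.Name, tld.Pub))},
		{Name: site.Name, Key: site.Pub, DSSig: tld.Sign(dsRecord(site.Name, site.Pub))},
	}
	a := RRset{Owner: "www.site.example.", Type: "A", Data: []string{"192.0.2.10"}}
	sig := site.Sign(a)
	fmt.Println("genuine answer:", Validate(root.Pub, chain, a, sig))
	// A cache-poisoning attempt: same name and RRSIG, substituted address.
	poisoned := RRset{Owner: a.Owner, Type: a.Type, Data: []string{"198.51.100.9"}}
	fmt.Println("poisoned answer:", Validate(root.Pub, chain, poisoned, sig))
	nsec := RRset{Owner: "www.site.example.", Type: "NSEC", Data: []string{"zzz.site.example."}}
	fmt.Println("xyz.site.example. proven absent:", DeniedByNSEC(root.Pub, chain, nsec, site.Sign(nsec), "xyz.site.example."))
}
```

Run it with `go run`. The genuine answer validates, the substituted address fails even though it carries the original signature, and the NSEC record proves the absence of a name without the server having to sign a response for every possible non-existent name. Nothing here hides the records: an on-path observer still reads every RRset, which is the sense in which DNSSEC offers integrity and authentication but not confidentiality. A real validating resolver behaves like `Validate` and returns SERVFAIL to the client instead of the forged data.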
"This is important news because it means that more users everywhere can have increased trust in the responses to DNS lookups," said David Conrad, Senior Vice President and Chief Technology Officer (CTO) at ICANN, in announcing the deployment across all gTLDs. "As DNSSEC deployment grows, the DNS can also become a foundation for other protocols that require a way to store data securely."
Security protection such as DNSSEC is needed because, when the DNS was designed, security, and indeed the eventual size and importance of the DNS, was never countenanced. There was no built-in confidentiality or authentication, and no mechanism to assure a resolver that an answer it received was legitimate and actually corresponded to the question it asked: a query for a domain name could be answered by anyone able to get a plausible-looking response to the resolver first.
The weaknesses were identified around 1990, but little was done until 2008, when internet security researcher Dan Kaminsky, who died aged 42 in April 2021, found a serious design shortcoming in the DNS protocol: a resolver would accept a forged answer as long as its 16-bit transaction ID matched the outstanding query, and by triggering many queries for random non-existent names an attacker could guess that ID in seconds. This allowed attackers to launch cache poisoning attacks against the lookup side of the DNS (recursive resolvers) and prompted renewed efforts by the DNS technical community to get DNSSEC deployed, and in particular to get the root of the DNS signed, since an attacker without a zone's private key cannot produce a valid signature no matter how many guesses are made. As the New York Times noted in their obituary for Kaminsky, "if you are reading this obituary online, you owe your digital safety to him." Likewise for this article and anything else online.
Two years later, in July 2010, the root zone was signed for the first time by ICANN, and in October 2018 the root zone's key signing key (KSK) was rolled over for the first time, a significant milestone for DNSSEC. A series of international DNS hijacking campaigns in 2018 and 2019 then led to the first-ever Emergency Directive (ED 19-01, January 2019) from the United States Cybersecurity and Infrastructure Security Agency (CISA), which required federal agencies to audit their DNS records, change the passwords on DNS accounts and add multi-factor authentication, and prompted ICANN to renew its call for all DNS stakeholders to fully deploy DNSSEC. DNSSEC is one layer of that defence: it lets validating resolvers reject answers an attacker cannot sign, but it does not stop an attacker holding stolen registrar or registry credentials from changing a zone's records at the source, which is why the directive also stressed account hygiene.
Going forward, ICANN will continue to encourage those ccTLDs that have not yet DNSSEC-signed their zones to do so, and will encourage operators of DNS resolvers to enable DNSSEC validation, since a signed zone protects a user only if the resolver answering that user's queries actually checks the signatures and refuses to return data that fails validation.