An Authenticated Internet
Discussions around DNSSEC are so often focused on the root, the attacks, what DNSSEC does and doesn’t do and so on – and these are all valid and important points. But there is far less attention focused on the opportunities that will surface from an authenticated internet.
Before I jump into the opportunities, first let’s go through some DNS basics.
At the heart of the Internet’s web service is the domain naming system, referred to as the “DNS”. The domain naming system or DNS is like a phone book. Working with that analogy, let’s say you decide that you want to call “Lauren’s Lollipop Shop", but you don't know the number. You grab the phone book and, using the name, you get the phone number, and then you make the call.
The DNS works in much the same way. You know the name of website “lollipopshop.org", but you don't know the "number" (in computer-speak, this would be the IP address). When you type in www.lollipopshop.org, the phone book (the DNS) provides the lookup, and then your computer "dials the number" by going to the website. The current problem with the DNS is that when it looks up a “number” for you, a group of bad guys can insert a different phone number into the phone book, one which pretends to be “Lauren’s Lollipop Shop”. When the bad guys answer the phone you assume it's the lollipop shop and give your critical information, such as your credit card information, to order 10,000 lollipops.
DNSSEC is a security measure that can help mitigate this risk known as domain hijacking also known as man in the middle attacks. DNSSEC digitally signs answers to DNS lookups using public-key cryptography. With DNSSEC in place, the bad guys can’t lead you astray, because you won't be misdirected by them.
Now let’s ask ourselves, what opportunities can surface when DNSSEC is deployed industry wide? DNSSEC is becoming more of a reality now -- rather than a technical discussion which has been stuck in the mud for 15 years. We can now begin to think about new opportunities to build from a secure DNS, opportunities that build on the certainty that you have arrived at the correct website. Today, you can’t be sure. Will you be able to fully trust SSL and VPNs?
Today, they cannot be trusted with certainty. SSL and VPN are past the point - they check to make sure that the website is real once you've already gotten there. DNSSEC ensures you get to the right place. Let’s look at some opportunities for the technologies we use today:
- SSL There are standards for storing certificates in the DNS. With DNSSEC it would be possible to put these certificates in the DNS and to facilitate validating them by looking up other certificates in the certification path in the DNS. This could simplify maintenance of certificates from a user point of view since you would no longer need your local certificate cache, although it would place greater reliance on a robust and secure DNS.
- VPN It has long been noted that with DNSSEC it would be possible to setup VPN systems where encrypted tunnels could be setup as needed. Multiple options exist for storing the security parameters needed for a VPN to a site in the DNS at the domain name for the site. With DNSSEC a user could have high confidence in the security parameters and use them to setup an encrypted tunnel with the site.
- Email Forged email messages? DNSSEC can be used to authenticate email accounts. It can help each of the protocols that are using the DNS to support their efforts to add security to email by ensuring authentic information from the DNS is available to them. These include DKIM, SPF, and others. Email is probably the most common attack vector so by authenticating where the email came from makes this method of attack much more difficult. DNSSEC will make it possible to build email systems that confirm that email really is from the sender it purports to be from. Perhaps this will be another tool that developers will leverage in the mitigation of spam and email phishing attacks.
- VoIP Thinking outside the box here and in terms of ENUM, imagine if every VoIP user had a domain name. Using the DNS, one could lookup the phone number(s) of that user. With those phone number(s) one could lookup the IP address of the VoIP phone for that number. With DNSSEC each of these lookups would be guaranteed to be correct, and thus you would know you are contacting the person that you looked up. Of course there's more work to be done on the details of such a system, but you get the idea.
What are all the real world applications that can benefit?
Ideas that come to mind are: healthcare records online; trusted online financial transactions; more efficient ways to communicate and conduct commerce, government and social interactions. What new applications can be built with this new landscape? Are there cost savings on the horizon which would curtail our current mind-boggling spend on online security? What else?
Considering the enormous amounts of private and critical data that is kept online, you want to be 100% certain of who is at the “other end of the line” – or in between for that matter. Today you cannot be certain, but with DNSSEC, you can gain a better level of trust. Let’s now focus on the opportunities and the new wave of secure applications that can be built on an authenticated internet and a stronger more reliable DNS.