In light of the recent DNS hijacking attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) is urging domain owners and DNS services to implement DNSSEC post-haste.
“Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected,” the organization noted.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a set of security protocols that add security to the fundamentally vulnerable Domain Name System (DNS).
DNSSEC adds cryptographic signatures to existing domain DNS records, to assure their validity and make it impossible for attackers to modify DNS entries, i.e., replace the addresses of intended servers with addresses of machines controlled by them.
DNSSEC can also make sure that communications between applications and organizations via SSL and VPN are trustworthy.
But even though DNSSEC has been available for over two decades, various obstacles have resulted in limited deployment (under 20% worldwide).
Why is it important?
“ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called ‘man in the middle’ attacks where a user is unknowingly re-directed to a potentially malicious site,” the organization explained.
ICANN’s appeal comes in the wake of the most recent attacks against key parts of the DNS infrastructure, some of which took the form of MitM intercepts.
“As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability,” the organization noted.
They are also asking all members of the domain name system ecosystem to work together to produce better tools and policies to secure the DNS and other critical operations of the Internet.