DNSSEC – What Is It and Why Is It Important?

To reach the services, products and information that companies and individuals offer on the Internet, you need that entity's or individual's unique domain name. On the Internet you type an address into your computer, either a name or a number. When you type a name, a system must first translate that name into a number before the connection can be established. That system is the Domain Name System (DNS), and it translates names like www.icann.org into numbers called Internet Protocol (IP) addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for ensuring that these identifiers are unique across the world. Without that coordination, one global Internet cannot exist.

The DNS translates domain names that humans can remember into the numbers computers use to find a destination (a little like a phone book is used to look up a phone number). It does this in stages. The first place it ‘looks’ is the top level of the directory service, the “root zone”. Using www.nira.org.ng as an example, your computer ‘asks’ the root zone directory (or top level) “.” where to find information on “.ng”. After it gets a response, it asks the “.ng” directory service identified by the root where to find information on “.org.ng” (the second level). At the third level it looks for nira.org.ng, and finally it asks the nira.org.ng directory service identified by “.ng” what the address for www.nira.org.ng is. This process is very fast and appears almost instantaneous: the full address is provided to your computer.

Recently discovered vulnerabilities in the DNS, combined with other technological advances, have greatly reduced the time it takes an attacker to hijack any of the steps in the DNS lookup process and thereby take control of a lookup session to, for example, direct users to deceptive websites that steal account and password information. This is what made it necessary to “digitally sign” the root zone. The effective long-term solution to this vulnerability is the end-to-end deployment of a security protocol called DNS Security Extensions, or DNSSEC.

DNSSEC is a technology developed to, among other things, protect against hijacks and other attacks by digitally ‘signing’ data so you can be assured it is valid. However, to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup, from the root zone to the final domain name (e.g., www.nira.org.ng). Signing the root (deploying DNSSEC on the root zone) is a necessary step in that overall process. Importantly, DNSSEC does not encrypt data; it simply attests to the validity of the address of the site being visited.
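To make the two points above concrete (the staged lookup from the root down to nira.org.ng, and DNSSEC attesting to answers without encrypting them), here is an added example that is not ICANN's or NIRA's code. It models a validating resolver walking root → ng → org.ng → nira.org.ng over constructed zone data. Every zone name, address and key in it is constructed, and the signature scheme is textbook RSA on small primes so it runs offline with only the standard library; real DNSSEC uses DNSKEY, DS and RRSIG records with standard algorithms, and the hash of the whole child key published as a DS record here is a simplification of the real KSK/ZSK arrangement. It goes slightly beyond the text by showing two ways a hijacked step is caught: an answer altered in transit, and a zone re-signed with a key the parent never vouched for.

```python
"""Toy DNSSEC-style chain of trust over an iterative lookup (added example)."""
import copy
import hashlib
import math


class ValidationError(Exception):
    """Raised when a signature or DS record does not check out."""


# --- toy signature scheme: textbook RSA on small primes, NOT for real use ---
def next_prime(n):
    while not (n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n


def make_key(seed):
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def rdata(owner, rtype, value):
    # Canonical bytes that get signed. The value itself stays in the clear:
    # DNSSEC attests to the answer, it does not hide it.
    return f"{owner} {rtype} {value}".encode()


class Zone:
    def __init__(self, name, key_seed):
        self.name = name
        self.key = make_key(key_seed)
        self.records = {}  # (owner, rtype) -> plaintext value
        self.sigs = {}     # (owner, rtype) -> signature by this zone's key

    def pubkey(self):
        return {"n": self.key["n"], "e": self.key["e"]}

    def pubkey_bytes(self):
        return f"{self.key['n']}:{self.key['e']}".encode()

    def add(self, owner, rtype, value):
        self.records[(owner, rtype)] = value
        self.sigs[(owner, rtype)] = sign(self.key, rdata(owner, rtype, value))

    def delegate(self, child):
        # Parent publishes a DS record: a hash of the child's public key.
        self.add(child.name, "DS", hashlib.sha256(child.pubkey_bytes()).hexdigest())


def build_zones():
    # All zone data below is constructed for this example.
    root, ng = Zone(".", 1_000_000), Zone("ng", 2_000_000)
    org_ng, nira = Zone("org.ng", 3_000_000), Zone("nira.org.ng", 4_000_000)
    nira.add("www.nira.org.ng", "A", "203.0.113.10")  # documentation-range address
    org_ng.delegate(nira)
    ng.delegate(org_ng)
    root.delegate(ng)
    return {z.name: z for z in (root, ng, org_ng, nira)}


def fetch(zone, owner, rtype, trusted_key):
    value = zone.records[(owner, rtype)]
    if not verify(trusted_key, rdata(owner, rtype, value), zone.sigs[(owner, rtype)]):
        raise ValidationError(f"bad signature on {owner} {rtype} in zone {zone.name}")
    return value


def resolve(qname, zones, trust_anchor):
    """Walk root -> ng -> org.ng -> nira.org.ng, validating every step."""
    labels = qname.split(".")
    path = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, 0, -1)]
    trusted = trust_anchor  # only the root key is trusted up front
    for parent, child in zip(path, path[1:]):
        ds = fetch(zones[parent], child, "DS", trusted)  # signed by the parent
        child_zone = zones[child]
        if hashlib.sha256(child_zone.pubkey_bytes()).hexdigest() != ds:
            raise ValidationError(f"DS record does not match key of {child}")
        trusted = child_zone.pubkey()  # trust moves one level down
    return fetch(zones[path[-1]], qname, "A", trusted)


ZONES = build_zones()
TRUST_ANCHOR = ZONES["."].pubkey()


def lookup_is_rejected(mutate):
    """Apply a change to a copy of the zones; True if the resolver refuses the answer."""
    zones = copy.deepcopy(ZONES)
    mutate(zones)
    try:
        resolve("www.nira.org.ng", zones, TRUST_ANCHOR)
    except ValidationError:
        return True
    return False


def forged_answer(zones):
    # Answer altered in transit: the stored signature no longer matches.
    zones["nira.org.ng"].records[("www.nira.org.ng", "A")] = "198.51.100.99"


def forged_zone(zones):
    # Zone re-signed with a key the parent never published a DS record for.
    rogue = Zone("nira.org.ng", 5_000_000)
    rogue.add("www.nira.org.ng", "A", "198.51.100.99")
    zones["nira.org.ng"] = rogue


if __name__ == "__main__":
    print(resolve("www.nira.org.ng", ZONES, TRUST_ANCHOR))  # 203.0.113.10
    print(lookup_is_rejected(forged_answer), lookup_is_rejected(forged_zone))  # True True
```

The untouched lookup validates end to end because each zone's key is vouched for by the zone above it, back to the root trust anchor; both altered variants are refused, one on the record signature and one on the DS check. Note that `records` holds the address in plain text throughout, which is the "attested, not encrypted" property the article describes.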

Full deployment of DNSSEC will ensure that the end user is connecting to the actual website or other service corresponding to a particular domain name. Although this will not solve all the security problems currently existing on the Internet, it does protect a critical part of the Internet, the directory lookup, complementing other technologies such as SSL (https:) that protect the “conversation”, and it provides a platform for security improvements yet to be developed.
