January 18, 2012, 4:33 PM — Will 2012 be the year when U.S. retailers, banks and content providers finally bolster their DNS systems with an add-on security measure that prevents Web site spoofing? That's what advocates of the security measure - dubbed DNSSEC for DNS Security Extensions - are hoping will occur.
Cybersecurity experts are urging IT departments to invest in DNSSEC now - before a high-profile attack occurs that could have been prevented by readily available DNSSEC-compliant appliances, software and services.
Already, the new year has brought one major DNSSEC announcement: Comcast said last week that it was the first ISP in North America to provide resolution services for DNSSEC queries.
At issue is whether the Comcast announcement will spark action by rival ISPs, Web site operators, enterprises and software developers to invest in readily available solutions to a gaping problem in the DNS.
"We're at the early stages of DNSSEC deployment," admits Matt Larson, vice president of DNS Research at Verisign, which operates the .com, .net and .gov domains that all support this emerging security standard. "DNSSEC is not on anybody's radar screen yet... There has not been a security event that people have seen that has spurred on adoption."
"We believe DNS security will become more important in the coming year," says Richard Jimmerson, director of the Internet Society's new online resource Deploy360 that provides practical information about deploying DNSSEC. "If you're serving up information on the Web, you want to make sure that your customer, client or visitor is getting what you intended. We see more examples of fraudulent commerce and hijacking of content. This is becoming much more of a problem."
What is DNSSEC?
DNSSEC solves what's called the Kaminsky vulnerability, a fundamental flaw in the DNS that was disclosed in 2008. This flaw makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing.
DNSSEC prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
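An added example, not part of the original article: a validating resolver of the kind Comcast announced reports a successful signature check by setting the AD (Authenticated Data) flag in its reply, and a reply that fails validation comes back as SERVFAIL. The Python code below classifies the text printed by `dig +dnssec`; the sample responses are constructed placeholders, and `classify` and its result labels are hypothetical names.

```python
import re

# Constructed sample output in the format printed by `dig +dnssec example.com A`.
# Names, addresses, key tag and signature data are placeholders, not real records.
SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  300 IN A     192.0.2.10
example.com.  300 IN RRSIG A 8 2 300 20120201000000 20120118000000 12345 example.com. PLACEHOLDERSIG=
"""
# Same signed answer, but relayed by a resolver that did not validate it.
SIGNED_NOT_VALIDATED = SIGNED_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")
# A zone that publishes no signatures at all.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  300 IN A     192.0.2.20
"""
# What a validating resolver returns when a signature check fails.
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def classify(dig_output):
    """Return 'validated', 'signed-unvalidated', 'unsigned' or 'servfail'."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    if not status or not flags:
        raise ValueError("header lines missing: not dig output")
    if status.group(1) == "SERVFAIL":
        # Can also mean an unreachable server; treat as "do not trust".
        return "servfail"
    if "ad" in flags.group(1).split():
        return "validated"
    # Record lines are "name TTL class type ..."; comment lines start with ';'.
    records = (l.split() for l in dig_output.splitlines()
               if l and not l.startswith(";"))
    if any(len(r) > 3 and r[3] == "RRSIG" for r in records):
        return "signed-unvalidated"
    return "unsigned"

if __name__ == "__main__":
    for sample in (SIGNED_VALIDATED, SIGNED_NOT_VALIDATED, UNSIGNED, SERVFAIL):
        print(classify(sample))
```

Only the `validated` result means the resolver checked the signatures; `signed-unvalidated` shows a signed zone whose answer reached the client unchecked, which leaves the client as exposed to a poisoned cache as it would be with an unsigned zone.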