Domain Name System Security Extension Technology - Term Paper Example

? Domain System Security Extension (DNSSEC) Technology Domain System Security Extension (DNSSEC) technology Introduction The world has experienced rapid technological advancements over the last few decades. Rogers (2003) observed that the technological advancement has resulted in the emergence of the Internet, which has changed the way people interact both at the private and business levels. The Internet’s several application and communication services have become exceedingly crucial in the present world. Statistics show that the Internet usage has more than doubled over the last five years. However, research indicates that a majority of Internet users tend to assume that the transfer of data on the Internet is safe, reliable and is not at risk of forgery or hacking. Yang et al. (2012) argues that most Internet processes and services depend on data relayed by the Domain Name System (DNS) through excellent functioning and accurate mapping of domain names that can be understood easily using the IP addresses. Nevertheless, the DNS, which is mainly relied on for this function, does not provide any content protection. This implies that data remains unsecured against any manipulation when being relayed or while in the servers and caches. As a result, identification and avoidance of forged data becomes impossible. It is at this point that the Domain Name System Security Extensions (DNSSEC) becomes useful. DNSSEC, according to Yang et al. (2012) is a technology developed for the purposes of protecting data against attacks by digital ‘signing’ so as to provide assurance of its validity to the user. It authenticates the source data by ensuring that the path between the DNS servers and the validating DNS client are secured. The technology has proved remarkably effective in protecting Internet data from forgery, something that DNS has failed to provide. This paper will start by describing the DNSSEC technology in light of what it means and how it works. This will be followed by a SWOT analysis of the technology. The paper will then evaluate the current ethical and legal issues surrounding DNSSEC technology. The essay will also explore the improvements that have occurred over the last two years to DNSSEC technology and provide a suggestion on the improvements warranted on its current usage. Finally, the paper will predict the future role of DNSSEC for both personal and commercial use. It is an acknowledged fact that the Internet has revolutionized the world. Currently most parts of the world have Internet connectivity including the remotest regions, thanks to the recent technological advancements, according to Osterweil et al. (2011). Normally, for one to reach another person on the Internet, he, or she must type the recipient’s address on the computer or Internet-enabled phones. The address is usually unique to the individual, making it easy for computers to find each other. The unique identifiers are normally coordinated worldwide using the ICANN. Coordination of the identifiers is very crucial because, without it, the entire world would have a single global Internet, suggests Osterweil et al. (2011). When typing an address, it must first be translated into several systems before the final connection can be established. The translation of the address is performed by the DNS, which does the work of translating addresses such as www.google.com into Internet Protocol (IP) addresses. After the completion of the translation, ICANN then ensures that the addressing system is coordinated so as to ensure peculiarity of addresses. However, recent findings showed that DNS is extremely vulnerable and allows attackers to forge this process of searching for someone or site on the Internet using their address. The attacks are mainly committed in order to take charge of the session such as directing the user to the hijacker’s own deceptive website for a password and account collection. The vulnerability of the DNS has prompted the establishment of the DNSSEC technology to provide the necessary protection to this part of the Internet’s infrastructure, according to Osterweil, Massey, and Zhang (2007). The DNSSEC assists in ensuring that only the IP address kept for lookup domain name is taken back to the enquirer. For example, when one types the domain name of say an online-shopping portal, the DNSSEC protocol, ensures that the computer or the phone establishes a connects to the shops stored and published IP address for the authentication of the web server of the online-shopping portal. In so doing, DNNSEC makes it impossible for all third parties to insert an IP address, which has been forged, that might be bogus to the online-shipping portal, notes Osterweil, Massey, and Zhang (2007). The falsification of IP address in such a manner is what is referred to as cache poisoning, and the DNNSEC provides an effective protection against in the Internet. It is, however, worth pointing out that DNSSEC does not inform about the accuracy of the initial data. This implies that the technology is incapable of establishing whether the original data input is harmless or correct. How DNSSEC technology works Normally, when data packets are relayed over the Internet, DNS ensures that there is a linkage of the web address with the IP addresses and the route-traffic to the intended destination. Because of the incapability of DNS in providing data authentication mechanism in the name servers, corrupt or forged data in a name server can direct traffic to an intended server. This is one of the weaknesses that malicious people normally employ top their advantage. DNSSEC corrects this weakness through the addition of digital signatures that guarantee the accuracy of lookup data, thereby ensuring that computers and Internet-enabled phones connect only to legitimate servers. The DNSSEC technology does this using a series of encryption keys that are handed off and authenticated. In this regard, the second-level domain (SLD) key from, for example, .org is authenticated by the TLD (.org) while the root authenticates the TLD key (Arends et al., 2005). In order to produce a digital signature, a pair comprising private and public keys is built. Of the two, the private key, according to experts is confidential, therefore, only the owner knows it, unless leaked to third parties. The public key, on the other hand, is normally published on the DNS where it can assist in verification and validation of a signature that happened to have been assigned by the private key. Experts suggest that users must trust the public key in order to be able to use this process. The building of the trust requires the application of the so-called the chain of trust based on a hierarchy of specific keys. This is required to enable effective verification of all signatures using a single key (Arends et al., 2005). Zone file Administrator scp Open DNSSEC Write to disk Nsd1 Notify AXFR Nsd2 Authoritative DNS query Resolver Recursive DNS query Recursive DNS query User OpenDNSSEC architecture SWOT analysis of DNSSEC technology The purpose of the SWOT analysis is to analyze the strengths, weaknesses, opportunities, and threats associated with the deployment of the DNSSEC. Strengths Hackers have increased significantly over the past few years putting the security of data at high risk. Hacking has been made easy due to the security weaknesses of the DNS. It has come out that the name servers do not normally have to rely on the IP address every time a site visited frequently is accessed, which enhances the end users’ experience. In case hackers manage to insert illegitimate IP address into a cache, all those who are using the name server are directed to the wrong site until the expiry of the cache or after refreshment. Corrupting DNS operations in this manner is capable of creating all manner of fraud and malicious activities. However, such fraud can easily be prevented using DNSSEC technology, which has the capacity to enhance the trustworthiness and the usefulness of the Internet. This is a major advantage associated with the deployment of this technology (Fetzer and Jim, 2004). The other key strength associated with the DNSSEC technology pertains to the cost element. The deployment of DNSSEC validation is said to be very low in terms of cost. Fetzer and Jim (2004) claim that the implementation of the technology requires very little in terms of hardware and software. In addition, its implementation requires a small investment in time for the system administration department. Findings show that experienced system administrators can complete the deployment of the DNSSEC technology in just a week. This is a major strength associated with the technology making it preferable for implementation to other competing technologies. Weaknesses Like any other technology, the implementation of DNSSEC technology is marred by many challenges. Firstly, the implementation of the technology requires an enormous amount of work across every quarter of the Internet. Experts argue that singing the TLD and the root are just but a tip of the iceberg. The second major weakness of DNSSEC, according to Arends et al., (2005), is the fact that addition of encryption keys to the Internet lookups brings many logistical challenges associated with managing the keys like how to update periodically keys without necessarily breaking the way name servers work and how to incorporate the differing protocols and keys of different TLDs. Since name server is still evolving to support the DNSSEC, many firms will still have to update DNS software while the hardware upgrade may also be needed. Additionally, DNSSEC can easily degrade the Internet lookup speed, which may result in a slower experience for the end users, according to Arends et al., (2005). This is a major weakness as far as the application of the technology is concerned. The implementation of the technology is also marred by a myriad of policy challenges that must be resolved first at the international level. The move to implement the DNSSEC technology for the root has renewed a longstanding argument regarding where the Internet control resides. Such debates have negatively affected the full deployment of the technology. The other main weakness associated with the technology, according to York (2012), is the fact that applications are not DNSSEC-aware. York (2012) claims that, from the end-user point of view, the problem with DNSSSEC is that only few end-user applications are presently using DNSSSEC. Despite there being several DNSSEC-related tools for network administration, only a few options are available for regular users on a computer. Opportunities The deployment of the DNSSEC technology offers a great opportunity for those operating their own DNS servers. This is because there are plenty of documentation regarding how configure DNSSEC for any DNS server being used. Additionally, sites like the DNSSEC-Tools project (16) are also in existence that provides tools that help in the process and software like OpenDNSSEC (17) capable of automating a significant portion of the process (Daley, 2011). The other significant opportunity in the deployment of DNSSEC is that the market demand for the deployment of the technology is growing exceptionally fast. The increase in demand for Internet security has increased over the past few years due to the increased threat of hacking by malicious people. As a result, companies and individuals are increasingly implementing the DNSSEC technology to protect their Internet contents from hacking and forgery, according to Schwartzberg (2013). Threats The DNSSEC technology is under serious threat from other emerging technologies. Currently the DNSSEC is facing stiff competition from Secure Socket Layer (SSL), which has also proved as a good protocol for authenticating and encrypting network communication. York (2012) argues that SSL protocol provides some high-level validation for address gotten from DNS for a particular host. In this regard, like DNSSEC, the SSLK informs the user that the trusted CA believes that the host reached is indeed associated with the hostname. This is one advantage it has over DNSSEC making it receive much demand compared to the DNSSEC. In addition, unlike, DNSSEC, SSL provides encryption and authentication, which are suitable for applications such as online banking and shopping. This makes SSL market penetration stronger than DNSSEC. Other advantages that SSL has over DNSSEC include the fact that SSL protocol is mature; has a strong brand awareness; has a business model, and is entrenched, notes York (2012). Other DNSSEC competitors that pose a serious threat to the technology include the several public key infrastructure (KPI) efforts such as the XKMS (7). It is worth noting that, even though KPIs does not secure DNS data, they provide additional services valued very much by consumers. KPIs rely on existing DNS protocol to obtain network addresses and perform additional checks to ensure that the right party is attached. This makes it a formidable competitor of DNSSEC, which has indeed affected the demand for the DNSSEC application (Arends et al., 2005). The current ethical and legal issues surrounding DNSSEC As Internet connectivity continues to grow, a number of ethical and legal issues tend to arise. This has particularly been witnessed in the area of Internet security. Ethics in this case pertains to the moral principles that deal with values relating to human conduct regarding the rightness or wrongness of a given action (Azari, 2012). In the area of DNSSEC, some ethical questions have arisen regarding how ethical the deployment of the technology is to the users. In this regard, there are those who believe that it is unethical to control the applicability of DNS protocol through deployment of DNSSEC (Azari, 2012). However, the implementation of the technology should be embraced since it guards against malicious attacks on the Internet, which is beneficial for users and the society at large. Improvements that have occurred over the last two years to DNSSEC technology The improvements that have been made to the DNSSEC over the last two years have been those aimed at supporting the security capabilities of DNSSEC. In this regard, several new DNS Resource Records (RRs) have been developed to support the new security capability of the technology. The new records allow mapping of peculiarly identified host names into IP addresses possible. The new RRs that have been created to enhance the security of DNSSEC in the recent past include the KEY RR, which is used DNS RRSet signature verification, SIG RR used for RRSet storage; NXT RR used to in cryptographically SERT RRSet nonexistence and CERT RR used to provide public key certificate both within and outside DNS (Ayoub, 2012). Improvements that need to be made for the effective deployment of the technology Guidance documents will have to be updated as new RR type and protocol extensions are created to back up different applications such as Web surfing and emails. This is based on the fact that most of this documentation was made long before the widespread development of DNSSEC, observed Yang et al., (2012). For instance, there is a need to update the NIST Special Publication documents on securing application servers such as the emails, and Web to include guidance on the new features of DNSSEC to support a particular application protocol. Guidance and documentation on how to use DNSSEC in the application is also required to assist application developers who still do not understand the new level of service DNSSEC and DNS enables. In addition, to benefit fully from the DNSSEC, I recommend the following improvements to be made. Firstly, DNSSEC validation needs to be supported on the DNS resolution services. Secondly, DNSSEC should be deployed on the domain name. Lastly, people need to be told of the benefits and trustworthiness of DNSSEC technology in maintenance of the security of Internet applications. Doing this will help draw many people to the technology which is already facing stiff competition from other protocols such as the SSL and KPI, according to Yang et al. (2012). The possible future role of DNSSEC. As we have seen, DNSSEC provides many security benefits to the Internet. Many Internet veterans see DNSSEC technology as a platform for innovation for a wide range of Internet security solutions, which includes emails, Web, and digital certificates. It is likely that DNSSEC will soon become a vital link for a wide range of industry applications, according to Shinkuro Inc (2013). In this regard, apart from just authenticating data to prevent malicious attacks, DNSSEC might soon be used to guard against viruses, which pose a huge threat to the Internet applications. Commercially, DNSSEC might be used to track illegal activities in the computer as deterrence to unauthorized entry. Conclusion The Internet has truly revolutionized the world than ever before. Today, billions of users depend on the Internet as a key public infrastructure. Even though it has been effective since its invention, some of its key components were not securely designed to handle the crucial and sensitive nature of information being relayed across it presently. Currently, DNSSEC addresses some of the security problems inherent in DNS and provides a foundation for the era of hyper-connectedness that we have just entered. Certainly, the deployment of DNSSEC increases the security of the Internet, as well as those of users of ISP services, which will ultimately enhance services to end-user and ensure a more secure and reliable network into the future. References Arends, R., Austein, R., Larson, M., Massey, D., & Rose, S. (2005). Protocol modifications for the DNS security extensions. RFC 4035. Ayoub, R. (2012). How Internet service providers can use DNSSEC to provide security for customers. A Frost & Sullivan White Paper. Pp. 1-13. Azari, R. (2012). Current security management and ethical issues of information technology. New York, NY: Idea Group Inc (IGI). Daley, J. (2011). “Why you need DNSSEC.” Newsline. Retrieved from http://www.iitp.org.nz/newsletter/article/141. Fetzer, C., & Jim, T. (2004). Incentives and disincentives for DNSSEC deployment. Pp. 1-8. Osterweil, E., Massey, D., Ryan, M., & Zhang, M. (2011). Quantifying the operational status of the DNSSEC deployment. Colorado State University. Osterweil, E., Massey, D., & Zhang, L. (2007). Observations from the DNSSEC deployment. In the 3rd workshop on Secure Network Protocols (NPSec). Rogers, E.M. (2003). Diffusion of innovations. New York, NY: Free Press. Schwartzberg, D. (2013). “Canada Joins the DNSSEC party.” Retrieved from http://www.darkreading.com/sophoslabs-insights/canada-joins-the-dnssec-party/240147786. Shinkuro Inc. (2013). DNSSEC Roadmap. Department of Homeland Security DNSSEC Deployment Initiative. Version 21. Pp. 1-50. Yang, H., Osterweil, E., Massey, D., Lu, S., & Zhang, L. (2012). Deploying cryptography in Internet-scale systems: A case study on DNSSEC. Colorado State University. York, D. (2012). Challenges and opportunities in deploying DNSSEC. A progress report on an investigation into DNSSEC deployment. Internet Society, pp. 1-6. Read More