DNSSEC and Identity


DNS Security Extension, or DNSSEC, is a set of extensions to DNS, which provide end-to-end authenticity and integrity. In an article in the Business Standard, Paul Mockapetris, the inventor of DNS talks about DNSSEC and why he thinks its the answer to many of the identity problems on the Internet. Quoting from the article:

Mockapetris argues that a work-in-progress extension to the DNS specification called DNSSEC is what makes the DNS up to the task of solving most of the identity related issues on the Internet. Unfortunately, since DNSSEC isn't bulletproof (and, according to some, could result in other vulnerabilities), the specification has been a work-in-progress since November 1993, when the DNS working group of the Internet Engineering Task Force (IETF) held its first DNSSEC design meeting. Despite the imperfections of DNSSEC, Mockapetris says that it's time to go for it. "The DNS has been growing for twenty years, but during that time, no progress has been made on securing it.

Paul claims that the problem is that the committee is trying to solve and problem perfectly rather than doing what can be done now. He's got a point. I think part of the problem with UDDI is that its tried to solve too many problems when 90% of what we want is a DNS-like mechanism for Web services.

The basic idea behind DNSSEC is simple: provide an authentication mechanism for DNS lookup so that its harder (not impossible) to forge DNS information. That means that you be be relatively certain that the email that claims to have come from windley.org actually did, or that the HTTP request you're processing is actually from your partner at myco.com and not an imposter.

In theory, the implementation is fairly straightforward. Again quoting from the article:

The technology behind these confidence checks uses digital signatures and public key cryptography. For starters, DNSSEC involves the use of secure hash algorithms for the digital signing of the records - called RRSets - that appear in the DNS database. Using its private key, the site could digitally sign the domain mapping information that appears in the DNS and any application that depends on that information could retrieve the matching public key from a special key record (part of the DNSSEC specification) under the DNS entry. Using the public key, the application can verify that the domain mapping information was signed with the private key, which presumably only the website has.

One of the hard problems of DNSSEC is political, not technical (no surprise there). DNS is hierarchical, which means that the security will have a trust pyramid. Someone has to sit on top of the trust pyramid and whoever does is in the catbird seat. Naturally, companies like Verisign are lining up to fill that role.

Even with the holes and problems, DNSSEC would fill a need and solve many problems that we grapple with in the area of security and identity. I agree with Paul. Its time to move forward.