DNSSEC being rolled out May 5th - Internet will live on

DNSSEC is an addition to the widely used DNS protocol, which computers all over the world use to resolve host names into IP addresses in order to locate other computers across local networks and the internet. DNSSEC is an extra layer of security that prevents DNS cache poisoning and man-in-the-middle attacks.

Such attacks provide an easy way for malicious internet users to redirect victims from their intended website to one of their choosing, and because the redirection happens at the IP address level there is no way to tell from the browser that the session has been redirected (aside from SSL connections, which require a signed certificate).

DNSSEC works by signing the DNS records on the authoritative nameserver, and publishing the public part of the signing key in a special record in the zone. This can then be queried by clients and used to verify that the response they received actually came from a nameserver with authority to respond for that zone.

A number of DNS servers on the internet have already implemented DNSSEC, but as of May 5th all 13 root servers will have zone signing enabled. Root DNS servers sit at the top of the hierarchy and are used to resolve top-level domains such as .com and .net. This is an important step forward, as it ensures that the trust of the nameserver responding to a request can be verified right up to the root of the DNS system, allowing users to be confident that the response they received is not malicious.
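The chain of trust described above (the public key published in the zone as a DNSKEY record, and the parent zone committing to that key with a DS record so verification can run all the way up to the root) can be shown with the hashing part alone. The following is an added example and not code from the article: the zone names and key bytes are constructed placeholders rather than real RSA keys, and the RRSIG signature check a real validator also performs over each DNSKEY and DS RRset is left out because it needs asymmetric cryptography. The DS digest and key-tag computations follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

# DNSKEY / DS constants from RFC 4034 and RFC 4509
DNSKEY_FLAGS_KSK = 257     # Zone Key + Secure Entry Point bits
DNSKEY_PROTOCOL = 3
ALG_RSASHA256 = 8
DIGEST_SHA256 = 2


def wire_name(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags | protocol | algorithm | public key bytes."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (a checksum used to pick the right key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=DIGEST_SHA256):
    """DS RDATA the parent publishes: digest(owner name | DNSKEY RDATA)."""
    hasher = hashlib.sha256 if digest_type == DIGEST_SHA256 else hashlib.sha1
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],          # algorithm byte of the DNSKEY RDATA
        "digest_type": digest_type,
        "digest": hasher(wire_name(owner) + rdata).digest(),
    }


def dnskey_matches_ds(owner, rdata, ds):
    """True if the child's DNSKEY is the one the parent's DS commits to."""
    if key_tag(rdata) != ds["key_tag"] or rdata[3] != ds["algorithm"]:
        return False
    return ds_record(owner, rdata, ds["digest_type"])["digest"] == ds["digest"]


def ancestors(name):
    """Zones from the root down to `name`, e.g. ['.', 'com.', 'example.com.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def build_zone_set():
    """Constructed root/com/example.com zones, each with a KSK, plus the DS
    record each parent publishes for its child. Key bytes are placeholders."""
    public_keys = {".": b"root-ksk-bytes", "com.": b"com-ksk-bytes",
                   "example.com.": b"example-ksk-bytes"}
    zones = {n: {"dnskey": dnskey_rdata(DNSKEY_FLAGS_KSK, ALG_RSASHA256, k), "ds": {}}
             for n, k in public_keys.items()}
    for child, parent in (("com.", "."), ("example.com.", "com.")):
        zones[parent]["ds"][child] = ds_record(child, zones[child]["dnskey"])
    return zones


def validate_chain(zones, target, trust_anchor_ds):
    """Walk from the configured root trust anchor down to `target`, checking at
    each level that the zone's DNSKEY matches the DS its parent published.
    (Signature verification over each RRset is omitted in this example.)"""
    chain = ancestors(target)
    expected_ds = trust_anchor_ds
    for i, zone in enumerate(chain):
        if not dnskey_matches_ds(zone, zones[zone]["dnskey"], expected_ds):
            return False                      # key at this level is not trusted
        if i + 1 < len(chain):
            expected_ds = zones[zone]["ds"].get(chain[i + 1])
            if expected_ds is None:
                return False                  # parent holds no DS: no chain to child
    return True


if __name__ == "__main__":
    zones = build_zone_set()
    anchor = ds_record(".", zones["."]["dnskey"])       # the validator's trust anchor
    print("example.com. validates:", validate_chain(zones, "example.com.", anchor))
```

Replacing a zone's DNSKEY with any other key makes its parent's DS no longer match, and validation stops at that level; this is the link the article means when it says trust can be verified "right up to the root".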

A number of websites have reported today that, due to changes made to support DNSSEC, older clients will be unable to process the extended responses, effectively rendering DNS unusable and "breaking the Internet". The concern is the size of the response needed to carry the additional information, which may have to be sent over TCP rather than UDP as the original protocol prefers. This is in fact not the case: old clients will have no issues once the upgrade is complete.

The DNSSEC protocol is an addition to the existing DNS protocol, and not a replacement. In order for clients to receive the signed responses, along with the information required to verify the reply, clients must explicitly set a "DO" flag in the query they send to the resolver. If this flag is not set, the resolver will return a response in the standard, pre-DNSSEC format.

Old clients, which are unable to handle the DNSSEC extensions, will not set this flag in outgoing requests and thus will have no issues reading the reply they receive. Equally, if a client that does support DNSSEC queries a server which does not, the response will be returned in the standard format, and no record will be found at the parent nameserver indicating that a signed response should have been received.
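The "DO" flag described above is a bit in the EDNS0 OPT pseudo-record a client appends to its query; a pre-EDNS client sends no OPT record at all, which is why it keeps getting the plain answer. This is an added example, not code from the article: it builds queries in DNS wire format with and without that record and parses them the way a resolver would, including the advertised UDP payload size that decides whether a large signed answer fits in UDP or must be marked truncated (TC) so the client retries over TCP. All packet values are constructed.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
DO_BIT = 0x8000        # DNSSEC OK: high bit of the OPT record's "TTL" field
FLAG_TC = 0x0200       # truncation bit in the DNS header flags
LEGACY_UDP_SIZE = 512  # maximum UDP payload for a client that sends no OPT record


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed name at `offset`; return (name, new_offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers are not used in queries")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=DNS_TYPE_A, edns=False, dnssec_ok=False,
                udp_payload_size=4096, txid=0x1234):
    """Build a query. edns=False models an old client (no OPT record);
    dnssec_ok=True sets the DO bit, which requires an OPT record."""
    if dnssec_ok:
        edns = True
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    packet = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS carries UDP size, TTL carries flags
        ttl_field = DO_BIT if dnssec_ok else 0
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size,
                                        ttl_field, 0)
    return packet


def parse_query(packet):
    """Resolver-side view of a query: name, type, EDNS presence, DO bit and
    the UDP size the client can accept."""
    _txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname, offset = decode_name(packet, offset)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    info = {"qname": qname, "qtype": qtype, "edns": False,
            "dnssec_ok": False, "udp_payload_size": LEGACY_UDP_SIZE}
    for _ in range(arcount):
        _name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info["edns"] = True
            info["udp_payload_size"] = rclass
            info["dnssec_ok"] = bool(ttl & DO_BIT)
    return info


def should_include_signatures(packet):
    """A resolver adds RRSIG/DNSKEY data only when the client asked for it."""
    return parse_query(packet)["dnssec_ok"]


def response_fits_udp(response_length, query_info):
    """False means the server must set TC and the client falls back to TCP."""
    return response_length <= query_info["udp_payload_size"]


def is_truncated(packet):
    """Check the TC bit in a response header."""
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    for label, q in (("legacy", build_query("example.com")),
                     ("dnssec", build_query("example.com", dnssec_ok=True))):
        info = parse_query(q)
        print(label, info, "signed answer fits in UDP:", response_fits_udp(2048, info))
```

The legacy query parses with no EDNS, DO clear and a 512-byte limit, so it receives an ordinary answer; the DNSSEC-aware query advertises 4096 bytes, which is why a roughly 2 KB signed response normally still travels over UDP and the TCP fallback only matters when something between client and resolver blocks larger packets.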


26 Comments


Oh yay, now I can look forward to 300ms+ to the US instead of 200~250ms. Way to go guys, I thought internet gaming was sucky before, well now it's going to be absolutely impossible.

bjoswald said,
So will this make page loads slower?

No one can say a 100% answer to this until it happens, even though it should not.

bjoswald said,
So will this make page loads slower?

yes, the longer it takes to resolve an IP address, the longer it takes to start loading a page.

I used to run a local DNS caching server, and the difference was astonishing. Pages went from taking many seconds to load, to loading instantly.

dvb2000 said,

yes, the longer it takes to resolve an IP address, the longer it takes to start loading a page.

I used to run a local DNS caching server, and the difference was astonishing. Pages went from taking many seconds to load, to loading instantly.

At least on the initial query the additional overhead comes into play and it will likely cause some delay in rendering the pages. Once the information is cached, things should be back to normal speeds.
Doubtful that your regular @home internet user will notice much of that impact, so we'll have to wait for another day to see "the Internet" break. Until then, I'm with ipodman715 ... now where are those margaritas ...

Glad to see an added level of protection in all cases around the Internet. I wasn't fully aware of the DNS redirection issue, but it does seem like it's easy to pull off and trick users online for their bank information.

As there are likely more dated servers out there than new ones (say within the last 2-3 years), not being upgradable would cause a massive scramble around the Internet. Good to see the upgrade won't break the Internet.

jingarelho said,
So what kind of changes must one make if running a DNS server?

There are no changes you HAVE to make, if you decide you wish to setup DNSSEC for your zones however, the process isn't too complicated:

1. Generate zone signing and key signing keys
2. Publish the public portions of the keys in your zone
3. Sign the zone

Exact instructions for doing this (commands to run etc) obviously vary depending on what software you use, but a quick google usually turns up a helpful guide.

So the new dns uses TCP (which adds overhead) and sends a security key. I'm wondering what kind of overhead this is going to add overall.

devn00b said,
So the new dns uses TCP (which adds overhead) and sends a security key. I'm wondering what kind of overhead this is going to add overall.

I thought it only used TCP if your local system blocked the 512 byte packet that the original DNS used.. if it fails to receive the 512 byte packet, then it would fall back to TCP... at least that's what I read recently

devn00b said,
I'm wondering what kind of overhead this is going to add overall.

According to Winterford, 2010 at itnews.com.au, "all DNSSEC signature-laden messages sent back to a user's DNS resolver will be four times the size - some 2 KB - and potentially will be sent in multiple packets via the TCP protocol."

So typing "google" into Google isn't the only way to break the internetz...

oh no, sounds like some "committee" sat for 3 years, wasted $3m and came up with some new protocol that introduces 3x more traffic and higher latency for DNS queries.

All for a "non-existent", non-problem.

dvb2000 said,
oh no, sounds like some "committee" sat for 3 years, wasted $3m and came up with some new protocol that introduces 3x more traffic and higher latency for DNS queries.

All for a "non-existent", non-problem.


Oh so the ability for bad guys to poison DNS caches is a "non-problem". Try again.

SharpGreen said,

Oh so the ability for bad guys to poison DNS caches is a "non-problem". Try again.

Certainly, in all the years I've used the internet, it's never been a problem for me. Just a case of a few "academics" trying to make a name for themselves, fixing a non-existent problem.

Anyone smart enough to "poison" DNS caches will certainly be smart enough to trick a DNS query into thinking his reply is valid because the DNS server being queried does not support this new DNSSEC standard and is supplying a legacy reply.

dvb2000 said,

Certainly, in all the years I've used the internet, it's never been a problem for me. Just a case of a few "academics" trying to make a name for themselves, fixing a non-existent problem.

Anyone smart enough to "poison" DNS caches will certainly be smart enough to trick a DNS query into thinking his reply is valid because the DNS server being queried does not support this new DNSSEC standard and is supplying a legacy reply.

And in all the years I've used the internet I've never gotten a trojan / virus. So using your logic, trojans and viruses don't exist.

/- Razorfold said,

And in all the years I've used the internet I've never gotten a trojan / virus. So using your logic, trojans and viruses don't exist.

Indeed, DNS poisoning exists.

but.. it is rare and requires the sum of several factors, including an unpatched DNS server.