Internet Performance Delivered right to your inbox

You May Have 99 DNS Problems, But DNSSEC Shouldn’t Be One

DNS is core Internet Infrastructure.

On the back of this core infrastructure protocol, companies like Dyn have employed the ability to design, construct, and deploy a series of proprietary advanced services (service failover, load balancing, real time traffic management, and geographic management) that allow users to better serve their consumers.

The DNS protocol was designed when the Internet was a friendly neighborhood of like-minded researchers.

Everyone on the Internet knew each other, and you could actually get a list (on paper!) of who could connect to the Internet. In that environment, fraudulent answers were not expected to be a problem, so DNS wasn’t designed to prevent them.

When the Internet grew up, bad guys showed up. These bad actors would try to hijack Internet connections by giving out wrong answers to DNS queries. Since there was no lie detector in the DNS, an end user had no way to tell whether the answer received was the real one, or a fake one from a malefactor.

In other words, DNSSEC is the lie detector for the DNS.

Introducing DNSSEC (DNS Security Extensions)

Enterprise architectures are limited to enterprise charters for DNSSEC deployment because it requires significantly specialized skills to run an IP Anycast network. This can result in a lack of highly available advanced feature assets for a DNSSEC user due to the amount of credentials and advanced options required to properly maintain the configuration.

Adding DNSSEC to the DNS makes what used to be a pretty simple service into something much more complicated. Traditionally, DNS is “set and forget”; once you have set up your zones and have your network running like you want, you don’t need to touch the DNS until you make network changes. But DNSSEC, to be effective, has to prevent answers from being re-used when they shouldn’t be: it has to prevent replay attacks. This introduces the requirement for maintenance just to keep running. Zones need to be re-signed. Key maintenance policies are needed.

A delicate balance is needed between the TTL and signatures, so that signatures that are expired do not linger in caches on the Internet. Failure to do any of these means that perfectly good DNS data will be treated as though it is a lie and discarded. You can accidentally take yourself off the Internet with DNSSEC.

Also, because DNSSEC takes additional resources, protecting users of your domain name can expose you to denial of service attacks. DNSSEC may reveal that a once-adequate, medium-sized enterprise network that hosted DNS servers is inadequate to handle the increased loads. Enterprise staff, who were perfectly capable of dealing with the old “set and forget” plain DNS, may find themselves made busy and frustrated by a system that needs more maintenance and causes higher bandwidth use.

These issues may be relieved by turning to specialist services that offer automatic handling of the maintenance of DNSSEC and that have purpose-built, high availability Anycast DNS networks. These are designed specially to ensure that the DNS servers aren’t overwhelmed by attacks and that attacks that do arrive are absorbed with no harm to the DNS zones on the servers.

(Many thanks to Andrew Sullivan, Tim Chadwick, and Ryan Brickett for all their help on this post!)

Share Now

Whois: Mikel Steadman

Mikel Steadman was the Director of Sales and Solutions Engineering at Oracle Dyn, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.