DNSSEC is the Key to a Healthy Future for the Internet

The future of internet connectivity could diverge into two very different outcomes—aggressive monopolization by a few providers or a more diverse landscape that fosters innovation. The latter possibility is the better outcome, but it will require improved security to ensure that every entity can connect to each other safely. And one key to making this happen lies in the domain name system (DNS) technology that underpins everything we do online—specifically, modern DNS security extensions (DNSSEC). Let’s review why the internet is at a turning point, why DNSSEC is so important and how challenges commonly associated with DNSSEC are being resolved.

The Future of Internet Connectivity

In recent years, we have seen a small number of internet service providers and content delivery networks handle a substantial portion of online connectivity. It’s simple to set up a secure, encrypted connection among a small number of large companies, but the dominance of these entities comes at a cost. Without alternatives, consumers and enterprises alike are at the mercy of whatever pricing their provider establishes and a lack of competition stifles innovation in the field. We are much more likely to see a stream of new and exciting technologies if internet connectivity relies on a vibrant ecosystem of companies, nonprofit organizations and open source projects.

Why DNSSEC Keeps a Diverse Internet Safe

Since DNS plays such a fundamental role in connecting all aspects of IT infrastructure, applications and online services, it’s a persistent target for malicious actors. Unfortunately, standard DNS was not built with security in mind; DNS requests are vulnerable to interception, and the sender cannot verify whether the IP addresses and other information that they receive are legitimate or lead to a fraudulent site. Applications can effectively vanish from the internet or domain names may be hijacked to pull in phishing victims.

This liability is why DNSSEC is so important. It leverages cryptographically signed DNS records so that the resolver that issued the query can verify that the returned IP address was in fact published by the zone's operator and was not altered in transit. (DNSSEC authenticates the data; it does not encrypt the query, so it complements rather than replaces transport protections such as DNS over TLS.) Despite its clear value, adoption has been slow for a few reasons.

Overcoming Obstacles to DNSSEC Adoption

Many modern companies rely on DNS to steer traffic dynamically, accounting for fluctuations in infrastructure uptime to send users to the servers best equipped to handle more traffic. Unfortunately, the most common form of DNSSEC is offline signing, which completes the cryptographic signing process before a DNS request comes in. This is incompatible with modern forms of traffic steering, which demand context-driven real-time DNS responses. Also, DNSSEC has historically had no way to reconcile the proprietary, non-standardized traffic-steering features offered by different vendors when a zone is served by more than one provider. These shortcomings have forced providers to choose either DNSSEC or traffic steering across multiple DNS providers—and many have ultimately prioritized functionality and flexibility over DNSSEC.

Assuming the internet does become more diverse, there will be many entities fielding DNS traffic that cannot be trusted automatically. The good news is that common impediments to DNSSEC are no longer insurmountable. Modern DNSSEC providers have found ways to sign DNS responses “on the fly” to fully support real-time traffic steering. Moreover, providers are embracing an emerging “multi-signer DNSSEC” open standard from the Internet Engineering Task Force that can support multiple DNS providers without compromising DNSSEC. This will allow a broader range of companies to play a fundamental role in internet connectivity without sacrificing security.
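Here is an added example (not part of the article, and not NS1's code) that models the three situations described in the two paragraphs above in a small Go program: an offline-computed signature that no longer validates once traffic steering changes the answer, the same answer signed on the fly at query time, and a multi-signer zone in which two providers sign with their own keys and the validator accepts either one because both keys are published in the zone's DNSKEY set (the model described in RFC 8901). Ed25519 is a real DNSSEC algorithm (number 15, RFC 8080), but the RRset serialisation, the `RRset`, `Signer`, `Validator` and `Steer` names, and the sample zone data are simplified constructions for illustration, not RFC 4034 wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and record
// data. Illustrative model only, not the RFC 4034 wire format.
type RRset struct {
	Name  string
	Type  string
	RData []string
}

// canonical serialises an RRset deterministically (lower-cased owner name,
// sorted rdata) so signer and validator sign and verify exactly the same bytes.
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.RData...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(data, ","))
}

// Signer models one DNS provider holding its own zone-signing key (ZSK).
// Ed25519 is DNSSEC algorithm 15 (RFC 8080).
type Signer struct {
	Provider string
	Public   ed25519.PublicKey
	private  ed25519.PrivateKey
}

func NewSigner(provider string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Provider: provider, Public: pub, private: priv}, nil
}

// SignedAnswer pairs an RRset with its signature, standing in for an RRSIG.
type SignedAnswer struct {
	RR  RRset
	Sig []byte
}

// Sign produces a signature over exactly this RRset and nothing else.
func (s *Signer) Sign(rr RRset) SignedAnswer {
	return SignedAnswer{RR: rr, Sig: ed25519.Sign(s.private, canonical(rr))}
}

// Validator holds the zone's published DNSKEY set. In the multi-signer model
// every provider's ZSK is published, so an answer signed by any of them verifies.
type Validator struct {
	DNSKEYs []ed25519.PublicKey
}

func (v Validator) Validate(a SignedAnswer) bool {
	msg := canonical(a.RR)
	for _, k := range v.DNSKEYs {
		if ed25519.Verify(k, msg, a.Sig) {
			return true
		}
	}
	return false
}

// Steer models traffic steering: the authoritative server answers with the
// subset of addresses judged healthy at query time.
func Steer(full RRset, healthy []string) RRset {
	return RRset{Name: full.Name, Type: full.Type, RData: healthy}
}

func main() {
	a, err := NewSigner("provider-a")
	if err != nil {
		panic(err)
	}
	b, err := NewSigner("provider-b")
	if err != nil {
		panic(err)
	}

	// Constructed sample zone data using RFC 5737 documentation addresses.
	www := RRset{Name: "www.example.com.", Type: "A",
		RData: []string{"192.0.2.10", "192.0.2.11"}}
	resolver := Validator{DNSKEYs: []ed25519.PublicKey{a.Public, b.Public}}

	// 1. Offline signing: the signature was precomputed over the full RRset.
	pre := a.Sign(www)
	// Steering later decides 192.0.2.10 is unhealthy. Reusing the precomputed
	// signature on the steered answer fails, because the signed bytes differ.
	stale := SignedAnswer{RR: Steer(www, []string{"192.0.2.11"}), Sig: pre.Sig}
	fmt.Println("offline signature on steered answer validates:", resolver.Validate(stale))

	// 2. On-the-fly signing: sign the steered answer at query time.
	fresh := a.Sign(Steer(www, []string{"192.0.2.11"}))
	fmt.Println("online-signed steered answer validates:", resolver.Validate(fresh))

	// 3. Multi-signer: provider B answers with its own key and is accepted
	// because its ZSK is in the published DNSKEY set ...
	fromB := b.Sign(www)
	fmt.Println("provider B answer, both keys published:", resolver.Validate(fromB))
	// ... but a resolver that only sees provider A's key rejects it.
	onlyA := Validator{DNSKEYs: []ed25519.PublicKey{a.Public}}
	fmt.Println("provider B answer, only A's key published:", onlyA.Validate(fromB))
}
```

Run with `go run`: the first line reports false (the precomputed signature does not cover the steered answer), the second and third report true, and the fourth reports false. The last case is the practical point of the multi-signer model: every provider's ZSK has to be present in the zone's DNSKEY RRset, or validating resolvers will treat that provider's otherwise correct answers as bogus.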

DNSSEC is a gateway to all sorts of exciting technologies, but these possibilities can only be realized if many firms embrace its role in security. By utilizing DNSSEC, companies will no longer have to choose whether the internet should run safely or dynamically. The resulting security and reliable connectivity are necessary prerequisites for the kind of exciting, intellectually thriving internet that we should all hope will come to pass.

Shane Kerr

Shane Kerr is a DNS software developer at NS1. He’s held multiple technical leadership positions at ISC, Dyn, Oracle Cloud and BII. Shane joined ISC and added DHCPv6 support to the ISC DHCP server and built the software for Dyn’s Hivecast system. Shane was the Chief Architect at BII Labs responsible for researching alternate models for DNS root server deployment, DNS standards and open source DNS software development. He was also a Principal Software Developer for DNS at Oracle Cloud Infrastructure. Shane served as a RIPE IPv6 and DNS working group co-chair for several years and was on the RIPE Programme Committee. He has also served on the DNS OARC program committee and the PeeringDB product committee.