IT Brief UK - Technology news for CIOs & IT decision-makers
DNSSEC is becoming the key to a more User-Friendly Future
Tue, 14th Feb 2023

Over the next few years, internet connectivity is likely to change, and it could go in one of two very different directions. The first possibility is that it will be monopolised by a handful of providers, and costs for users will skyrocket. The second is that it will evolve into a vibrant ecosystem that is better positioned to encourage innovation.

The second of these scenarios is the better outcome for consumers and enterprises, but ensuring that it happens means improving security so that all users can connect to each other safely. An important key lies in the Domain Name System (DNS), the underlying foundation for all online activity, and specifically in modern DNS Security Extensions (DNSSEC).

There are reasons why the internet landscape is changing, but it’s important to understand that former challenges associated with DNSSEC are being resolved, making this technology vital for the future.

Looking ahead at Internet Connectivity

As more and more of our lives have been digitalised, the internet and how it is run have changed. Where once there was a wide choice of internet service providers and content delivery networks, now just a few manage a substantial portion of online connectivity. While users have benefited from the simplicity of setting up a secure, encrypted connection with a known entity, which itself can establish secure connections with other large organisations, the dominance of these companies has come with higher costs. Without healthy competition, the market is at the mercy of whatever pricing a provider sets, and innovation has stagnated. More companies employing more creative brains results in fresh ideas, and this is much more likely if the ecosystem is not dominated by a few large players. What we should want instead are vibrant organisations, open-source projects and non-profits that can develop a stream of new and exciting technologies.

The role of DNSSEC      

DNS underpins the internet, enabling the connection of IT infrastructure, applications, and online services, and because of this it is frequently attacked by bad actors. It is also a long-established technology that was not created with security in mind. DNS requests can be intercepted, and the sender cannot verify whether the IP addresses and other information it receives are legitimate or will divert it to a malicious site. This vulnerability has meant that applications can disappear from the internet, and domain names can be hijacked to launch phishing attacks.

This weakness led to the development of DNSSEC. It uses cryptographically signed DNS records to assure the sender of a DNS query that the returned IP address did, in fact, come from the intended source. While it is valuable, adoption has been slow for a variety of reasons.

Breaking Down Barriers to DNSSEC Adoption

Organisations rely on DNS to dynamically steer traffic, allowing for fluctuations in infrastructure uptime so that users can be sent to the servers best equipped to manage more traffic. The most common form of DNSSEC is offline signing, which is unfortunate because it completes the cryptographic signing process before a DNS request comes in, making it incompatible with modern forms of traffic steering, which demand context-driven real-time DNS responses. In addition, DNSSEC has in the past been unable to reconcile advanced, non-standardised DNS technology from multiple vendors. These deficiencies have compelled providers to select either DNSSEC or traffic steering across multiple DNS providers — and many have ultimately prioritised functionality and flexibility over DNSSEC. 

As and when the internet becomes more diverse, we can expect entities to field DNS traffic that we shouldn’t automatically trust. The good news, however, is that many of the common barriers to DNSSEC are now easier to manage. Modern DNSSEC providers have devised methods to sign DNS responses “on the fly” to fully support real-time traffic steering. Providers are also embracing an emerging ‘multi-signer DNSSEC’ open standard from the Internet Engineering Task Force that can support multiple DNS providers without compromising DNSSEC. The great benefit of this is that it allows a wider range of companies to play a fundamental role in internet connectivity without sacrificing security. 
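
The conflict between offline signing and real-time steering described above, and the on-the-fly signing that resolves it, shown as an added example (not code from this article or from any DNS provider). It is a simplified model: Ed25519 over a text form of the record set stands in for the RFC 4034 wire-format signing input, and `steer`, `NewServer`, `Validate`, the name `www.example.` and the addresses are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// rrsetData is a simplified stand-in for the RFC 4034 signing input (assumption).
func rrsetData(addrs []string) []byte {
	return []byte("www.example.|A|" + strings.Join(addrs, ","))
}

// steer picks the answer per query; the addresses are constructed samples.
func steer(region string, euUp bool) []string {
	if region == "eu" && euUp {
		return []string{"192.0.2.10"}
	}
	return []string{"198.51.100.20"}
}

// NewServer returns the zone's public key and an answer function. In offline
// mode the only signature available is the one made before any query arrived.
func NewServer(online bool) (ed25519.PublicKey, func(region string, euUp bool) ([]string, []byte)) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	presig := ed25519.Sign(priv, rrsetData(steer("eu", true)))
	return pub, func(region string, euUp bool) ([]string, []byte) {
		addrs := steer(region, euUp)
		if online {
			return addrs, ed25519.Sign(priv, rrsetData(addrs)) // signed per query
		}
		return addrs, presig
	}
}

// Validate is the resolver side: the signature must cover the records received.
func Validate(pub ed25519.PublicKey, addrs []string, sig []byte) bool {
	return ed25519.Verify(pub, rrsetData(addrs), sig)
}

func main() {
	pub, answer := NewServer(false)
	addrs, sig := answer("us", true)
	fmt.Println("offline signing, steered answer validates:", Validate(pub, addrs, sig))
}
```

With offline signing the steered or failed-over answer fails validation because no signature was ever made over it; with per-query signing every steered answer validates, while a substituted address still does not.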

DNSSEC opens the door to many innovative technologies if companies are committed to embracing its role in security. By utilising DNSSEC, firms will be able to rely on an Internet that runs both safely and dynamically without having to choose one or the other. This is the kind of healthy Internet environment we should be aiming for.