Real Progress for DNS Security
28 January 2004 -- Internet Systems Consortium, Inc. (ISC) together with NL.net Labs and the RIPE NCC sponsored a workshop last week, resulting in real progress on the long-awaited DNS Security standards.
"The goal of this workshop was to test if the Internet drafts were complete enough to base interoperable implementations on that can be deployed outside test labs," stated Olaf Kolkman, Scientific Programmer at the RIPE NCC. The Internet drafts have recently moved to "last call" status as they make their way through the formal process of the IETF, the standards body responsible for defining global Internet protocols and policies.
The Domain Name System (DNS) translates domain names in email and web addresses, such as isc.org, into IP addresses. As such it enables the functioning of email, the web, and other Internet services. It has become increasingly critical as the Internet has grown. However, security for the DNS has not kept pace with its importance, leaving nameservers vulnerable to a number of attacks that can cripple the ability of a nameserver to provide data, or allow an attacker to provide false data. Domain Name System Security, 'DNSSEC' in the technical community, is a major step toward addressing these shortcomings and reducing the threat to private and public nameservers on the Internet.
Suzanne Woolf, Software Engineering Manager at ISC, commented, "We were pleased to be able to co-sponsor an event that moves DNSSEC a step closer to becoming a reality. ISC will have a version of BIND that supports DNSSEC ready concurrent with the final release of the standard." BIND, together with its derivatives, is the most popular software implementation of the DNS protocol, running on over 75% of the nameservers on the Internet.
Interoperability is key to the success of any standard. Ted Lindgreen, spokesperson for workshop co-sponsor NL.net Labs, stated, "Real progress was made. We were able to test DNSSEC on different software implementations of the protocol, our own NSD and ISC's BIND. Collaboration is the key." NSD is in use by two root servers and several ccTLDs.
RIPE NCC, the Regional Internet Registry serving Europe, the Middle East, Central Asia and Northern Africa, was the third co-sponsor of the workshop. Olaf Kolkman, workshop attendee and spokesperson for the RIPE NCC, added, "DNSSEC is a technology that will secure one of the Internet's core protocols which, when deployed, will make the Internet a more secure place for businesses and individuals. From that perspective, we have an interest in moving the process along."
While DNSSEC will not become an official, documented Internet standard until it completes the protocol cycle through the IETF, this workshop and the collaborative efforts of all who attended move the process along significantly.