
ICANN urges adoption of DNSSEC

justpoet

I would've thought this would already have been noted, so this is a few days late, but, here you go.

 

TLDR: ICANN is the organization in charge of all of DNS and the domain name system.  About 10 years ago, they came up with the DNSSEC standard, which in short signs DNS to make it verifiable and trustable via registered encryption keys.  Unfortunately, only about 20% of sites ever implemented it.  Recent hacks and site takeovers/spoofs have been working by targeting DNS and its lack of verifiability.  ICANN is using this, and the recent US government call for upgrading their websites' security, as a reason to call for the full move to DNSSEC of all.  If you are in charge of a website/domain name, or know somebody who is, please urge them to move to DNSSEC.

 

Official ICANN link

https://www.icann.org/news/announcement-2019-02-22-en

 

Some various links to other stories about this:

https://www.networkworld.com/article/3343185/icann-urges-adopting-dnssec-now.html

https://www.infosecurity-magazine.com/news/icann-we-need-dnssec-everywhere-1/

https://www.securitynewspaper.com/2019/02/26/icann-suggests-implementing-dnssec-technology-immediately/

https://www.dailyhostnews.com/icann-dnssec-across-all-domains

 

Quotes from various articles and official announcement:

Quote

Several malicious activities are increasingly targeting the DNS infrastructure. In response to such activities, ICANN has called for full deployment of DNSSEC (DNS Security Extensions) across all the unsecure domain names.

Quote

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

Quote

To be specific, what ICANN proposes is to perform a complete implementation of the DNS Security Extensions (DNSSEC) on all unsecured domain names. The DNS system is the part of the Internet infrastructure worldwide that is responsible for moving the names of sites in common language to IP addresses needed to access websites, use email platforms, etc. DNSSEC would try to implement a new security layer for DNS.

DNSSEC technologies have existed for almost 10 years, although they are not yet widely used. According to network security specialists, less than 20% of DNS registrars worldwide have implemented this technology. It is believed that the adoption of DNSSEC has been delayed because it could reduce functionality in favor of improving security measures, and that DNSSEC was always considered an option, not as a security requirement.

Quote

According to ICANN, the total implementation of DNSSEC technology ensures that end users access legitimate online websites and services. “While this is not a solution to all Internet security issues, DNSSEC would provide additional protection to a critical sector,” adds ICANN.

Quote

“Some recent cyberattacks have focused on DNS; hackers make some changes to the domain name structure without authorization, so you can perform various malicious activities. DNSSEC technology is fully functional against this type of attack,” says ICANN.

 

Official Info about DNSSEC

https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

 

One example of what this would prevent that's been in the news lately:

https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/

 

In short, they would spoof DNS to redirect automatic certificate change checks, and take over the TLS/SSL certificates, making the fake site look 100% legit and encrypted with the official certificate.

Link to comment

Kind of an important note: This is a different use case than the "DNS over TLS/SSL" stuff that has been in the news recently with things like Cloudflare's implementation with 1.1.1.1. This is less of "Make sure that no one can see what DNS entries you are looking up" and more of "Make sure that the results you get from DNS aren't being tampered with by someone between you and the DNS server".

Link to comment

Would it be possible to put DNSSEC as part of everyday Linux updates?


Link to comment

On 3/1/2019 at 12:17 PM, williamcll said:

Would it be possible to put DNSSEC as part of everyday Linux updates?

Depends on what you mean by "everyday Linux updates". DNSSEC is something that needs to be enabled on the DNS servers, and it requires some configuration. It's not really something you can push out in an update and it will be enabled.

Link to comment
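
Added example, not part of the original thread: what the server-side configuration mentioned in the reply above can look like, assuming BIND 9.16 or later. The zone name `example.com`, the file path and the recursion ACL are placeholders.

```conf
// Constructed example for BIND 9.16+ (named.conf). Names and paths are placeholders.

// 1) Recursive resolver: validate signed answers against the built-in
//    root trust anchor. Responses that fail validation are returned to
//    clients as SERVFAIL instead of being passed on.
options {
    recursion yes;
    allow-recursion { localhost; };
    dnssec-validation auto;    // with "no", signatures are never checked
};

// 2) Authoritative server: sign the zone and let BIND generate keys,
//    maintain RRSIG records and re-sign before signatures expire.
zone "example.com" {
    type primary;
    file "zones/db.example.com";
    dnssec-policy default;     // built-in key and signing policy
    inline-signing yes;        // keep the unsigned zone file as the source
};
```

Signing the zone is only half of the chain: the zone's DS record also has to be published in the parent zone through the registrar, and until it is, validating resolvers treat the zone as unsigned.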