Networking: DNSSEC


LSU DNSSEC:  DNS Security Extensions

What is DNSSEC?

In short: A secure domain name resolution system.

The Domain Name System (DNS) was not designed with security in mind.  Many Internet protocols have changed from their original design to accommodate changes needed for protection against the not-so-honest script junkies out in the world today.  Many protocols, that is, excluding the DNS.  We all rely on the DNS for the most basic of services and functionality and, for the most part, it has remained safe from the brunt of mass attacks.  But when the focus changes to this vulnerable system, the world notices.  Some time ago, 15 years now, plans started in the hopes of adding security to this vital protocol: introducing DNSSEC.

DNSSEC (DNS Security Extension) is an addition to the original DNS protocol rather than a complete rewrite.  It has three main purposes: prove origin of authenticity; provide authenticated denial of existence; and ensure data integrity.  What it does not provide is confidentiality, since the purpose of the DNS is to provide answers rather than obscurity.  

The extension introduces public key cryptography to all requests ensuring only verified responses are handed to clients.   This basically means that when you type "www.lsu.edu" into your address bar to register for classes and pay your fee bill, you will know without a doubt that you are visiting our website and were not caught by a cache poisoning scheme designed to steal your personal information or credit card information.

Many articles and how-to's can be found on the Internet for the explanation, history, and execution of DNSSEC.  A particularly good one can be found at Verisign's site.  Verisign has been decidedly involved with DNSSEC rollout.  They partnered with EDUCAUSE, who is, among other things, the registrar of the top-level domain .edu, to conduct a testbed for DNSSEC.  LSU participated and contributed to the testbed in 2009.
 

What does this mean for LSU?

In short: Longer name change turn-around.

In order to ready our campus for DNSSEC implementation, some small yet important infrastructure changes will be required.  Due to these changes, modifications to names will no longer be instantaneous.

The DNS servers can not be authoritative AND validating at the same time.  We must now introduce new recursive servers that only answer your queries and validate those queries while the current servers will remain as authoritative only.

These new recursive servers introduce a lag time for name changes within our system.  We make changes to our authoritative name servers.  The recursive, validating servers will only look for changes upon expiration of the TTL.  The default TTL for LSU is 24 hours.  In emergency situations, we can "push" out changes.  Otherwise, planned name changes will protect you from service outages.
 

What should I expect as an end-user?
In short: Peace of mind.


Once deployed, you will know with certainty that your personal information is not being collected by a hacker pretending to be the LSU Office of Bursar Operations.

Most of the work done in regards to DNSSEC has been focused on the server side.  Not much has been done on the client side: no alerts, no flags, no golden lock.  

Firefox, one popular web browser, has developed an add-on to illustrate DNSSEC validation much like the familiar SSL certificate icon found in the bottom corner of the window.  Now that DNSSEC is gaining speed and recognition, the assumption is that development will quickly begin to close this gap.  Until this happens, however, you will simply get a "Page Not Found" error message when browsing to a site that failed DNSSEC validation.

While the end-user applications catch up to the technology, rest assured that any authoritative information issued out by LSU's name servers is the correct information.

14500
3/22/2024 3:36:28 PM