2010/08/16 16:36:00

Domain Name System Security Extensions (DNSSEC)

To secure DNS, deployment of the Domain Name System Security Extensions protocol (DNSSEC) is planned. Its implementation is necessary to protect against attacks on DNS servers.

Principle of protection of DNS

The DNSSEC protocol is built on digitally signing the replies to requests. The administrator of a domain zone that supports this technology holds a private key which, using cryptographic algorithms, allows the digital signature to be generated. Clients, in turn, receive the public key corresponding to the private one. The client's key makes it possible to check the validity of the digital signature. A reasonable question arises: how is it that the public key allows the authenticity of the signature to be verified, but does not make it possible to generate it? Of course, there is no strict theoretical prohibition, but for sufficiently long keys the task becomes as hard as one likes. In other words, it is possible to break a key, but with the current state of technology this would require an amount of computing resources that is unavailable in practice.

Thus it is clear that the protection of DNS can in theory be cracked, as any protection can, but in practice this is not yet achievable. It should be noted, however, that DNSSEC makes the work of hackers harder but does not give 100% protection, since attackers' techniques do not stand still either. Nevertheless, according to experts, this protection system can help against viruses such as Kido, which caused the most widespread epidemic of 2008 - 2009.
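The sign-with-private-key, verify-with-public-key principle described above, as an added example that is not part of the original article. It uses Go's standard-library Ed25519 (which DNSSEC does support as algorithm 15, although the article itself names no algorithm). The RRset, zone name and the simplified canonical form are constructed for illustration and stand in for the real RFC 4034 wire-format canonicalisation; the point shown is that a resolver holding only the public key can confirm an unmodified answer and reject a modified one or one signed by some other key, but cannot produce a signature itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type, TTL and RDATA as text.
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// canonicalRRset renders an RRset in a deterministic form before signing:
// owner names lower-cased, records sorted, one record per line.
// (Constructed stand-in for the RFC 4034 canonical wire form.)
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone administrator's step: only the private key can do this.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// VerifyRRset is the resolver's step: the public key alone suffices to check the signature.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo signs a constructed NS RRset and reports whether verification succeeds for
// (1) the original answer, (2) an answer modified after signing, and
// (3) the original answer checked against a key that did not sign it.
func Demo() (okOriginal, okTampered, okWrongKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample RRset (not real zone data); mixed case shows canonicalisation.
	rrs := []RR{
		{Name: "example.test.", Type: "NS", TTL: 3600, RData: "ns1.example.test."},
		{Name: "EXAMPLE.test.", Type: "NS", TTL: 3600, RData: "ns2.example.test."},
	}
	sig := SignRRset(priv, rrs)

	okOriginal = VerifyRRset(pub, rrs, sig)

	// An answer altered in transit (one NS pointed elsewhere) must fail validation.
	tampered := []RR{
		rrs[0],
		{Name: "example.test.", Type: "NS", TTL: 3600, RData: "ns2.elsewhere.test."},
	}
	okTampered = VerifyRRset(pub, tampered, sig)

	// The same unmodified answer, checked with a key that did not sign it.
	okWrongKey = VerifyRRset(otherPub, rrs, sig)
	return
}

func main() {
	ok, bad, wrong := Demo()
	fmt.Printf("original verifies: %v | modified verifies: %v | wrong key verifies: %v\n", ok, bad, wrong)
}
```

Running it prints `original verifies: true | modified verifies: false | wrong key verifies: false`. The canonicalisation step matters in practice: without a fixed ordering and case folding, two resolvers could compute different byte strings for the same RRset and one of them would reject a perfectly good signature.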

Use in the world

At the moment the DNSSEC system is already in use in Switzerland and Bulgaria. There are plans to extend it to other zones, including .ru, .su and the recently introduced .рф. This is expected to happen around the end of 2011. In January 2010, deployment of the new protocol on the 13 root servers began, and today this process is complete. For now, the root zone signing procedure is of a test nature.

In addition, the process of implementing DNSSEC requires considerable financial investment. Supporting the protocol requires replacing software and hardware on both the server and the client side. According to RBC daily, the transition to DNSSEC in Russia could cost as much as 100 million dollars.

DNSSEC and load of network

It should also not be forgotten that implementing the new protocol will increase the volume of transmitted data, almost twofold. For example, a request for the list of servers serving the .ru zone will return not 257 bytes but 440 in reply. The difference is noticeable. And if the packet size exceeds 512 bytes, there can be problems receiving it. Of course, this problem has a solution. If the client computer cannot accept packets larger than 512 bytes, the server compresses them as far as possible. Compression is not unlimited, however, and if the packet is still too big after it, the client automatically switches from the UDP transport protocol to TCP, which has no such restriction.

There can also be other situations that lead to packets being resent between the client and the server, which will increase the load on the infrastructure. In addition, the generation and verification of digital signatures will place extra load on the equipment.
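The 512-byte UDP limit and the fall-back to TCP from the two paragraphs above, as an added example that is not part of the original article. It builds a minimal DNS reply in wire format (header, question, answer records), shows that a constructed ten-record NS answer fits in a classic UDP reply while the same answer plus one RRSIG-sized record does not, and models both sides of the handling: the server sets the TC (truncation) bit and drops the answers, and the client reads TC and retries over TCP. The zone name, record counts and RRSIG contents are constructed; name compression and EDNS0 are deliberately left out so the sizes reflect the plain 512-byte case the article describes.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// UDPLimit is the classic DNS payload ceiling over UDP without EDNS0.
const UDPLimit = 512

// flagTC is the TrunCation bit in the DNS header flags word.
const flagTC = 0x0200

// be16 and be32 render integers in DNS (big-endian) byte order.
func be16(v uint16) []byte {
	b := make([]byte, 2)
	binary.BigEndian.PutUint16(b, v)
	return b
}

func be32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// encodeName converts "ns1.example.test." into uncompressed wire labels.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0) // root label terminates the name
}

// wireRR builds one resource record: NAME TYPE CLASS TTL RDLENGTH RDATA.
func wireRR(name string, rtype uint16, rdata []byte) []byte {
	b := encodeName(name)
	b = append(b, be16(rtype)...)
	b = append(b, be16(1)...)    // class IN
	b = append(b, be32(3600)...) // TTL
	b = append(b, be16(uint16(len(rdata)))...)
	return append(b, rdata...)
}

// Response is a minimal DNS reply: header fields plus raw question and answer RRs.
type Response struct {
	ID       uint16
	Flags    uint16
	Question []byte
	Answers  [][]byte
}

// Wire serialises the reply as the 12-byte header followed by the sections.
func (r Response) Wire() []byte {
	b := append(be16(r.ID), be16(r.Flags)...)
	b = append(b, be16(1)...)                      // QDCOUNT
	b = append(b, be16(uint16(len(r.Answers)))...) // ANCOUNT
	b = append(b, be16(0)...)                      // NSCOUNT
	b = append(b, be16(0)...)                      // ARCOUNT
	b = append(b, r.Question...)
	for _, a := range r.Answers {
		b = append(b, a...)
	}
	return b
}

// SendOverUDP is the server side: a reply that fits in 512 bytes goes out whole;
// otherwise the answers are dropped and TC is set so the client retries over TCP.
func SendOverUDP(r Response) (packet []byte, truncated bool) {
	full := r.Wire()
	if len(full) <= UDPLimit {
		return full, false
	}
	r.Flags |= flagTC
	r.Answers = nil
	return r.Wire(), true
}

// NeedsTCP is the client side: a reply with TC set must be re-requested over TCP.
func NeedsTCP(packet []byte) bool {
	if len(packet) < 12 {
		return false
	}
	return binary.BigEndian.Uint16(packet[2:4])&flagTC != 0
}

// BuildZoneReply constructs a reply listing ten NS records for a constructed zone and,
// when signed is true, one RRSIG-style record (18 bytes of fixed fields, the signer
// name, and a 64-byte signature, i.e. the size of an Ed25519 RRSIG).
func BuildZoneReply(signed bool) Response {
	const zone = "example.test."
	q := append(encodeName(zone), be16(2)...)             // QTYPE NS
	q = append(q, be16(1)...)                             // QCLASS IN
	r := Response{ID: 0x1234, Flags: 0x8180, Question: q} // QR=1, RD=1, RA=1
	for i := 0; i < 10; i++ {
		ns := fmt.Sprintf("ns%d.%s", i, zone)
		r.Answers = append(r.Answers, wireRR(zone, 2, encodeName(ns)))
	}
	if signed {
		rdata := make([]byte, 18) // constructed fixed RRSIG fields (zeroed)
		rdata = append(rdata, encodeName(zone)...)
		rdata = append(rdata, make([]byte, 64)...) // constructed 64-byte signature
		r.Answers = append(r.Answers, wireRR(zone, 46, rdata)) // type 46 = RRSIG
	}
	return r
}

func main() {
	for _, signed := range []bool{false, true} {
		reply := BuildZoneReply(signed)
		pkt, tc := SendOverUDP(reply)
		fmt.Printf("signed=%-5v full=%3d bytes  sent=%3d bytes  TC=%-5v  client retries over TCP=%v\n",
			signed, len(reply.Wire()), len(pkt), tc, NeedsTCP(pkt))
	}
}
```

With these constructed records the unsigned reply is 450 bytes and goes out intact, while adding a single RRSIG pushes the same reply to 570 bytes, so the UDP packet shrinks to a 30-byte header-plus-question with TC set and the client has to open a TCP connection for the real answer. That second round trip, and the TCP state it needs on the server, is exactly the extra load the article is talking about.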

"Creating a digital signature requires additional computing resources from the DNS server signing the message and from the client checking the signature. Since the digital signature increases the volume of information, using the UDP protocol becomes risky in terms of reliability of data transmission, as in some network segments fragmentation of large packets may not be supported, and DNSSEC on the basis of this protocol will simply not work. Therefore DNSSEC is oriented towards using TCP, which can increase the load on some nodes acting as gateways," notes Vitaly Kamlyuk, leading anti-virus expert at Kaspersky Lab.

Thus, it can be concluded that although global protection against attacks on DNS servers has been developed, it is unfortunately not ideal. However, the process of improving DNSSEC in particular, and cryptographic protection in general, is not yet complete.