Tuesday, 22 June 2010 08:48 in Blogs, Current Events by Jart Armin

In recognition of the serious concerns about the vulnerability of the DNS system as a whole, Rod Beckstrom (ICANN's CEO) chaired the panel himself, with virtually all 1,200 or so ICANN meeting attendees present. Also on the panel were Whit Diffie, one of the fathers of public key encryption; Paul Mockapetris, designer of the original DNS; Steve Crocker, chairman of ICANN's Security and Stability Advisory Committee; and Dan Kaminsky, famous for exposing how DNS could be exploited.
Primarily this session centered on DNSSEC (short for DNS Security Extensions), which is intended to add security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide:
1. Authentication of DNS data
2. Data integrity
3. Authenticated denial of existence
These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.
It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). In order to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).
Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By validating the signature, a DNS resolver can verify that the data it received is identical (correct and complete) to the data held by the authoritative DNS server.
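As an added illustration (not code from the post or from ICANN), the script below builds the kind of query just described, a question plus an EDNS0 OPT record with the DO bit set, checks whether an existing query asks for DNSSEC, and reads the AD and CD header flags back from a response header; the constants are the wire values defined in the RFCs cited above, and the sample messages are constructed inline.

```python
import struct

# Wire constants from RFC 2671 (EDNS0 OPT RR), RFC 3225 (DO bit) and RFC 4035 (AD/CD flags).
TYPE_OPT = 41      # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000    # DNSSEC OK bit in the OPT record's TTL field
FLAG_AD = 0x0020   # Authenticated Data header flag
FLAG_CD = 0x0010   # Checking Disabled header flag

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire-format labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg: bytes, pos: int) -> int:
    """Offset just past a wire-format name (handles 0xC0 compression pointers)."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def build_dnssec_query(name, qtype, txid=0x1234, udp_size=4096, do=True):
    """Query with RD set, one question and an EDNS0 OPT RR; DO=1 asks for DNSSEC RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def parse_header_flags(msg: bytes) -> dict:
    """Read AD, CD and RCODE from a message header (AD = resolver validated the data)."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}

def query_requests_dnssec(msg: bytes) -> bool:
    """Walk a query's question and additional sections; True if its OPT RR sets DO."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    if an or ns:
        raise ValueError("only plain queries (no answer/authority RRs) are handled")
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                   # skip QTYPE + QCLASS
    for _ in range(ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return False
```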
DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.
Summing up the discussion, Steve Crocker explained that there are two very broad classes of threats.
“One is that the information is going to be modified or corrupted. And the other is that the systems are going to be made unavailable by denial of service attacks. So if you take those two pairs and, you know, all the combinations, DNSSEC closes big holes in one-quarter of that space, that is, it protects the information during the lookup side. It does not do anything to protect the information about being put in.”
“If incorrect information is put into the system or is modified at registration, then you're in trouble. And in either case, if the registration side or the lookup side is attacked from a denial of service attack or taken down in some other way, DNSSEC doesn't help at all.”
So basically DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS attacks.
The panel and contributors added that one of the things we are seeing a lot of is corruption of information on the registration side: everything from theft and hijacking of domain registrations to modifications in the databases and so forth.
There are a remarkable number of organizations that are responsible for the correctness of the information. You have registries, you have registrars. Every one of the top-level domains is run by a different organization. And then you have a hierarchy of registrars and their subordinate organizations, resellers and so forth.
As is common in any kind of system that involves that many different organizations, there is quite a variation in the quality of those operations, and there are also pecuniary motives that lead some of these organizations to look for ways to enhance their revenue, perhaps not always to the advantage of the people they are supposedly trying to serve, that is, their registrants.
So it is important to raise the standards, shine quite a strong light on that class of operations, and try gradually to improve the standards, not so much in a formal technical sense, but the standards of conduct, if you will, and the quality in the marketplace, so that it becomes a trusted marketplace rather than one that is inherently distrusted.
So basically DNSSEC does provide greater assurance that the domain you type in is the real one, but it does not provide confidentiality of data. Furthermore, DNSSEC does not protect against DDoS attacks.
By Jart Armin, reporting from ICANN's 38th International Meeting, Brussels