ICANN: We Need DNSSEC Everywhere to Combat Hackers

ICANN has called on Domain Name System (DNS) stakeholders to urgently improve security across all domains to combat a growing threat from attackers.

It wants DNS Security Extensions (DNSSEC) to be rolled out worldwide across all unsecured domain names in response to a wave of new DNS hijacking attacks blamed on Iran.

In these attacks, the hackers used compromised credentials or other means to gain unauthorized access to registrars and other infrastructure providers. They then changed DNS records, replacing the addresses of intended servers with those of machines controlled by the attackers, diverting unwitting netizens.

“This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally 'signing' data to assure its validity,” explained ICANN. “Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.”

The internet oversight body said it wants all members of the DNS ecosystem to work together more closely “to produce better tools and policies to secure the DNS and other critical operations of the internet.”

Although DNSSEC was first deployed in 2010, it has failed to take off, with less than 20% of the world having adopted the specifications, according to APNIC. The APAC regional internet address registry claimed in a blog post in 2017 that, while nearly all registrars are technically compliant, virtually none offer support for creating, maintaining and signing DNSSEC keys and records.

“For DNSSEC to work, the top-level domains need to be signed, and the registrars also need to support signing of DNSSEC keys,” it added. “The security must flow down from the root keys in an unbroken chain to the record sets and hosts listed for a domain; any break in continuity and the DNS records cannot be validated.”
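The "unbroken chain" APNIC describes is built from DS records: each parent zone publishes a hash of its child's key-signing key, and a validating resolver checks every link from the root down. The following is an added illustration, not code from ICANN, APNIC or the article; the zone names, key bytes and the tampered key are constructed placeholders, and only the DS/DNSKEY binding is modelled (RRSIG signature checks are left out).

```python
# Added example (not from the article): the DNSSEC chain of trust. A parent zone
# publishes a DS record, a hash of the child's key-signing key (KSK); a resolver
# that trusts the root key walks DS -> DNSKEY links downward, and a tampered or
# unsigned link fails. Key tag: RFC 4034 App. B; DS digest type 2: SHA-256
# (RFC 4509). All keys below are constructed placeholders, not real key material.
import hashlib
import hmac

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record the parent zone publishes for the child's KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: does the parent's DS bind this child DNSKEY?"""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and hmac.compare_digest(ds["digest"], ds_digest(owner, rdata)))

def chain_validates(chain: list) -> bool:
    """chain: [(owner, dnskey_rdata, ds_from_parent), ...], TLD first; the root KSK
    is the trust anchor and is not itself checked here."""
    return all(ds_matches_dnskey(ds, owner, rdata) for owner, rdata, ds in chain)

# Constructed demo zones, each with a placeholder KSK.
TLD_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")           # key tag 2063
DOMAIN_KSK = dnskey_rdata(257, 8, b"domain-example-ksk-bytes")
CHAIN = [("example", TLD_KSK, make_ds("example", TLD_KSK)),
         ("domain.example", DOMAIN_KSK, make_ds("domain.example", DOMAIN_KSK))]
TAMPERED = dnskey_rdata(257, 8, b"substituted-key-bytes")      # bound by no DS
```

A key swapped at the child zone alone makes `chain_validates` fail because the parent's DS no longer matches; if whoever changed the records can also rewrite the DS at the registrar, the rebuilt chain validates, which is the sense in which ICANN notes that DNSSEC cannot solve all forms of attack against the DNS.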

Source: Information Security Magazine