The Domain Name System (DNS) plays a central role in the Internet infrastructure. It serves as the phone book of the Internet, translating human-friendly domain names into the numeric IP addresses that networking devices need to address and locate each other.
For instance, the domain name www.example.com translates to numerical addresses 126.96.36.199 (IPv4) and 2620:0:2d0:200::10 (IPv6). This makes it easy for the public to use the Internet.
DNS was, however, not designed with security in mind; the emphasis was on resilience and scalability. As the Internet has evolved, DNS has become a target for attacks that undermine its availability and integrity.
The cache of a DNS resolver can be “poisoned” with forged records, and a resolver that accepts a forged answer hands it to every client it serves. As a result, e-mail can be rerouted, voice over IP calls can be tapped by third parties, users may end up on a phishing site instead of their online banking site, and so on.
These vulnerabilities have led to the development of Domain Name System Security Extensions (DNSSEC), a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS.
DNSSEC provides the ability to validate the authenticity and integrity of DNS messages. In other words, it provides a mechanism for detecting falsified DNS information.
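To make the detection mechanism concrete, here is an added example (not code from the original page or from any of the projects it mentions) of the core of DNSSEC validation as a resolver performs it: an A RRset for www.example.com is put into canonical wire form, signed into an RRSIG with Ed25519 (DNSSEC algorithm 15, RFC 8080), and validated against the matching DNSKEY; then one address is swapped out, as a cache-poisoning attacker would do, and validation of the tampered RRset fails. The records, the key pair, the timestamps and the addresses (from the RFC 5737 documentation ranges) are all constructed for the example; only the wire formats and the key-tag computation follow RFC 4034.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strings"
)

const (
	typeA      = 1
	classIN    = 1
	algEd25519 = 15  // RFC 8080
	dnskeyZSK  = 256 // DNSKEY flags with only the Zone Key bit set
)

// RR is one A record; RData holds the 4-byte IPv4 address.
type RR struct {
	Name  string
	TTL   uint32
	RData []byte
}

// RRSIG holds the RDATA fields of RFC 4034 section 3.1; Sign fills KeyTag and Signature.
type RRSIG struct {
	TypeCovered uint16
	Algorithm   uint8
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32
	Inception   uint32
	KeyTag      uint16
	SignerName  string
	Signature   []byte
}

// wireName encodes a domain name in canonical (lowercase) wire form (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var buf bytes.Buffer
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label == "" {
			continue
		}
		buf.WriteByte(byte(len(label)))
		buf.WriteString(label)
	}
	buf.WriteByte(0)
	return buf.Bytes()
}

// canonicalRR serialises one RR with its TTL replaced by the RRSIG's Original TTL.
func canonicalRR(rr RR, origTTL uint32) []byte {
	var buf bytes.Buffer
	buf.Write(wireName(rr.Name))
	binary.Write(&buf, binary.BigEndian, uint16(typeA))
	binary.Write(&buf, binary.BigEndian, uint16(classIN))
	binary.Write(&buf, binary.BigEndian, origTTL)
	binary.Write(&buf, binary.BigEndian, uint16(len(rr.RData)))
	buf.Write(rr.RData)
	return buf.Bytes()
}

// signedData is the byte string that is signed and verified (RFC 4034 section 3.1.8.1):
// RRSIG RDATA without the Signature field, followed by the RRs in canonical order.
func signedData(s RRSIG, rrset []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, s.TypeCovered)
	buf.WriteByte(s.Algorithm)
	buf.WriteByte(s.Labels)
	binary.Write(&buf, binary.BigEndian, s.OrigTTL)
	binary.Write(&buf, binary.BigEndian, s.Expiration)
	binary.Write(&buf, binary.BigEndian, s.Inception)
	binary.Write(&buf, binary.BigEndian, s.KeyTag)
	buf.Write(wireName(s.SignerName))
	rrs := append([]RR(nil), rrset...)
	sort.Slice(rrs, func(i, j int) bool { return bytes.Compare(rrs[i].RData, rrs[j].RData) < 0 })
	for _, rr := range rrs {
		buf.Write(canonicalRR(rr, s.OrigTTL))
	}
	return buf.Bytes()
}

// dnskeyRData is flags || protocol (always 3) || algorithm || public key.
func dnskeyRData(pub ed25519.PublicKey) []byte {
	return append([]byte{dnskeyZSK >> 8, dnskeyZSK & 0xff, 3, algEd25519}, pub...)
}

// keyTag implements the checksum of RFC 4034 Appendix B over the DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i&1 == 1 {
			ac += uint32(b)
		} else {
			ac += uint32(b) << 8
		}
	}
	ac += (ac >> 16) & 0xffff
	return uint16(ac & 0xffff)
}

// Sign produces the RRSIG; Ed25519 in DNSSEC signs the data directly, without prehashing.
func Sign(priv ed25519.PrivateKey, sig RRSIG, rrset []RR) RRSIG {
	sig.KeyTag = keyTag(dnskeyRData(priv.Public().(ed25519.PublicKey)))
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrset))
	return sig
}

// Validate is the check a validating resolver applies to an answer, its RRSIG and the DNSKEY.
func Validate(pub ed25519.PublicKey, sig RRSIG, rrset []RR, now uint32) bool {
	if sig.Algorithm != algEd25519 || sig.KeyTag != keyTag(dnskeyRData(pub)) {
		return false
	}
	if now < sig.Inception || now > sig.Expiration { // validity window, RFC 4035 section 5.3.1
		return false
	}
	return ed25519.Verify(pub, signedData(sig, rrset), sig.Signature)
}

// Demo signs a constructed RRset, validates it, then validates a poisoned copy.
func Demo() (genuine, poisoned bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed zone key, not example.com's real key
	rrset := []RR{
		{"www.example.com.", 3600, net.ParseIP("192.0.2.10").To4()},
		{"www.example.com.", 3600, net.ParseIP("192.0.2.11").To4()},
	}
	sig := Sign(priv, RRSIG{TypeCovered: typeA, Algorithm: algEd25519, Labels: 3, OrigTTL: 3600,
		Inception: 1_700_000_000, Expiration: 1_700_000_000 + 14*86400, SignerName: "example.com."}, rrset)
	now := uint32(1_700_000_000 + 3600)
	genuine = Validate(pub, sig, rrset, now)
	forged := []RR{rrset[0], {"www.example.com.", 3600, net.ParseIP("198.51.100.66").To4()}}
	poisoned = Validate(pub, sig, forged, now) // attacker swapped one address but cannot re-sign
	return
}

func main() {
	g, p := Demo()
	fmt.Printf("genuine RRset validates: %v\nforged RRset validates:  %v\n", g, p)
}
```

The forged RRset fails because the signature covers the canonical form of every record in the set, so changing one address changes the signed bytes. What the example leaves out, and what a real resolver must also do, is the chain of trust: the DNSKEY itself is verified against a DS record in the parent zone, up to the root zone's trust anchor.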
DNSSEC was first deployed at the Internet’s authoritative root zone in July 2010. This is expected to facilitate greater DNSSEC deployment throughout the Internet.
Even though DNSSEC is being introduced at the infrastructure level, end users do not yet benefit fully from it, because most user-level software, such as operating systems, web browsers, e-mail servers and VoIP clients, is not yet DNSSEC-aware.
To speed up the introduction of DNSSEC, the Netherlands-based charity NLnet Foundation has created a global fund where open source projects can apply for grants to work on DNSSEC in their Internet applications.