Thales and Infoblox Address Weak DNSSEC Demand

Information systems and communications security vendor Thales has integrated its nShield hardware security module (HSM) with the Infoblox DNS platform to provide customers with simple deployment of Domain Name System Security Extensions (DNSSEC), a security protocol designed to protect the Internet from attacks like cache poisoning.

January 18, 2012

Adoption of DNSSEC within the enterprise has been slow, and according to Cricket Liu, VP of architecture at Infoblox, enterprises have run out of excuses to adopt the technology. The threats DNSSEC protects enterprises from are very real and getting worse. Liu says now is the time for enterprises to start deploying DNSSEC, which is where Infoblox and the Thales nShield integration can help.

"The threat of cache poisoning is very real. We've seen cache poisoning attacks out on the Internet. The consequences are very serious," Liu says. Cache poisoning (also known as DNS poisoning) is an attack in which forged answers are injected into a recursive resolver's cache, so that lookups for a legitimate name return an attacker-chosen address and send users to a site that looks very much like the one they were trying to reach but is under the attacker's control. DNSSEC counters it by letting the resolver check a signature on each answer and discard records that do not validate.

DNSSEC adoption is growing fast, but from such a small base that it remains almost non-existent. According to the sixth annual survey of the DNS infrastructure, adoption soared 340% last year. However, only 0.02% of zones have been DNSSEC-signed, and almost a quarter of those, 23%, failed validation because their signatures had expired. Every DNSSEC signature carries an expiration time, so a zone that is signed once and not re-signed on schedule stops resolving for validating resolvers, an outcome worse than never signing at all.

For a long time, businesses of all sizes have been waiting for the root zone and the top-level zones to deploy DNSSEC. Since the technology works only with a top-down deployment approach (starting with the root and top-level domains such as .com, .net and .org), there was no sense in an enterprise deploying it except for internal use, says Richard Moulds, VP of product management and strategy at Thales e-Security.
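The two mechanisms behind the figures above, the expiring signatures that account for the 23% validation failures and the parent-to-child chain of trust that forces top-down deployment, can both be checked mechanically. Below is an added example in Python (not code from the article, Infoblox or Thales) using only the standard library: it recomputes the DS digest a parent zone publishes for a child's DNSKEY and confirms the link, and it flags RRSIG records that are expired or not yet valid. The zone name example.test, the key bytes, the RRSIG lines and the fixed clock are constructed for illustration, and no signature is cryptographically verified.

```python
"""Two DNSSEC health checks: RRSIG validity windows and the DS -> DNSKEY link.

Added example (not from the article, Infoblox or Thales). Uses only the
standard library. The zone name, key bytes and RRSIG lines below are
constructed for illustration; no real signature is cryptographically verified.
"""
import base64
import hashlib
import struct
from datetime import datetime, timezone


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, ending with the zero-length root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms but 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 s5.1.4).
    digest_type 1 is SHA-1, 2 is SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def publish_ds(owner: str, dnskey: dict, digest_type: int = 2) -> dict:
    """The DS record a parent zone would publish for this child DNSKEY."""
    rdata = dnskey_rdata(dnskey["flags"], dnskey["algorithm"], dnskey["key"])
    return {"key_tag": key_tag(rdata), "algorithm": dnskey["algorithm"],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches(owner: str, dnskey: dict, ds: dict) -> bool:
    """Does the parent's DS authenticate this child DNSKEY? This is the link a
    validator follows top-down from the root; a substituted key fails here."""
    rdata = dnskey_rdata(dnskey["flags"], dnskey["algorithm"], dnskey["key"])
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == dnskey["algorithm"]
            and ds["digest"].upper() == ds_digest(owner, rdata, ds["digest_type"]))


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in presentation format (RFC 4034 s3.2)."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
            "expiration": f[i + 5], "inception": f[i + 6], "key_tag": int(f[i + 7]),
            "signer": f[i + 8]}


def rrsig_status(sig: dict, now: datetime) -> str:
    """'valid' only when inception <= now <= expiration (UTC, YYYYMMDDHHmmSS).
    A validating resolver treats both other states as a failed signature, so a
    zone that is not re-signed before expiration stops resolving for it."""
    to_dt = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if now < to_dt(sig["inception"]):
        return "not-yet-valid"
    if now > to_dt(sig["expiration"]):
        return "expired"
    return "valid"


def audit_rrsigs(lines, now: datetime) -> list:
    """Return (owner, type covered, status) for each RRSIG line."""
    return [(s["owner"], s["type_covered"], rrsig_status(s, now))
            for s in map(parse_rrsig, lines)]


# --- constructed sample data (not a real zone, key or signature) ---
ZONE = "example.test."
SAMPLE_DNSKEY = {"flags": 257, "algorithm": 8,  # KSK, RSA/SHA-256
                 "key": base64.b64encode(b"constructed key bytes, not a real RSA key").decode()}
# "now" fixed to the article's date so the results are reproducible.
NOW = datetime(2012, 1, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    # owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20120215000000 20120116000000 1291 example.test. c29tZS1zaWc=",
    "www.example.test. 3600 IN RRSIG A 8 3 3600 20120110000000 20111211000000 1291 example.test. c29tZS1zaWc=",
    "mail.example.test. 3600 IN RRSIG A 8 3 3600 20120301000000 20120201000000 1291 example.test. c29tZS1zaWc=",
]

if __name__ == "__main__":
    good_ds = publish_ds(ZONE, SAMPLE_DNSKEY)
    last = good_ds["digest"][-1]
    forged_ds = dict(good_ds, digest=good_ds["digest"][:-1] + ("0" if last != "0" else "1"))
    print("parent DS links to child key:", ds_matches(ZONE, SAMPLE_DNSKEY, good_ds))
    print("forged DS links to child key:", ds_matches(ZONE, SAMPLE_DNSKEY, forged_ds))
    for owner, rtype, status in audit_rrsigs(SAMPLE_RRSIGS, NOW):
        print(f"{owner:<20} {rtype:<4} {status}")
```

Running the file shows the genuine DS accepted, the altered DS rejected, and one RRSIG in each of the three states. The digest recomputation is exactly what a validator performs at every delegation from the root downward, which is why an unsigned parent or a missing DS leaves everything beneath it unverifiable, and why the signature audit belongs in the same monitoring that watches certificate expiry.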

"Virtually all of the top-level domains have stepped up to use DNSSEC," Moulds says.

DNSSEC deployment has moved down the hierarchy and is now seeing early adoption by ISPs. Comcast announced the completion of its DNSSEC deployment in early January. As the largest ISP in the United States, its adoption of DNSSEC sets a precedent that others are sure to follow, Liu says. He compares Comcast's adoption of DNSSEC to GoDaddy's full deployment of IPv6 in 2010, which caused the adoption rate of IPv6 to explode from 1.5% to 25% of the market in a single year.

Uptake in the enterprise has been incremental so far, and some businesses (particularly those with websites that process financial transactions and those that fall under various regulatory and compliance requirements) are starting to take notice of DNSSEC. Depending on the type of business and the function of the individual enterprise's website, interest in DNSSEC can be high or low.

There are still a few hurdles to overcome in the deployment of DNSSEC, but some of them are more easily dealt with than others. For instance, not every domain name registrar yet supports DNSSEC, but Liu notes it's a simple process to move a domain name from one registrar to another. In time, support for DNSSEC could be a competitive advantage in the domain name registrar business, he believes.

As enterprises do begin to adopt DNSSEC, which Liu expects to happen more frequently this year, they will look for the easiest way to deploy it. Although IT administrators could do all the work manually, companies like Infoblox present an automated solution to the configuration problem.

When Infoblox systems are used with the Thales nShield HSM, all DNSSEC cryptographic processing happens inside the HSM, and the zone-signing keys whose signatures validators rely on to check the integrity of DNSSEC-protected records never leave it. Moulds says this significantly reduces exposure to cache poisoning, since a forged record cannot carry a valid signature unless the attacker holds the signing key.

"This is a big step that the Internet community has taken to strengthen DNS, which is one of the weakest elements of Internet security," Moulds says.
