A lot of problems on the internet today are as old as the internet itself. Some deficiencies were there from the beginning, and it has been difficult or inconvenient to implement change to beef up security.
With all that has happened lately, many larger entities have said “Enough”, and so changes will be rolled out in the first half of this year. No extensions, no more waiting.
DNS hijacking and poisoning have been around since the dawn of time; they just didn’t enter the popular media until the recent high-profile attacks on Twitter and Baidu, and the success of China’s Golden Shield Project. Basically, DNS in its current form is incredibly insecure when compared to corporate infrastructure. With DNS hacks it’s very easy to set up pharming (think ‘farming’ combined with ‘phishing’), where a popular site is redirected to a rogue server. Why infiltrate a heavily-encrypted corporate network when you can simply poison a DNS server?
That’s all about to change with DNSSEC. Between now and May 2010, DNS Security Extensions will be rolled out to the root servers. From there, it’s expected that lower branches of the DNS system will quickly adopt the same security protocols.
In essence, these changes add a new layer of encryption and verification to all changes made to DNS records. When the client requests the IP address of an alphanumeric address, encryption keys are exchanged and the result verified. In theory, the system will sacrifice a little speed, but the slowdown will probably be negligible.
Most people will not complain even if there is some slowing. Knowing that your request will be processed properly gives you something to think about during that split-second difference.
The sad thing is that this will not be the end of it; it merely starts the process for the next revision of hacking.
Imagine that you were looking for a plumber and got this… you could be a victim, but soon no longer.