Lock up your servers and run for the hills for DNSSEC is coming.

DNSSEC is, simply, DNS Security (“shouldn’t that be DNSSec then?” “shut up”): the Domain Name System Security Extensions, which let DNS answers be signed so the computer asking can check they haven’t been tampered with on the way.

Domain Name System? Whazat?

DNS is one of the underpinning internet protocols that allows you to access donkey pron and lolcats when you are pretending to be working.

Every machine on t’internet has a thing called an Internet Protocol (IP) address. This is a special number representing your specific connection to t’internet (you may well have seen one of these, they are usually represented in dotted quad form e.g.

When you try and access an internet address such as http://www.donkeylols.com the first thing your computer does is take the host name part, www.donkeylols.com, look it up via DNS and turn it into an IP address.

It then contacts this IP address and requests the page you have asked for. Simple.

Well, maybe not.

What actually happens (and this is an over-simplified example) is that the DNS lookup is a chain of queries: your computer asks a recursive resolver (usually your ISP’s) and that resolver works its way down from the top of the DNS tree, asking one set of servers after another until something actually answers.

In the first instance we need to know who actually runs donkeylols.com and therefore who can give us the IP address for it.

The Root Zone

This is where the root zone comes in. It is effectively the internet zone above all others, sometimes referred to as “.”.

The root zone is served by a set of root servers located all around the world. Each root server address is anycast, so your query lands on whichever instance is network-nearest (and therefore usually quickest).

So the process to resolve www.donkeylols.com would probably break down as follows (each server either answers or refers you to the next one down):

  • Ask a root server who is responsible for .com
  • Ask the .com server who is responsible for donkeylols.com
  • Ask the donkeylols.com server for the IP address of www.donkeylols.com
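As an added example (my illustration, not code from the author of this post or from any real resolver), here is that walk in Python over a constructed delegation tree. Every name and address below is made up (198.51.100.0/24 and 192.0.2.0/24 are documentation ranges). It also covers the case the list above glosses over: the .com server hands back a name server, ns.hoster.net here, that it cannot supply an address for, so the resolver has to go back to the root and resolve that name first before it can ask the final question.

```python
"""Toy iterative DNS resolution over a constructed delegation tree (added example, not real DNS data)."""

# Constructed authoritative servers: {server_ip: {zone_apex: {(owner, type): [rdata, ...]}}}.
# Every name and address here is made up; 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SERVERS = {
    "198.51.100.1": {"": {                                   # a root server (zone ".")
        ("com", "NS"): ["ns.nic.com"], ("ns.nic.com", "A"): ["198.51.100.2"],   # delegation + glue
        ("net", "NS"): ["ns.nic.net"], ("ns.nic.net", "A"): ["198.51.100.3"],
    }},
    "198.51.100.2": {"com": {                                # the .com server
        ("donkeylols.com", "NS"): ["ns.hoster.net"],         # out-of-bailiwick NS: .com cannot give glue for it
    }},
    "198.51.100.3": {"net": {                                # the .net server
        ("hoster.net", "NS"): ["ns.hoster.net"], ("ns.hoster.net", "A"): ["198.51.100.4"],
    }},
    "198.51.100.4": {                                        # one box hosting two zones
        "hoster.net": {("ns.hoster.net", "A"): ["198.51.100.4"]},
        "donkeylols.com": {("www.donkeylols.com", "A"): ["192.0.2.10"]},
    },
}
ROOT_SERVERS = ["198.51.100.1"]   # a real resolver ships with the root server addresses ("hints")


def suffixes(name):
    """'www.donkeylols.com' -> ['www.donkeylols.com', 'donkeylols.com', 'com', ''] (longest first)."""
    labels = name.split(".") if name else []
    return [".".join(labels[i:]) for i in range(len(labels) + 1)]


def authoritative_answer(server_ip, qname, qtype):
    """What one authoritative server replies: an answer, a referral (NS names plus any glue), or nothing."""
    zones = SERVERS[server_ip]
    apex = next((s for s in suffixes(qname) if s in zones), None)   # longest zone this server serves
    if apex is None:
        return ("refused",)
    records = zones[apex]
    for cut in suffixes(qname):            # is there a delegation between the apex and the name?
        if cut == apex:
            break
        if (cut, "NS") in records:
            ns_names = records[(cut, "NS")]
            glue = {ns: records[(ns, "A")] for ns in ns_names if (ns, "A") in records}
            return ("referral", ns_names, glue)
    if (qname, qtype) in records:
        return ("answer", records[(qname, qtype)])
    return ("nodata",)


def resolve(qname, qtype, depth=0, trace=None):
    """Iterate from the root, following referrals; nested lookups resolve NS names that came without glue."""
    trace = [] if trace is None else trace
    if depth > 4:
        raise LookupError("too many nested name-server lookups")
    servers = list(ROOT_SERVERS)
    for _ in range(16):                    # hop limit guards against referral loops
        server = servers[0]                # the toy just takes the first; real resolvers pick by measured RTT
        reply = authoritative_answer(server, qname, qtype)
        trace.append((server, qname, qtype, reply[0]))
        if reply[0] == "answer":
            return reply[1], trace
        if reply[0] != "referral":
            raise LookupError(f"{qname} {qtype}: {reply[0]} from {server}")
        _, ns_names, glue = reply
        servers = []
        for ns in ns_names:
            if ns in glue:
                servers.extend(glue[ns])
            else:                          # out-of-bailiwick NS: go and resolve its address first
                addrs, _ = resolve(ns, "A", depth + 1, trace)
                servers.extend(addrs)
    raise LookupError(f"{qname}: referral loop")


if __name__ == "__main__":
    addrs, trace = resolve("www.donkeylols.com", "A")
    for hop in trace:
        print(hop)
    print(addrs)
```

Run it and the trace shows six queries for what looked like a three-step job: root, .com, then root again, .net and the hoster box to find ns.hoster.net, and only then the hoster box for www. That detour is why the glue records in the root and .net zones matter, and why a resolver keeps a cache.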


Security and the Like

DNS is an old-school protocol from the earliest days of t’internet, designed with no way for your computer to check who really sent an answer, and so it is subject to a number of security issues.

The most pressing one is DNS spoofing (or cache poisoning). This is where a nasty third party replies to your DNS query (or your resolver’s) before the real server does, with a forged answer; plain DNS gives your computer nothing to tell the forgery from the real thing, so it trusts it and connects to the attacker’s address.

In this way I could redirect requests to donkeylols.com to my offshore hosted Rick Astley Appreciation site thus Rick Rolling you (or I could just be less nasty and direct you to a malware or phishing site).

Signing the root zone is the first link in a chain. Once .com and donkeylols.com are signed too (each parent publishing a DS record that vouches for its child’s key) and your resolver actually checks the signatures, you can be (fairly) sure the address you get back is the one donkeylols.com’s admins published rather than mine, and you will therefore be reaching the legit face of donkeylols.com. Signing the root on its own proves nothing about an unsigned donkeylols.com; and DNSSEC only vouches for the DNS data, so whether the server at that address really is donkeylols.com remains the job of TLS.
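To make that chain of trust concrete, here is an added toy validator (written for this post, not anything the root operators, donkeylols.com or BIND actually run). Lamport one-time signatures over SHA-256 stand in for the RSA/ECDSA algorithms real DNSSEC uses, so it needs only Python’s standard library; the zone names, keys and addresses are all constructed. It walks from a root trust anchor down to the A record, then shows the two failure modes the paragraph above is about: a spoofer serving a fully self-signed fake donkeylols.com (bogus, because .com’s DS does not match their key), and a .com that never published a DS for donkeylols.com (insecure: a signed root and .com prove nothing about www).

```python
"""Toy DNSSEC chain-of-trust validation (added example, not real DNSSEC code or data). Lamport one-time
signatures over SHA-256 stand in for RSA/ECDSA so it runs on the standard library; the chain logic is the same."""
import copy
import hashlib
import os


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport keypair: 256 pairs of random preimages; the public key (the DNSKEY material) is their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, b"".join(H(a) + H(b) for a, b in priv)


def msg_bits(msg):
    return [(int.from_bytes(H(msg), "big") >> (255 - i)) & 1 for i in range(256)]


def sign(priv, msg):
    # Reveal one preimage per bit of the message hash. One-time: each key here signs exactly one RRset.
    return b"".join(priv[i][b] for i, b in enumerate(msg_bits(msg)))


def verify(pub, msg, sig):
    if len(sig) != 256 * 32 or len(pub) != 256 * 64:
        return False
    return all(H(sig[i * 32:(i + 1) * 32]) == pub[(2 * i + b) * 32:(2 * i + b + 1) * 32]
               for i, b in enumerate(msg_bits(msg)))


def canon(owner, rtype, rdatas):
    """Canonical form of an RRset, the bytes an RRSIG covers (record order does not matter)."""
    return owner.encode() + b"|" + rtype.encode() + b"|" + b"|".join(sorted(rdatas))


def build_zone(name, ksk, zsk, rrsets):
    """Sign a zone: the KSK signs the DNSKEY RRset, the ZSK signs the data RRset."""
    rrsets = dict(rrsets)
    rrsets[(name, "DNSKEY")] = [ksk[1], zsk[1]]
    rrsigs = {(o, t): sign(ksk[0] if t == "DNSKEY" else zsk[0], canon(o, t, r))
              for (o, t), r in rrsets.items()}
    return {"name": name, "rrsets": rrsets, "rrsigs": rrsigs}


def authenticate_dnskeys(zone, ds_digests):
    """Trust a zone's keys only if one hashes to a DS the parent signed (or the anchor) and signs the DNSKEY RRset."""
    keys = zone["rrsets"][(zone["name"], "DNSKEY")]
    sig = zone["rrsigs"][(zone["name"], "DNSKEY")]
    msg = canon(zone["name"], "DNSKEY", keys)
    return keys if any(H(k) in ds_digests and verify(k, msg, sig) for k in keys) else None


def verify_rrset(zone, keys, owner, rtype):
    rdatas = zone["rrsets"].get((owner, rtype))
    sig = zone["rrsigs"].get((owner, rtype), b"")
    if rdatas is None:
        return None
    return rdatas if any(verify(k, canon(owner, rtype, rdatas), sig) for k in keys) else None


def validate(zones, trust_anchor, qname, qtype):
    """Walk root -> TLD -> zone like a validating resolver: ('secure'|'bogus'|'insecure', detail)."""
    labels = qname.split(".")
    path = [".".join(labels[i:]) for i in range(len(labels), -1, -1)]   # '', 'com', 'donkeylols.com', qname
    ds_digests = {trust_anchor}
    for i, zname in enumerate(path):       # toy assumption: every label boundary on the path is a zone cut
        zone = zones.get(zname)
        if zone is None:
            return ("bogus", f"no zone data for {zname!r}")
        keys = authenticate_dnskeys(zone, ds_digests)
        if keys is None:
            return ("bogus", f"DNSKEY RRset of {zname!r} is not vouched for by its parent's DS")
        if (qname, qtype) in zone["rrsets"]:
            rdatas = verify_rrset(zone, keys, qname, qtype)
            return ("secure", rdatas) if rdatas else ("bogus", f"RRSIG over {qname} {qtype} fails")
        if i + 1 == len(path):
            return ("bogus", f"{zname!r} has no {qtype} record for {qname!r}")
        child = path[i + 1]
        if (child, "DS") not in zone["rrsets"]:
            return ("insecure", f"{zname!r} publishes no DS for {child!r}: the chain of trust stops here")
        ds = verify_rrset(zone, keys, child, "DS")
        if ds is None:
            return ("bogus", f"DS RRset for {child!r} fails validation")
        ds_digests = set(ds)


def build_example_tree():
    """Constructed sample: made-up names; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges."""
    root_ksk, com_ksk, dl_ksk = keygen(), keygen(), keygen()
    zones = {
        "": build_zone("", root_ksk, keygen(), {("com", "DS"): [H(com_ksk[1])]}),
        "com": build_zone("com", com_ksk, keygen(), {("donkeylols.com", "DS"): [H(dl_ksk[1])]}),
        "donkeylols.com": build_zone("donkeylols.com", dl_ksk, keygen(),
                                     {("www.donkeylols.com", "A"): [b"192.0.2.10"]}),
    }
    return zones, H(root_ksk[1])           # second item: the root trust anchor a resolver is configured with


def demo():
    zones, anchor = build_example_tree()
    legit = validate(zones, anchor, "www.donkeylols.com", "A")
    # A spoofer serves a fully self-signed fake donkeylols.com; its keys never match the DS in .com.
    forged = dict(zones)
    forged["donkeylols.com"] = build_zone("donkeylols.com", keygen(), keygen(),
                                          {("www.donkeylols.com", "A"): [b"203.0.113.66"]})
    spoofed = validate(forged, anchor, "www.donkeylols.com", "A")
    # .com never published a DS for donkeylols.com: a signed root and .com prove nothing about www.
    partial = copy.deepcopy(zones)
    del partial["com"]["rrsets"][("donkeylols.com", "DS")], partial["com"]["rrsigs"][("donkeylols.com", "DS")]
    unsigned = validate(partial, anchor, "www.donkeylols.com", "A")
    return legit, spoofed, unsigned
```

Call demo() and you get secure, bogus and insecure in that order. The only secret a real validator is born with is the root trust anchor; everything else is fetched from the very servers it distrusts and checked against the link above it, which is why a missing DS at any level quietly downgrades the whole answer to “unsigned, believe what you like”.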

There are other potential benefits: DNSSEC doesn’t encrypt anything itself, but a signed DNS gives you a trustworthy place to publish keys and certificate fingerprints for other protocols, which could make opportunistic encryption practical and at least give t’internet the appearance of being a safer place for a little while.

How Does This Affect You (The Reader)?

It doesn’t really, it will all happen behind the scenes in dark rooms filled with flashing terminal sessions.

It’s just one less excuse when it turns out you’ve given your credit card details over to a site specialising in gender reassignment operations.

How Does It Affect Me (Dave)?

Good question and I’m glad you asked. Well… it only really affects me if the lower zones (the kinds of zone I’m responsible for the DNS admin of) decide to jump aboard the good ship DNSSEC.

At that point I will probably have to start generating some keys and maybe reading a HOW-TO or three. Maybe even upgrading BIND from the 1983 vintage I use (I fear change).

Oh and I suppose I’ll eventually have to account for it, and for validation, in my PHP DNS implementation.

