NIST Aids Enhancement of the Security and Stability of the Internet’s Domain Name System

On July 15, 2010, two Department of Commerce Agencies—the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA)—announced the completion of a major initiative to enhance the stability and security of the Internet.

The announcement marks full deployment of a security technology—Domain Name System Security Extensions (DNSSEC)—at the Internet’s authoritative root zone. The accomplishment will help protect Internet users against phishing and other types of cyber attacks. The Domain Name System (DNS) is akin to a global address book for the Internet. The authoritative root zone of the DNS is at the top level with links to addresses in lower-level books for individual countries (e.g., .us) and affinity groups (e.g., .edu).

“Improving the trustworthiness, robustness and scaling of the Internet’s core infrastructure is an activity that lines up strongly with NIST's mission, and we have been contributing to design, standardization and deployment of DNSSEC technology for several years,” said NIST Director Patrick Gallagher. “The deployment of DNSSEC at the root zone is the linchpin to facilitating its deployment throughout the world and enabling the current domain-name system to evolve into a significant new trust infrastructure for the Internet.”

The DNS is a critical component of the Internet infrastructure. “Every instance of communication over the Internet relies on the DNS to translate user-friendly domain names (e.g., www.nist.gov) into Internet Protocol address (e.g., 129.6.13.45) necessary to route data to its destination, says Doug Montgomery, manager of NIST’s Internet and Scalable Systems Metrology Group.

“DNSSEC enables clients to cryptographically verify that each such translation is provided by a server with the authority to do so, and that the translation response from the server was not modified before reaching the client,” Montgomery said. “Without DNSSEC, it is relatively easy for third parties to purposefully manipulate DNS translations services— so as to redirect traffic or forge sites.”

DNS data authenticity is essential to Internet use. For example, it helps to ensure that Internet users are not unknowingly redirected to bogus and malicious websites.

The DNS was not designed with strong security mechanisms. Technological advances have made it easier to exploit vulnerabilities in the DNS protocol, putting DNS data at risk. Deploying DNSSEC, which is a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS, mitigates these vulnerabilities.

A main benefit of installing DNSSEC at the root zone is to facilitate greater DNSSEC deployment throughout the rest of the global DNS hierarchy.