InternetNZ studies potential DNS attack cure

Digital signatures on DNS root zone could introduce new vulnerabilities

New Zealand’s domain name system is unlikely to be protected by digital signatures in the near future, despite moves in the US and elsewhere to implement protocols to make this happen.

InternetNZ’s executive director, Keith Davidson, says New Zealand is moving towards introducing the protections, called domain name and addressing system security extensions (DNSSEC). However, he says the technology is not yet stable or usable.

Davidson says implementing DNSSEC would allow people to come inside the DNS zone and introduce the possibility they could move up and down the file in what he calls a “dictionary-type attack”.

“If someone went to, for example, as part of signing, the root will also give the record before and the record after,” he says.

This could enable them to move from one record to another.

The root zone is the master list of where computers can go to look up an address in a particular domain such as “.com”. The DNS translates website names into Internet Protocol (IP) addresses so that a website can be found.

However, several security problems within the DNS make it possible for hackers to supply a different IP address to launch a phishing attack. The most serious of these DNS vulnerabilities was revealed in July by security researcher Dan Kaminsky.

Nearly all DNS software is vulnerable to the attack.

Davidson says InternetNZ, which manages New Zealand’s address system, is watching developments in Sweden, which implemented DNSSEC early and is fixing its flaws.

“Sweden is the test case we are all watching,” he says.

Davidson says DNSSEC only becomes really useful when the actual root of the internet, managed by IANA, is signed as well.

“Is it wanted and are people willing to pay for it?” he asks, adding that a process for users to lock their own key will be required.

Davidson says once deployment starts it is relatively straightforward, but that could be a year or more away.

Some top level domains, such as or the new banking address, might want to move earlier on digital signatures, he says.

“It may come in through people who most want to be trusted.”

To get the full benefits of DNSSEC, domain name registrars, domain name registries, internet service providers and others would have to upgrade their software.

Users’ systems would also have to be configured to verify their digital signatures.

— Additional reporting by Jeremy Kirk
