Out of ICANN: ‘barrier’ now spelled ‘dnssec’

While more was made of the announcement of domains in non-Latin characters, there is another item which wasn’t covered nearly as much as it should have been: DNSSEC is going to be deployed in January. In short, ‘DNS’ is the system that translates domain.com into the numerical address on the internet where the server for that alphanumeric domain name resides. The ‘SEC’ part is a security extension that digitally signs these names, providing a level of assurance that the names we type in are indeed being pointed correctly.
This is something we’ve needed for some time. Much like email, DNS was built with little security in mind as the initial systems were created for a small, clustered group of people to use in government and education institutions. Once the sweaty masses got our hands on these systems, spam, phishing, and any number of other nefarious elements came about.
What’s unfortunate is how this system is being both implemented and released. For starters, it is being released in January, before the release of the non-Latin character domains. So, what happens if this system blows up? The extended character domain release is obviously going to be delayed. Is it going to blow up? Probably to a certain degree. The obstacles to making it work well are all possible to overcome, but it’s going to be an immense strain on our DNS network for the following reasons:
– Additional communication between servers to authenticate and distribute the keys
– Additional data needed to be stored in the root servers for the millions of domains in existence
– Additional bandwidth needed for lookups.
Rebecca Wanjiku picked up on this last element in an article she published recently. It’s a definite concern. Just like how all this cloud business is going to create new barriers for participation in low bandwidth areas of Africa, so too will DNSSEC. A basic zone file is a minimum of 512 bytes or half a kilobyte. I have yet to find any hard data on the size of the digital keys, but it’s going to increase the size of these lookups a great deal. Let’s just say that they’re using a 128 alphanumeric key. That requires an extra kilobyte of transport space thus making a secured, DNSSEC request 1.5kb. For those on broadband, this is nothing. For those on anything less, this is crippling as it needs to be made for every new domain request. If you’re on the equivalent of a dialup connection running at 56kbs, you get 7kb of bandwidth, meaning that DNS requests are going to hog up 21% of your available bandwidth! In addition to this, there are two more pings to the DNS server in order for the authentication process to function which means if you have a connection with high latency, you’re also going to be hurting.
I have to admit that it’s been a while since I’ve done straight IT work and had to deal with the math involved in making DNS and all that work, so if anyone has any hard data and wants to gently (or forcefully) correct me on what I’m guesstimating, please do. I would very much love to be shown the light, especially if it drives the numbers quite far one way or the other from what I’ve tallied up.
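For the size estimate above, an added example (not part of the original post) that computes the wire size of a single A-record answer with and without a DNSSEC signature, using the record layouts in RFC 1035, RFC 4034 and RFC 6891. The name, zone, RSA key size and link speed are constructed assumptions, and it models only one signed answer, not the extra DNSKEY/DS lookups a validating resolver makes.

```python
HEADER = 12  # fixed DNS message header, in bytes (RFC 1035)

def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name

def question_size(name: str) -> int:
    return len(encode_name(name)) + 4  # QNAME + QTYPE(2) + QCLASS(2)

def rr_size(owner_len: int, rdata_len: int) -> int:
    # owner + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA
    return owner_len + 10 + rdata_len

def rrsig_rdata_size(signer: str, sig_bytes: int) -> int:
    # RFC 4034 sec. 3.1: 18 fixed bytes, uncompressed signer name, signature
    return 18 + len(encode_name(signer)) + sig_bytes

def response_sizes(name: str, zone: str, rsa_bits: int):
    """Return (plain, signed) response sizes in bytes for one A record."""
    owner = 2  # compression pointer back to the question name
    plain = HEADER + question_size(name) + rr_size(owner, 4)  # IPv4 = 4 bytes
    # An RSA signature is as long as the key modulus (assumed key size).
    signed = plain + rr_size(owner, rrsig_rdata_size(zone, rsa_bits // 8))
    signed += 11  # EDNS0 OPT pseudo-record that carries the DO bit
    return plain, signed

def seconds_on_link(size_bytes: int, link_bits_per_s: int) -> float:
    """Transmission time of one response on a link of the given speed."""
    return size_bytes * 8 / link_bits_per_s

if __name__ == "__main__":
    # Constructed inputs: example name, assumed 1024-bit RSA zone key,
    # and a 56 kbit/s dial-up link.
    plain, signed = response_sizes("www.example.com", "example.com", 1024)
    print(f"plain answer : {plain} bytes")
    print(f"signed answer: {signed} bytes")
    print(f"signed answer on 56k link: {seconds_on_link(signed, 56000):.3f} s")
```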

Funny, does this payoff smell like Redmond?

Now, while some security on the internet has to happen at some point, why does it have to happen now? Why can’t it wait another two years for more broadband deployment to make this so, so much less of an issue? I’m going to put on my conspiracy hat for a minute (yes, it’s made of tinfoil.) There’s something interesting that people haven’t linked up just yet. Windows 7 has just been released. That’s not really news at this point, but what is news is the fact that Windows 7 has been built to take advantage of DNSSEC out of the box. This is being celebrated as something great and it most definitely is as Windows has been a notoriously insecure operating system for a long time.
But here’s the thing. A lot of people will undoubtedly upgrade to Windows 7 through the end of this year as they buy new computers. Again, not a big deal as this is a pretty regular thing. But it just happens that DNSSEC is going to be thoroughly deployed on the 20 root nameservers around the world in January. In January, Apple has its MacExpo to show off new products. As far as I’ve read, DNSSEC is not a core part of OS X or OS X Server and as time goes on, this secure DNS is going to become quite important in securing the internet. Wouldn’t it take a great deal of wind out of Apple’s “I’m a Mac and I’m a PC” campaign if suddenly Windows had the edge in security? Yes, yes it would.
So, am I saying that it’s possible for Microsoft to have “pushed” some folks at ICANN to release DNSSEC at this specific time to bring back into the fold those who have strayed from the Microsoft flock? Yes, yes I am, because honestly, I have a very hard time trusting ICANN as, despite the US relaxing its oversight lately, it still is a US institution with not nearly the amount of transparency needed for a group that controls access to the sum of our digital knowledge.

A “fix” maybe?

It wouldn’t be surprising for Microsoft to put marketing ahead of its potential users in low bandwidth regions like Sub-Saharan Africa, which is why Google is going to thrash them as the internet is more and more available. But the one singular thing that could make all of this a great deal better would be to offer the option not to use DNSSEC and just use standard DNS. Something along the lines of an option button in the Security Center next to, “Thanks, I’ll monitor my DNS queries myself.” Or better yet, have a system that is able to detect your bandwidth and adjust things such as this accordingly. And there you go, what could be a potential barrier to countless millions, sidestepped for the time being until bandwidth is more available.