April 7, 2005

DNSSEC - Will It Create A New Vulnerability?

I see that ICANN's so-called security committee has decided to move forward with deployment of DNS Security (DNSSEC [beware - may take a long time to reach if you don't have IPv6 connectivity]) in the legacy set of root servers. That's probably a good idea.

However, I have a concern that DNSSEC will then be uncritically adopted by the big (and frequently changing) zones - .com, .net, .de, .ewe... without answering the following question:

How long will it take to do a cold restart of a name server if it has to load a large (e.g. .com sized) signed zone?

It has long been public knowledge that a successful attack on TLD servers will have a larger impact than a successful attack on root servers.

In many emergency situations the most pressing need is for fast recovery of communications services.

So the question is this: How long would it take to recover a large DNSSEC signed zone (e.g. .com) should its servers be compromised and have to be reloaded afresh?

If the time is large then the effects of a successful attack on a signed TLD would be exacerbated by the extended time to recover.

Posted by karl at April 7, 2005 9:32 AM