DNSSEC Best for the Internet in the Long Run
I recall a year ago when, as a new CEO, I attended some industry events and first brought up the topic of DNSSEC in the .ORG zone. At that time, DNSSEC wasn't as well understood as it is now (notice I did not say it is now well understood), and there were major opponents to DNSSEC in very influential arenas who charged that the DNS did not need anything like DNSSEC and that the time for technology like DNSSEC had come and gone.
We went back to the drawing board, asked ourselves some very tough questions, and still came up convinced that the way to secure the foundation of the Internet – namely the DNS – was through DNSSEC. Since announcing our plans in June to implement DNSSEC, we have naturally been following related news and happenings. As we mentioned in the press release, a new DNS vulnerability has been discovered since our plan was approved.
Based on the current discussion about the Kaminsky attack on the DNS, the Federal Office for Information Security (BSI) in Germany has issued a press release today that is mainly aimed at patching DNS servers, but which also states that the final solution has to be DNSSEC. That distinction matters: the patches make a forged answer harder to slip past a resolver by adding randomness (source-port randomization on top of the 16-bit transaction ID), but they do not let the resolver tell a genuine answer from a forged one; only signed, validated data does that.
The press release states:
"Um das Domain Name System nachhaltig zu verbessern, empfiehlt das BSI die Einführung der DNS-Erweiterung DNSSEC, bei der die DNS-Einträge mittels kryptographischer Verfahren auf ihre Gültigkeit geprüft werden."
The *unofficial* translation:
“To improve the Domain Name System in the long run, the BSI recommends the introduction of the DNS extension DNSSEC, in which DNS entries are checked for validity using cryptographic methods.”
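To make the BSI's distinction between "patch the servers" and "deploy DNSSEC" concrete, here is an added example of my own; it is not code from PIR, the BSI, or any DNS implementation. It models the two gates a reply must pass at a resolver: first the transport-level match on transaction ID and source port (the guessing game the Kaminsky patches make harder), then signature validation (what DNSSEC adds). The signing is a toy textbook-RSA stand-in with two small hard-coded primes so the block runs offline, and it signs a single record rather than a real RRset with a DS chain to the root; the names, addresses and the "lucky" forged reply are constructed for the demonstration.

```python
import hashlib
import secrets

# --- Part 1: the guessing game that patching (source-port randomization) plays ---
TXID_BITS = 16   # the DNS transaction ID is a 16-bit field
PORT_BITS = 16   # a randomized UDP source port adds up to 16 more bits of entropy


def guess_space(randomized_source_port: bool) -> int:
    """Number of (txid, port) combinations an off-path attacker has to hit."""
    bits = TXID_BITS + (PORT_BITS if randomized_source_port else 0)
    return 2 ** bits


def spoof_success_probability(forged_replies: int, randomized_source_port: bool) -> float:
    """P(at least one of N forged replies matches the outstanding query) in one race window."""
    space = guess_space(randomized_source_port)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


# --- Part 2: a stand-in for RRSIG validation (toy textbook RSA, NOT real DNSSEC) ---
# Assumption: small hard-coded primes so the example runs offline. Real RRSIGs use
# 2048-bit RSA or ECDSA keys, cover whole RRsets, and chain via DS records to the root.
_P, _Q = 999983, 1000003
ZONE_MODULUS = _P * _Q
ZONE_PUBLIC_EXP = 65537
_ZONE_PRIVATE_EXP = pow(ZONE_PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))


def _digest(name: str, rdata: str) -> int:
    """Hash the record being signed down to an integer below the toy modulus."""
    h = hashlib.sha256(f"{name}|{rdata}".encode()).digest()
    return int.from_bytes(h, "big") % ZONE_MODULUS


def sign_record(name: str, rdata: str) -> int:
    """Zone operator side: produce the (toy) signature over one record."""
    return pow(_digest(name, rdata), _ZONE_PRIVATE_EXP, ZONE_MODULUS)


def verify_record(name: str, rdata: str, rrsig: int) -> bool:
    """Validating resolver side: check the signature with the zone's public key."""
    return pow(rrsig, ZONE_PUBLIC_EXP, ZONE_MODULUS) == _digest(name, rdata)


# --- Part 3: the two gates a reply passes at the resolver ---
def resolver_accepts(query: dict, reply: dict, validate_dnssec: bool) -> bool:
    """Gate 1: transport-level match (what patching protects). Gate 2: signature (what DNSSEC adds)."""
    if (reply["txid"] != query["txid"] or reply["port"] != query["port"]
            or reply["name"] != query["name"]):
        return False  # the forged packet simply did not match; patching makes this the common case
    if validate_dnssec:
        return verify_record(reply["name"], reply["rdata"], reply["rrsig"])
    return True  # without validation, anything that passes gate 1 is cached as truth


def demo() -> dict:
    """Constructed scenario: the attacker has already won the guessing game for this query."""
    query = {"name": "www.example.org.",
             "txid": secrets.randbelow(2 ** TXID_BITS),
             "port": secrets.randbelow(2 ** PORT_BITS)}
    # Forged reply with matching txid/port but a made-up signature (constructed input).
    forged = {**query, "rdata": "192.0.2.66", "rrsig": secrets.randbelow(ZONE_MODULUS)}
    # Genuine reply signed with the zone key (constructed input).
    genuine = {**query, "rdata": "192.0.2.10"}
    genuine["rrsig"] = sign_record(genuine["name"], genuine["rdata"])
    return {
        "forged_unvalidated": resolver_accepts(query, forged, validate_dnssec=False),
        "forged_validated": resolver_accepts(query, forged, validate_dnssec=True),
        "genuine_validated": resolver_accepts(query, genuine, validate_dnssec=True),
    }


if __name__ == "__main__":
    for n in (1_000, 65_536):
        print(f"{n:>6} forged replies: txid only -> "
              f"{spoof_success_probability(n, False):.4f}, "
              f"txid+port -> {spoof_success_probability(n, True):.6f}")
    print(demo())
```

The probabilities in the first part are why patching is necessary but not sufficient: with only the 16-bit transaction ID, one burst of a few tens of thousands of forged packets succeeds more often than not, and port randomization pushes that to a small fraction of a percent per attempt, which still yields to a patient attacker. The third part shows the property DNSSEC adds: even when the forged reply matches on both fields, a validating resolver rejects it, while the genuinely signed answer is accepted.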
The news of the existence of vulnerabilities in the DNS is unfortunate, but we do have a long-term solution that, according to many independent experts, would work: DNSSEC. Perhaps it's time for the critics to take another look?