A consortium of organisations has banded together to develop software aimed at making it easier for companies to deploy the DNS security standard DNSSEC. A team comprising Nominet, .SE and SIDN (respectively the UK, Swedish and Dutch Internet registries) and various others has combined to produce OpenDNSSEC, software that the developers claim will reduce the pain of implementing DNSSEC.

Although organisations are well aware of the security problems inherent in DNS, as evidenced by the flaw discovered by Dan Kaminsky last year, they have so far been reluctant to adopt DNSSEC.

There are two problems with DNSSEC, said Nominet senior researcher Roy Arends. "There's a chicken-and-egg problem of why should you invest in signing, when the signatures are not going to be validated? Or why invest in validation when there are no signatures?"

The second problem faced by users, said Arends, is that DNSSEC is tricky. "You have to do maintenance, you have to make sure that signatures do not expire and keys have to be upgraded."

"It's like cooking: you can't just leave everything unattended in the kitchen, you have to be involved," added Arends.

However, OpenDNSSEC changes all that. "With OpenDNSSEC, you can walk away and OpenDNSSEC does all that maintenance for you. With DNSSEC there's a steep learning curve. With OpenDNSSEC that problem goes away. Anyone who knows a little bit about Unix admin could handle OpenDNSSEC," he said.

Arends highlighted a couple of key features of OpenDNSSEC. "We've included a policy enforcer to allow administrators to keep tabs on any policy that has had to be written down. For example, you might specify that keys needed to be renewed every three months. This enforcer is not available in any other software that we know of."

The consortium has also introduced a software version of the hardware security module used by banks. Arends said that the software version would considerably reduce the cost of introducing this level of security, making it an option for people who couldn't afford hardware modules.

Work has just been completed on the OpenDNSSEC specification. The consortium has already sent out some preview versions for organisations to work with, and there are plans for a beta version to come out in a few months' time. The full version of the software should be available some time next year, said Arends.

The work on the specification has been completed quickly. "We started OpenDNSSEC last year with specifying the concepts and then started writing software from scratch." The partners involved in the development are all looking to implement the software themselves.

Arends said that the development of OpenDNSSEC will convert some of the foot-draggers. "We really think that this will make a difference to DNSSEC deployment," he said. He said that once it was implemented, administrators would have to actively switch it off to stop using it. "Sysadmins are lazy and want an easy life," he joked. "I used to be one and I know. We want to make OpenDNSSEC so easy, it will actually mean more work if you don't do it."