DNSSEC Will Drive Certificate Market

With the landmark deployment of DNSSEC in the root a little over a month ago and the acceleration of top-level domains (TLDs) jumping onto the DNSSEC bandwagon through the end of this year and 2011, a big question remains: what does this protocol improvement mean for the digital certificate market?

DNSSEC offers essential changes to the Internet name space infrastructure that will enable future Internet architects to ensure that a domain is what it claims to be. But that doesn't mean certificates will fall by the wayside.

"Some people in our community believe that now with DNSSEC, certificate authorities don't matter anymore," says Dan Kaminsky, chief scientist for Recursion Ventures and the researcher best known for two years ago blowing the lid off a major DNS vulnerability that would enable attackers to easily perform cache poisoning attacks. "I tell you nothing could be further from the truth. Certificate authorities are now so much more important than they've ever been."

Russ Housley, chair of the Internet Engineering Task Force (IETF), concurs. "The DNS memory becomes a vector providing the authenticated integrity-protected path for these certificates," Housley says. "We'll be working in the future with that in mind. So I think you need to think of these as complements."

As Kaminsky explains, DNSSEC improves the ability of engineers to authenticate domains, but not necessarily brands. That's where certificates will continue to factor into the process.

"There are domains and there are brands and they are not in fact the same thing," he says. "DNS by its nature is an open name space, and as long as someone is not using a domain, you're allowed to register it and once you have that domain you can put whatever you want under it. That's how it works and no matter how much you kick and scream, nobody can say we're going to make it impossible for a name that looks like your bank to show up in the DNS. That's not something that is technically feasible."

Kaminsky points to extended validation SSL certificates as a perfect solution to this problem, as the certificate authorities (CAs) validate the true identity of the certificate holder, better authenticating the actual brand, rather than the domain. He says that DNSSEC is complementary to the extended validation certificates, fixing flaws that threatened the sanctity of this means of authentication.

"Last year Mike Zusman and Alexander Sotirov demonstrated that while extended validation certificates can do a tremendous amount of good, an attacker who has a non-extended certificate for the same name can actually interfere with the communication and get their malicious content to show up with a green bar and there was no fix possible then," he says. "Now with the root signed, DNSSEC can actually make assertions [that] this is the only certificate for this domain."

According to Jon Oltsik, security analyst for Enterprise Strategy Group, it may take time for organizations to truly recognize the complementary nature of DNSSEC and certificates so that it makes a sizeable bump in the market.

"I think over time DNSSEC really accelerates the certificate market, but I think in the short term people will do a lot of self-signing," Oltsik says. "It's likely to be a homegrown effort that will turn into a scalability mess and then into a market."

But growth in the certificate market is imminent, he says, and not just due to the adoption of DNSSEC--he cites other drivers such as IPSec, SOA, and Web services adoption as additional factors at play.

"I think DNSSEC is just one driver here," he says. "The market for certificates is going to continue to grow over the next few years."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.