One of the most critical parts of the Internet is managed by one small company.
To browse a web site, you have to obtain the Internet Protocol address of its web server. When you visited my web site just now, your browser went to a domain name server (DNS) to get its address. The name server told your computer my address (126.96.36.199) so you could connect to my web server and read this blog. If DNS fails, you can’t find my web site even when it’s working fine.
DNS is vulnerable to various security threats, such as reflection attacks and poisoning attacks. Attacks that knock a DNS server offline, such as distributed denial of service, make it harder for people to reach web sites. But for most ordinary DNS servers, the impact of the attack is localized to a particular Internet service provider, geographic area, or community of users.
The weakest link in DNS is top level domains (TLDs), the suffixes on site names like .com or .net. If you access my web server www.taprootsecurity.com, and your primary DNS server doesn’t know its address, then it contacts a more authoritative name server that knows all name server addresses for the .com TLD, asking it to identify a name server for taprootsecurity.com. If there is no such authoritative name server available, the lookup fails. Error: Site not found!
So, if an attacker could disable all of the top level .com name servers, every .com web site would be effectively inaccessible in less than an hour (when DNS caches expire). Ditto for .net, .org, etc. And yet, most of these top level domain name servers are operated by one small company.
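The dependency described above can be made concrete with a toy resolver. The following is an added illustration, not code from the post or from any DNS software: it models the root, TLD and zone name servers as small dictionaries, caches answers with a TTL, and shows that a lookup for a .com name keeps succeeding from cache after the .com TLD servers become unreachable, then fails once the cached record expires, while a .net name is unaffected. All server names, addresses other than the post's 126.96.36.199, and TTL values are constructed for the example.

```python
"""Toy model of DNS delegation and cache expiry (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed delegation tree: the root knows the TLD servers, each TLD server
# knows the name servers of its second-level domains, and each zone's own name
# server knows host addresses. Server names and .net addresses are made up.
ROOT_ZONE = {"com": "tld-com-ns", "net": "tld-net-ns"}
TLD_ZONES = {
    "tld-com-ns": {"taprootsecurity.com": "ns1.taprootsecurity.com"},
    "tld-net-ns": {"example.net": "ns1.example.net"},
}
AUTH_ZONES = {
    "ns1.taprootsecurity.com": {"www.taprootsecurity.com": "126.96.36.199"},
    "ns1.example.net": {"www.example.net": "203.0.113.10"},
}


@dataclass
class Resolver:
    ttl: int = 3600                                   # cache lifetime in seconds (constructed)
    down: Set[str] = field(default_factory=set)       # name servers currently unreachable
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (address, expiry)

    def resolve(self, name: str, now: int) -> Optional[str]:
        """Return the address for `name` at time `now`, or None if the lookup fails."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]                           # answered from cache; no servers contacted
        # Walk the delegation chain: root -> TLD server -> zone's authoritative server.
        tld = name.rsplit(".", 1)[-1]
        tld_server = ROOT_ZONE.get(tld)
        if tld_server is None or tld_server in self.down:
            return None                               # no reachable TLD server: "Site not found"
        zone = ".".join(name.split(".")[-2:])
        auth_server = TLD_ZONES[tld_server].get(zone)
        if auth_server is None or auth_server in self.down:
            return None
        address = AUTH_ZONES[auth_server].get(name)
        if address is None:
            return None
        self.cache[name] = (address, now + self.ttl)  # cache the answer until its TTL runs out
        return address


def outage_timeline(name: str, outage_at: int, ttl: int = 3600):
    """Resolve `name` before a .com TLD outage, during it (cache still valid), and after the cache expires."""
    resolver = Resolver(ttl=ttl)
    before = resolver.resolve(name, now=0)
    resolver.down.add("tld-com-ns")                   # every .com TLD server becomes unreachable
    during = resolver.resolve(name, now=outage_at)
    after = resolver.resolve(name, now=outage_at + ttl)
    return before, during, after


if __name__ == "__main__":
    print(outage_timeline("www.taprootsecurity.com", outage_at=600))
    # ('126.96.36.199', '126.96.36.199', None)
```

The middle value is the window the post refers to: cached answers mask the outage until the TTL elapses, after which every resolver that must go back to the TLD servers fails, regardless of whether the zone's own name servers are healthy.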
Six generic top level domains have served as the Internet’s foundation since 1985. Four of them are currently operated by one company, VeriSign:
That’s a big weight to put on the shoulders of a fairly small company. Since recently selling off its core authentication business to Symantec, VeriSign has less than 1,000 employees.
This is what is known as concentration risk, or more colloquially, “putting all your eggs in one basket.” Why attack all the Internet’s web sites, if you can just take down a single name service that lets browsers find them? That would turn most of the Internet dark.
Could this really happen? VeriSign is secretive about security incidents, but on at least one occasion it acknowledged (in a 2010 SEC filing) that it was the victim of intense hacker activity, including “several successful attacks against its corporate network.” VeriSign went on to admit that “given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information.”
Ponder this scenario: In the same filing, VeriSign stated “A failure in the operation or update of the master database that we maintain could also result in the deletion of one or more top-level domains from the Internet and the discontinuation of second-level domain names in those top-level domains for a period of time or a misdirection of a domain name to a different server.”
Luckily the original six TLDs from 1985 aren’t the only game in town. Today more generic top level domains (gTLDs) are coming online. ICANN, the organization that awards new gTLDs to DNS operators, began accepting applications in 2012. Newfangled URLs are starting to go live, such as sites ending in .store and .tv. There was some hope that this might lead to less reliance on VeriSign.
But guess who operates many of the new gTLDs? Yup, VeriSign.
A gTLD operated by VeriSign under the supervision of a diligent administrator can be more secure than .com or .net. A good example is the .bank domain, administered by a company called fTLD and operated by VeriSign. VeriSign was a reasonable choice when fTLD sought a technology partner. No other company can match VeriSign’s experience and expertise in running a large DNS operation. But fTLD can insist on a level of visibility into VeriSign’s security operations, including incidents and defenses, that VeriSign would never provide to the general public. Furthermore, fTLD baked extra security controls into .bank that VeriSign is contractually required to enforce, such as DNSSEC security in all zones, multifactor authentication for registrars, DMARC email records, etc.
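One of the controls listed above, a DMARC record, is easy to check mechanically. The following is an added example, not fTLD's or VeriSign's code: it parses the "tag=value;" syntax of a DMARC TXT record (as defined in RFC 7489) and reports whether the record carries an enforcing policy. The sample records are constructed; the domain names in them are placeholders.

```python
"""Parse DMARC TXT records and classify their policy (constructed example)."""
from typing import Dict, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tags; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue                      # ignore empty trailing segments and junk
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(record: str) -> Optional[str]:
    """Return the domain policy ('none', 'quarantine' or 'reject'), or None if the record is not valid DMARC."""
    tags = parse_dmarc(record)
    # RFC 7489: the record must begin with the version tag and must carry a p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    return policy


def is_enforcing(record: str) -> bool:
    """True when mail failing DMARC is quarantined or rejected, rather than only reported."""
    return dmarc_policy(record) in {"quarantine", "reject"}


# Constructed sample records for a hypothetical bank zone.
SAMPLES = {
    "reject":   "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "monitor":  "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test",
    "no_policy": "v=DMARC1; rua=mailto:dmarc@example-bank.test",
    "not_dmarc": "v=spf1 include:_spf.example-bank.test -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, dmarc_policy(rec), is_enforcing(rec))
```

A record in monitor-only mode (p=none) satisfies "has a DMARC record" but does nothing to stop spoofed mail, which is why a check like this should look at the policy value rather than only at the record's presence.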
ICANN is in a unique position to encourage more DNS operators to compete with VeriSign. For example, their application scoring system could award extra points to applicants who choose other partners. However, they’re not likely to do this unless they start receiving public comments and objections.
ICANN receives objections to gTLD applications from the public all the time. For example, before awarding .catholic to the Vatican’s Pontifical Council for Social Communications, ICANN considered objections from 22 other organizations and individuals, all publicly available here.
Let’s tell ICANN to put its eggs in a few more baskets.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.