Web site impersonation could become as great a risk as ID theft, Paul Mockapetris, the co-inventor of DNS warns. Waiting in the wings is a better security standard for the Internet"s Domain Name System. It"s called DNSSec, and it uses digital signatures to guard against impersonation. But political wrangles are holding up adoption, Mockapetris claims.
A denial of service attack last October which took out seven of the Internet"s 13 DNS root-name servers last October, highlighted the fragility of the Internet"s addressing system. Mockapetris, chief scientist at Internet infrastructure firm Nominum, reckons the threat has been overplayed: people are neglecting greater, related risks, he told us.
Since the data in root-name servers changes infrequently a denial of service attack has relatively little impact, unless it goes on for days, he argues. That"s because key data is cached locally by large ISPs and enterprises. However an attack against country level DNS, or worse, a successful attempt to counterfeit DNS data would have far greater impact. To date there have been few such attacks, apart from the recent onslaught against the Al-Jazeera network. But the current DNS system provides no guarantees against impersonation and must be updated, Mockapetris argues.