Submission + - Google Implements DNSSEC Validation for Public DNS (securityweek.com)
wiredmikey writes: Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn’t actually perform validation.
“With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,” Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post.
In a recent column, Ram Mohan explained that while DNSSEC does not solve every Internet-based security issue, it does offer a more advanced level of user security for directory look-ups than is currently in use. “For example, DNSSEC can ensure that a Web browser knows where to find the site you are trying to reach,” Mohan explained. “Browsers can employ this information to help protect users from phishing attacks and from being hijacked. Although browsers don't use DNSSEC in this way today, they easily could (and probably should).”
According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013.
“Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Google’s Gu said.
“With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,” Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post.
In a recent column, Ram Mohan explained that while DNSSEC does not solve every Internet-based security issue, it does offer a more advanced level of user security for directory look-ups than is currently in use. “For example, DNSSEC can ensure that a Web browser knows where to find the site you are trying to reach,” Mohan explained. “Browsers can employ this information to help protect users from phishing attacks and from being hijacked. Although browsers don't use DNSSEC in this way today, they easily could (and probably should).”
According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013.
“Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Google’s Gu said.