Home / Blogs

DNSSEC vs DDoS Protection: Is It Really a Choice?

Within the last year or two, I’ve heard people express an opinion to the effect that if the domain name industry put as much focus on preventing distributed denial of service attacks as we have on implementing DNSSEC, the Internet would be a safer place.

While there may be a grain of truth there, I suggest that this kind of thinking presents us with something of a false dichotomy.

DDoS attacks are indeed a pernicious problem, and one with which companies increasingly find themselves having to deal. There’s no doubt that DDoS is a serious issue; attacks as powerful as 49Gbps have been recorded. For organizations tasked with providing DNS services for customers with many domains, an attack on one customer often means an attack on all customers.

The origins of DDoS are frequently more widespread and multifaceted than the cache poisoning attacks that DNSSEC can help prevent. Due to the complex web of criminal organizations, hackers, botnets, malware, and spam that are all involved in levying DDoS attacks, there are more questions than answers today to solve this problem. But we cannot afford to allow our worries about one serious security threat to lead us to ignore another. The fact is that while man-in-the-middle attacks such as cache poisoning may be less of a frequency on a daily basis, they are a problem with the potential to be every bit as serious and widespread as DDoS.

The Kaminsky bug reminded us that the DNS is the lynchpin in the Internet’s fragile framework of trust. The cache poisoning vulnerability had the potential to fundamentally undermine the trust that consumers and enterprises have when they transact business or share information online. Whereas a DDoS attack against a domain name generally affects only its target—albeit frequently with some collateral damage—a successful cache poisoning attack could affect potentially millions of end users, none of whom would be initially aware they were being victimized. You may be temporarily inconvenienced if your bank’s website is unavailable, but a non-resolving domain does not shake trust in the Internet to the same extent as discovering the site you gave your password wasn’t really your bank at all.

DDoS is a threat broader in scope, not specific to one protocol, and not limited to the domain name industry. It will require a much greater degree of cross-industry innovation and cooperation to ultimately solve. To the contrary, DNSSEC has already been in development for nearly two decades and presents a fully-formed solution to the cache poisoning problem today. There is complexity to implementation, and many players must participate to fully deploy DNSSEC and get the maximum benefit.

Kaminsky’s vulnerability showed us that DNSSEC is not, as some suggest, a solution is search of a problem. It is a way that the domain name industry and others are fixing a design oversight in the DNS, and preparing DNS for the next decade of Internet usage that must bake-in fundamental security. DNSSEC deployment has seen a huge surge since 2007-8 when leaders like .SE and .ORG (both Afilias customers) committed to enabling DNSSEC. The lesson is that when collaboration can solve a problem, the DNS and domain community can bring the solution to market in a way that is useful for consumers.

So it isn’t really a choice between solving DDoS or deploying DNSSEC. The DNS community faces many security issues on a daily basis and there are surely many new ones just around the corner that we have yet to anticipate. But we should not ignore the problems for which we already have effective solutions, just because there is another problem to solve. The answer is that we need to solve both problems, but deploy the solutions we have today first.

By John Kane, Vice President of Corporate Services, Afilias

Filed Under


The relationship between DNSSEC and DDoS The Famous Brett Watson  –  Oct 1, 2010 12:18 AM

So it isn’t really a choice between solving DDoS or deploying DNSSEC.

Maybe not, but it’s a shame that DNSSEC itself had to be such a great DDoS facilitator: it can act as a DDoS amplifier, thanks to its potential request/response size ratio.

So, while the question we actually face isn’t the one you pose, it’s close. What we have instead is a dilemma: a choice between not facilitating DDoS and deploying DNSSEC. Which of those choices would result in the better overall Internet experience?

Great point Christopher Parente  –  Oct 14, 2010 12:48 PM

That’s a great point by Brett. And while the benefits of DNSSEC don’t arrive until the entire value chain is secured, this negative effect happens as soon as the domain is signed, correct? (this is an assumption, disclosure I’m not an engineer)

No response from the author? Is there no way to address this issue?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign