Olaf Kolkman, a Dutch DNS expert, is the new chair of the Internet Architecture Board, a panel of 13 leading network engineers who provide technical oversight to the IETF, the Internet's premier standards-setting body. He's also CEO of NLnet Labs, an Amsterdam research group focused on DNS security.
After taking over as IAB chair at an IETF meeting in Prague last week, Kolkman corresponded with Carolyn Duffy Marsan and shared some thoughts about his new role, why it's taking DNSSEC (an approach to authenticating DNS traffic) so long to catch on, and topics the IAB may be tackling over the next year or two.
What do you see as the biggest challenges facing DNS and what needs to be done about them?
The DNS protocol is over 25 years old. When talking about the protocol itself, it has proven difficult to extend because any extension to the DNS needs to be fully backwards compatible to be able to integrate the extension into the deployed installed base and the way that the Internet currently functions. On the other hand, the DNS protocol has turned out to be a success and is, at its core, the most popular and scalable lookup service on the Internet. People are therefore looking at the DNS to provide lookup services for many applications.
Different applications have particular requirements of the DNS. The challenge is to make the tradeoff: Is the DNS the appropriate tool to do the job?
Can the requirements that are put on the DNS be provided without straining the system? And can potential extensions that are required be designed to be backwards compatible and be realistically deployed?
Two examples of new applications that explore the boundaries of what the DNS protocol can provide are the ENUM protocol that provides a discovery service for services that are tied to telephone numbers, and the DKIM protocol that uses the DNS to store policies that can be used, for instance, to cope with spam.
Your technical expertise is in DNSSEC, an approach to authenticating DNS traffic that has not been widely adopted across the Internet. Do you consider DNSSEC a failure?
No. DNSSEC has been talked about for over 10 years. The so-called DNSSEC-bis specification was only published a year ago. It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem. For most application developers, DNSSEC is not on the radar because of the lack of infrastructure, while for the providers of infrastructure there are not sufficient users to justify their expense.
Fortunately there are a number of top-level domains (TLDs) that recognize the importance of DNSSEC and have stepped up to the table. As a result, some of the larger TLDs have been pushing for a modification to the DNSSEC protocol that slowed down deployment. This modification is a tweak to the protocol that has just been finished. Other TLDs, like .SE [Sweden] and .PR [Puerto Rico], already have DNSSEC deployed. More DNS infrastructure will need to be signed -- more TLDs, the root zone and zones at the corporate level. Besides, applications will need to start using that information. It is not realistic to expect DNSSEC to be deployed overnight.
To understand the relevance of DNSSEC, one should keep in mind that the DNS is used in almost every situation where users want to access a service somewhere on the Internet, and DNSSEC provides protection of that utility. I think it is important to go through the exercise of determining how important the integrity and authority of the DNS are to the services that you offer. As an example, with the ENUM protocol, what would happen if the mapping from a telephone number into a service was modified? Or, what would happen if the name-to-address mapping for your stock ticker service was modified? Would you notice the padlock in your browser?