Like all public networked systems, the system of public domain name servers is threatened by a variety of purposeful attacks, both malicious and mischievous, by individuals or groups that aim to disable or divert their operations. The operators of the DNS are responding to these threats, but not all the desirable steps to ensure security have yet been implemented.
Denial-of-service attacks attempt to overwhelm key name servers and their links to the Internet with so much traffic that they are incapable of responding to legitimate queries. The root name servers have the capacity and capability to respond to many times the normal number of queries they receive, and have alternate connections to the network if some are blocked. Their ability to respond to attacks has been improved by some operators’ recent addition of multiple distributed copies (called “anycast” servers) of the base name servers, increasing both capacity and connectivity. In anticipation of future denial-of-service attacks and normal growth in demand, and to improve service globally, anycast server deployment should be expanded.
Notwithstanding the deployment of anycast servers and installation of backup servers at remote locations, the concentration of root name server facilities and personnel in the Washington, D.C., area and, to a lesser extent, in the Los Angeles area is a potential vulnerability. The need for further diversification of the location of root name servers and personnel should be carefully analyzed in the light of possible dangers, both natural and human in origin.
In response to the threat of alteration of messages being transmitted among name servers, the technical community has developed DNS Security Extensions (DNSSEC), which uses digital signatures to verify that the content of a message to or from a name server arrives unaltered and that its origin is as stated. DNSSEC only gives assurance that what was sent was not changed during transmission; it cannot and is not intended to assert that the message is factually correct. For example, DNSSEC has no