This fall, George Mason University will become the new home of one of the Internet’s venerable monitoring and measurement services: the Domain Name System Security Extensions (DNSSEC) Deployment Maps. This service plays a prominent role in chronicling the evolution of a critical part of Internet security and has been under the stewardship of the Internet Society (ISOC) since 2014. The maps were originally developed by Shinkuro, Inc. with sponsorship by the Department of Homeland Security (DHS). The transition to Mason is being facilitated with sponsorship from the Internet Society, The Internet Corporation for Assigned Names and Numbers (ICANN), and Verisign, Inc.
Eric Osterweil, Assistant Professor in the Mason Department of Computer Science in the College of Engineering and Computing, has been instrumental in bringing the deployment maps to Mason, reaching an agreement to host it at Mason’s Center for Assurance Research and Engineering (CARE, directed by J.P. Auffret) and the Measurable Security Lab (MSL) in the Computer Science department. “We are excited to provide a new home for this important activity,” Osterweil says. “People all over the world access the deployment maps and will now associate them with Mason.”
The deployment maps service tracks how DNSSEC has been deployed worldwide for top-level domains and has been a staple of the Internet security community for years. With almost 17 years of deployment, the maps database is fertile ground for conducting basic research and connecting students with real operational cybersecurity issues. Osterweil notes that the security DNSSEC provides to Internet users is incredibly essential, even if in the background. “The average person will never know about DNSSEC. It’s a lot like saying, ‘What’s the formula of the asphalt I drive on?’ It’s really important, but not important that I have any idea about it.”
DNS is the Internet’s de facto name-mapping system, translating domain names (like gmu.edu) into IP addresses and other identifiers. However, data from the DNS is not inherently secure, as “the IP address of a DNS response can be easily forged, or spoofed,” according to ICANN. DNSSEC enhances DNS with authentication protections, using public-key cryptography, so users can be confident that website visits and emails connect them to entities they want to reach. DNSSEC prevents attacks like cache poisoning and domain redirection, which can result in fraud, malware distribution, and theft of personal, confidential information.
“Internet administrators and researchers anywhere in the world receive weekly email summaries of the current DNSSEC deployment. New services will be added when the system is fully transitioned to George Mason,” says Osterweil. The maps are used by the Internet operations, standards, and policy communities as a resource for the current (and past) state of deployment. “We really want to take the deployment maps service and evolve it into an observatory for this critical infrastructure.” As part of the transition to Mason, Osterweil is establishing an external advisory board, composed of industry stalwarts and chaired by Stephen Crocker (an inductee into the Internet Hall of Fame, author/editor of RFC 1, and founding chair of the ICANN Security and Stability Advisory Committee, SSAC), to help steer and evolve the service. With their cooperation, the deployment maps will be evolved and integrated into a new holistic Internet Namespace Security Observatory in CARE at Mason.
“We are glad that George Mason University is taking on this important work,” said Dan York, director of online content at the Internet Society. “The maps have been a useful way to track the state of DNSSEC deployment over many years. We look forward to seeing how GMU evolves and improves the maps further.”
Osterweil is in talks with multiple industry partners and traditional sources to help support research using the Deployment Maps. Further, he is planning to leverage the service for its research value and use it to enhance teaching, as well as a hands-on experience for student researchers. “Analyses of historical datasets of critical infrastructure like DNSSEC are critical in understanding large-scale events and behaviors. The Internet Namespace Security Observatory will synthesize measurable properties of Internet naming systems (such as DNS, DNSSEC, DANE records, etc.) and provide measurable telemetry to evaluate how well dependent systems, protocols, and users are able to validate security protections.”
Osterweil and colleagues announced the transition of the maps publicly at the ICANN’s 74 meeting in The Hague, Netherlands in June.
Founded in 1992 by Internet pioneers, the Internet Society is a global non-profit organization working to ensure the Internet remains a force for good for everyone. Through its community of members, special interest groups, and 130+ chapters around the world, the organization promotes Internet policies, standards, and protocols that keep the Internet open, globally-connected, and secure.
The College of Engineering and Computing at George Mason University is a fast-growing force for innovation in technology and education. The college boasts over 10,000 students in two schools, 37 undergraduate, master’s, and doctoral degree programs, including several first-in-the-nation offerings. As part of a nationally ranked research university, its research teams earned more than $61 million in sponsored research awards in the last 12 months. Located in the heart of Northern Virginia’s technology corridor, the college stands out for its focus on emerging areas including big data, cybersecurity, healthcare technology, robotics and autonomous systems, artificial intelligence and machine learning, signals and communications, and sustainable infrastructure.
ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or another device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a nonprofit public benefit corporation with a community of participants from all over the world.
Verisign, a global provider of domain name registry services and Internet infrastructure, enables Internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key Internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global Internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit verisign.com.