University of Pennsylvania Becomes First U.S. University to Deploy DNSSEC (DNS Security)
November 2, 2009 :: Shirley Ross, Information Systems and Computing
The University of Pennsylvania’s Information Systems and Computing (ISC) division has announced its successful implementation institution-wide of Domain Name Security Extensions (DNSSEC) technology. The upenn.edu DNS zone was signed with DNSSEC in early August 2009. Penn is part of an Internet2 and Educause community of early adopters of DNSSEC technology and is the first U.S. university to implement institution-wide.
DNSSEC addresses many security vulnerabilities in the Domain Name System (DNS), the part of the Internet that translates user-friendly names, such as www.upenn.edu, into the numeric network addresses required to deliver information on the Internet. These vulnerabilities have gained greater prominence in recent years as malicious parties have increasingly found ways to exploit the vulnerabilities, using them to distribute falsified DNS information to re-direct Internet users for the purpose of fraud and other criminal activity. DNSSEC provides the ability to incorporate digital signatures for names in the DNS, which can be used to verify their authenticity, and thus foil these attacks. Additionally, DNSSEC enables new capabilities in network applications by allowing them to securely publish a variety of cryptographic keying material in the DNS.
A few U.S. universities have deployed DNSSEC in parts of their infrastructure (testbeds, research departments, or other subdivisions). But Penn is believed to be the first to have completed a DNSSEC deployment on a campus-wide scale. In fact, Penn’s experience with DNSSEC goes back much further. In 2006, it also deployed DNSSEC at MAGPI (Mid-Atlantic GigaPop for Internet2), a regional research and education network it operates as part of the Internet2 project, and which serves most major universities and colleges in the eastern Pennsylvania, New Jersey, and Delaware regions.
Additionally, Penn is working with Educause on its plans to deploy DNSSEC in the EDU top level DNS domain, which Educause and Verisign operate under a co-operative agreement with the US Department of Commerce. Penn is one of the earliest participants in the EDU DNSSEC testbed, already in progress. When the project is completed, educational institutions across the country will have the ability to publish a digital signature for their EDU domain names.
Shumon Huque, an IT Technical Director in ISC’s Networking and Telecommunications organization, is leading Penn’s DNSSEC deployment efforts and participation in the Educause testbed. “Higher education can take a leadership role in securing the DNS,” said Huque. “If a few universities in the advanced networking community can fully deploy DNSSEC and share experiences, we can make broad deployment more straightforward for the larger community.”
Anytime/anywhere access to the Internet is critical to higher education’s ability to conduct business.
“The University of Pennsylvania and ISC are honored to have this opportunity to contribute to enhancing internet security. We hope the work we and our colleagues at Louisiana State University, UC Berkeley, Cambridge, and others are doing on this project will produce valuable new knowledge that ultimately will be useful to other education organizations around the world and that it will also translate into useful information to be used by business and industry, making the internet a better and safer place for all of us,” said Penn’s Vice President of Information Systems & Computing, Robin Beck. “Having a safe internet is absolutely critical to the Penn community, which depends upon web-based technology for a myriad of critical functions and services, including our Undergraduate Admissions system, Student Financial Services, Course Registration, and submission and award of research grants, to name just a few.”