The potential for DNS hijacking (a spoofed or cache-poisoned answer) is undeniable, with the risk it entails of being redirected to systems under the control of a malicious entity and, from there, the potential for SSL man-in-the-middle attacks.

But is the answer really DNSSEC? These two UML sequence diagrams show the same recursive query in the current DNS scheme and under DNSSEC. Note the large increase in processing effort and transaction time involved in implementing DNSSEC (the extra DNSKEY and DS lookups at each delegation, plus signature verification at each step), and then multiply that by the several hundred million DNS queries made every day. One caveat a deployment needs to weigh: those extra lookups and verifications are done by the validating resolver and cached for the records' TTL, so the cost is paid once per zone per TTL rather than on every client query.

DNS Sequence

DNS_SEQUENCE_2011-10-11.JPEG

DNSSEC Sequence

DNSSEC_SEQUENCE_2011-10-11.JPEG
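
As an added illustration of what the extra steps in the DNSSEC diagram actually do (this is example code written for this page, not part of the original post or any resolver's code), the Python below implements the chain-of-trust link a validating resolver checks at each delegation: it computes the DNSKEY key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4), then walks a constructed root -> com -> example.com chain from a trust anchor down, refusing to proceed if any zone's key does not match the DS its parent holds. The zone names and key bytes are constructed placeholders, not real keys, and RRSIG verification over the DNSKEY and DS RRsets (the other half of the work in the diagram) is deliberately left out because it needs a real signature library.

```python
import hashlib
import hmac
import struct

# IANA DNSSEC identifiers used below.
ALG_RSASHA256 = 8       # DNSKEY/DS algorithm number
DIGEST_SHA256 = 2       # DS digest type
FLAG_ZONE_KEY = 0x0100  # DNSKEY flags: zone key
FLAG_SEP = 0x0001       # DNSKEY flags: secure entry point (KSK)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, ending in the zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 uses a different key tag rule")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS digest = SHA-256(owner name wire form | DNSKEY RDATA), RFC 4034 s5.1.4."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """The DS record a parent zone would publish for this child DNSKEY."""
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, ds_digest(owner, rdata))


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Does the parent's DS record commit to this DNSKEY?"""
    tag, alg, dtype, digest = ds
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, dtype))


def validate_chain(trust_anchor_ds: tuple, links: list) -> list:
    """Walk the chain parent -> child. `links` is [(zone, ksk_rdata, ds_for_child)]
    ordered from the root down; ds_for_child is None for the last zone. Each
    zone's KSK must match the DS held by its parent (the trust anchor for the
    root). Returns the zones validated; raises ValueError at the first broken
    link. RRSIG verification over DNSKEY/DS RRsets is not performed here."""
    expected_ds = trust_anchor_ds
    validated = []
    for zone, ksk_rdata, child_ds in links:
        flags = struct.unpack("!H", ksk_rdata[:2])[0]
        if not flags & FLAG_ZONE_KEY:
            raise ValueError(f"{zone}: DNSKEY is not a zone key")
        if not ds_matches_dnskey(expected_ds, zone, ksk_rdata):
            raise ValueError(f"{zone}: DNSKEY does not match the parent's DS")
        validated.append(zone)
        expected_ds = child_ds
    return validated


def chain_is_valid(trust_anchor_ds: tuple, links: list) -> bool:
    """Boolean wrapper around validate_chain for callers that only need yes/no."""
    try:
        validate_chain(trust_anchor_ds, links)
        return True
    except ValueError:
        return False


def build_demo_chain() -> tuple:
    """Constructed demo data: three KSKs with placeholder public-key bytes
    (not real RSA keys), linked root -> com -> example.com."""
    def ksk(seed):
        pubkey = bytes((seed + i) & 0xFF for i in range(64))  # placeholder, constructed
        return dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, 3, ALG_RSASHA256, pubkey)
    root_ksk, com_ksk, example_ksk = ksk(1), ksk(2), ksk(3)
    anchor = make_ds(".", root_ksk)  # stands in for the configured root trust anchor
    links = [
        (".", root_ksk, make_ds("com.", com_ksk)),
        ("com.", com_ksk, make_ds("example.com.", example_ksk)),
        ("example.com.", example_ksk, None),
    ]
    return anchor, links


if __name__ == "__main__":
    anchor, links = build_demo_chain()
    print("validated:", validate_chain(anchor, links))
```

Each link in this walk is one DNSKEY lookup and one DS lookup that the unsigned query in the first diagram never makes; in a real resolver the matching DNSKEY and DS RRsets are cached for their TTL, so the walk above runs once per zone per TTL rather than once per client query.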

So, do I have an alternative solution? No, not just yet...