
Major DNSSEC Deployments on the Horizon?

It looks like the DNS service for a few top-level domains will be more secure in the future.  Announcements, reported by Dark Reading, say that .org, .uk, and .arpa will soon be turning on DNSSEC, joining .swe (Sweden), .br (Brazil), and .bg (Bulgaria).  While DNSSEC doesn’t solve all the security problems with the DNS system (in fairness it was never designed with security in mind, and it shows), it does solve a lot of them.

For those of you who don’t know, DNSSEC is an extension that allows DNS responses to be digitally signed, so a resolver can verify that a record came from the zone’s authority and hasn’t been tampered with in transit.  As phishing and browser exploitation become bigger and bigger parts of security every day, old attacks like cache poisoning and DNS spoofing that were once only used for hacker pranks have become a bigger part of very real attacks and vulnerabilities like this Apple Update Vulnerability from last year.

So does this mean we’re going to see DNSSEC on the .com TLD soon?  Probably not for quite a while, but it’s a good sign when larger domains like .org and .uk are making the move.

Aside from the specific issue, the process of securing the DNS system is an interesting case study in the relative cost of building in security versus patching in security.  As anyone who’s worked in IT or software development can tell you, the former might cause some temporary pain, but the latter quickly turns into a nightmare of backwards compatibility, feature creep, and a significantly higher cost.  And that cost only grows the more heavily deployed and entrenched the existing solution is.

The moral of the story is the same as it usually is: either develop and deploy with security in mind, or at least be aware of where it’s lacking and mitigate the threats as much as possible.

Comments

Comment from Philip Huff
Time: May 6, 2008, 8:08 am

Nice article. I’m glad to see this issue getting some airtime.

In fairness to the creators of DNS, the cryptographic mechanisms of today were not available at the time of its design. I believe DNS only came on the scene in the early eighties. At this time, public key cryptosystems had not taken hold, and crypto was still heavily under the thumb of the NSA (i.e. weak key lengths, supposed backdoors, and export restrictions, OH MY!).

Also, the major issue with DNSSEC is its hierarchical nature. Even if all the root servers deployed it (which I believe they do), most DNS attacks occur at the lower levels. Unfortunately, the realization of DNSSEC requires full saturation. Even if I implemented DNSSEC on my domain, if the client didn’t require a signed response, then the security would be much the same. It would be like running NTLM/Kerberos on your corporate network.

So we are still a far cry from “securing” DNS. It will probably take something like Microsoft setting the default config to only accept signed DNS responses. However, we can all be good security admins and practice what we preach in the meantime.
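As an added example (not code from the post or from the commenter), the Python below models the two things discussed above: how DNSSEC ties an answer to a zone’s key through a chain of DS and DNSKEY records back to a trust anchor, and the point in the comment that the chain only helps when the resolver actually validates. It is a toy: the zone names, keys and addresses are constructed, and an HMAC tag stands in for the RSA/ECDSA signatures real DNSSEC uses, so the zone key plays both halves of a DNSKEY. The record layout and the validation walk are what the example is meant to show.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy model of the DNSSEC chain of trust (added example, not the post's code).
# HMAC-SHA256 with a per-zone key stands in for real public-key signatures.


def canonical_form(owner: str, rtype: str, rdata) -> bytes:
    """Canonical serialisation of an RRset: the exact bytes a signature covers."""
    return "\n".join([owner, rtype] + sorted(rdata)).encode()


def make_rrsig(zone_key: bytes, owner: str, rtype: str, rdata) -> str:
    """Stand-in RRSIG: a tag over the canonical RRset made with the zone key."""
    return hmac.new(zone_key, canonical_form(owner, rtype, rdata), hashlib.sha256).hexdigest()


def make_ds(child_name: str, child_key: bytes) -> str:
    """Stand-in DS record: digest of the child's DNSKEY, published in the parent zone."""
    return hashlib.sha256(child_name.encode() + child_key).hexdigest()


@dataclass
class Zone:
    name: str
    key: bytes                                   # stand-in DNSKEY
    rrsets: dict = field(default_factory=dict)   # (owner, rtype) -> tuple of rdata
    rrsigs: dict = field(default_factory=dict)   # (owner, rtype) -> RRSIG

    def add(self, owner, rtype, rdata):
        self.rrsets[(owner, rtype)] = tuple(rdata)
        self.rrsigs[(owner, rtype)] = make_rrsig(self.key, owner, rtype, rdata)


def build_zones() -> dict:
    """Constructed root / org. / example.org. hierarchy; keys are random per run."""
    root, org, example = (Zone(n, secrets.token_bytes(32)) for n in (".", "org.", "example.org."))
    for z in (root, org, example):
        z.add(z.name, "DNSKEY", [z.key.hex()])        # each zone publishes and signs its key
    root.add("org.", "DS", [make_ds("org.", org.key)])                    # parent vouches for child key
    org.add("example.org.", "DS", [make_ds("example.org.", example.key)])
    example.add("www.example.org.", "A", ["192.0.2.10"])                  # constructed address
    return {z.name: z for z in (root, org, example)}


def zone_chain(zones: dict, owner: str) -> list:
    """Zone names from the root down to the zone authoritative for owner."""
    chain = [n for n in zones if n == "." or owner == n or owner.endswith("." + n)]
    return sorted(chain, key=len)


def _sig_ok(zone: Zone, owner: str, rtype: str) -> bool:
    expected = make_rrsig(zone.key, owner, rtype, zone.rrsets[(owner, rtype)])
    return hmac.compare_digest(expected, zone.rrsigs[(owner, rtype)])


def validate(zones, trust_anchor, owner, rtype, rdata, rrsig) -> bool:
    """Walk trust anchor -> root DNSKEY -> DS -> child DNSKEY -> ... -> answer RRSIG."""
    chain = zone_chain(zones, owner)
    expected_ds = trust_anchor
    for i, zname in enumerate(chain):
        zone = zones[zname]
        if make_ds(zname, zone.key) != expected_ds:
            return False                      # DNSKEY is not the one the parent vouched for
        if not _sig_ok(zone, zname, "DNSKEY"):
            return False                      # DNSKEY RRset is not self-signed
        if i + 1 < len(chain):
            child = chain[i + 1]
            if (child, "DS") not in zone.rrsets or not _sig_ok(zone, child, "DS"):
                return False                  # delegation to the child is unsigned or missing
            expected_ds = zone.rrsets[(child, "DS")][0]
    # finally, the answer itself must carry a valid signature from the authoritative zone
    return hmac.compare_digest(make_rrsig(zones[chain[-1]].key, owner, rtype, rdata), rrsig)


def authoritative_answer(zones, owner, rtype):
    z = zones[zone_chain(zones, owner)[-1]]
    return z.rrsets[(owner, rtype)], z.rrsigs[(owner, rtype)]


def forged_answer(owner, rtype, rdata):
    """A poisoned answer: arbitrary rdata with an RRSIG made under a key that is not the zone's."""
    return tuple(rdata), make_rrsig(secrets.token_bytes(32), owner, rtype, rdata)


def resolve(zones, trust_anchor, owner, rtype, answer, validating: bool):
    """Return the rdata handed to the application, or None if validation rejected the answer."""
    rdata, rrsig = answer
    if validating and not validate(zones, trust_anchor, owner, rtype, rdata, rrsig):
        return None
    return rdata


def demo() -> dict:
    zones = build_zones()
    anchor = make_ds(".", zones["."].key)     # the resolver's configured trust anchor
    genuine = authoritative_answer(zones, "www.example.org.", "A")
    forged = forged_answer("www.example.org.", "A", ["203.0.113.66"])  # constructed
    return {
        "validating_genuine": resolve(zones, anchor, "www.example.org.", "A", genuine, True),
        "validating_forged": resolve(zones, anchor, "www.example.org.", "A", forged, True),
        "non_validating_forged": resolve(zones, anchor, "www.example.org.", "A", forged, False),
    }


if __name__ == "__main__":
    print(demo())
```

The last key in `demo()` is the comment’s point in one line: the same forged answer that a validating resolver throws away is accepted unchanged by a resolver that never asks for signatures, no matter how carefully the zone owner signed example.org. Tampering anywhere in the chain (a DS record in `org.` rewritten without re-signing, for instance) makes `validate()` fail at that link rather than at the final answer.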
