2009: The Year of DNSSEC in America?

Technologies

Vulnerabilities in the underlying Domain Name Service (DNS) system have become widely acknowledged, the most public of these being the Kaminsky exploit, which made the front page of the New York Times in July.[1]

The basic function of DNS that most of us encounter is the so-called "phone book" service: DNS maps human-friendly names such as www.lookmeup.com to machine-readable Internet Protocol addresses (for example 141.142.20.145).[2] This master lookup function is essential for most mainstream use of the Web, and as such, efforts to "spoof" sites have increased as on-line commerce has grown. Basically, spoofing involves keeping the human-readable name the same while altering the IP address attached to it. Functionally, this allows malicious hackers to gain access to private data while the end-user believes they are providing that data to a trusted party (commerce site, bank, etc.). It is estimated that some 10% of the world's 176 million web servers are currently vulnerable to this type of attack.[3]

DNSSEC was created to deal with some of the acknowledged vulnerabilities and weaknesses of the current DNS system. DNSSEC stands for DNS Security Extensions and adds security to the DNS system by providing origin authentication of DNS data, data integrity, and authenticated denial of existence. The changes are an important step forward in securing today's Web and the only known way to address the Kaminsky exploit.[4]
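As an added illustration (not part of the original post), the following Python models the third of those properties, authenticated denial of existence: a signed zone publishes NSEC records that chain every name to the next one in canonical order, so a validating resolver can prove a name does not exist rather than simply trusting an unsigned "no such name" reply. Zone names are constructed for the example, and signature verification of the NSEC records is assumed to have already succeeded.

```python
from typing import Dict, Iterable, Tuple

# Added illustration of DNSSEC authenticated denial of existence (RFC 4034/4035).
# Zone contents are constructed; RRSIG checks on the NSEC records are assumed done.

Key = Tuple[bytes, ...]

def canonical_key(name: str) -> Key:
    """DNSSEC canonical name order (RFC 4034 s6.1): compare labels from the root
    downwards, case-insensitively, with a shorter name sorting before its children."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def build_nsec_chain(owner_names: Iterable[str]) -> Dict[str, str]:
    """Map each owner name to the 'next name' its NSEC record carries. The last
    record points back to the zone apex so the chain wraps around."""
    ordered = sorted(set(owner_names), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next_name, i.e. this NSEC
    record proves no such name exists. An exact match is not covered."""
    k_owner, k_next, k_q = map(canonical_key, (owner, next_name, qname))
    if k_owner < k_next:
        return k_owner < k_q < k_next
    return k_q > k_owner or k_q < k_next  # wrap-around record at the end of the zone

def proves_nonexistence(chain: Dict[str, str], apex: str, qname: str) -> bool:
    """What a validating resolver checks before accepting a signed NXDOMAIN:
    the name must be inside the zone and some NSEC record must cover it.
    (Wildcard and closest-encloser proofs are omitted for brevity.)"""
    k_apex, k_q = canonical_key(apex), canonical_key(qname)
    if k_q[:len(k_apex)] != k_apex:
        return False  # name belongs to another zone; this chain cannot speak for it
    return any(nsec_covers(owner, nxt, qname) for owner, nxt in chain.items())

if __name__ == "__main__":
    zone = ["example.com", "www.example.com", "mail.example.com",
            "A.example.com", "ftp.example.com"]
    chain = build_nsec_chain(zone)
    for q in ("gopher.example.com", "www.example.com", "zzz.example.com"):
        verdict = "proven absent" if proves_nonexistence(chain, "example.com", q) else "not proven"
        print(q, "->", verdict)
```

Without DNSSEC a resolver has no way to tell a genuine negative answer from a forged one; with the chain above, a forged NXDOMAIN for an existing name such as www.example.com fails validation because no signed NSEC record covers it.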

The most important adoption of DNSSEC in the United States will come in response to an August 22nd memorandum from the White House Office of Management and Budget that requires all top-level .gov domains to use the system by January 2009.[5] The adoption by the US government is seen as instrumental because, prior to this effort, there had been little interest in DNSSEC in the United States.

As Network World writes:

"The OMB mandate is 'significant, but it's the tip of the iceberg,' says Rodney Joffe, senior vice president and senior technologist for NeuStar, which sells the UltraDNS managed services suite and operates several top-level domains (TLDs) including .us and .biz. 'All the other TLDs are now scrambling to work on DNSSEC. It's a sea change. There is no question that 2009 will be the year of DNSSEC.'"[6]

Source: 

[1] "With Security at Risk, A Push to Patch the Web", John Markoff, New York Times, July 30, 2008.
[2] "Domain Name System", Wikipedia.
[3] DNSSEC Deployment Initiative, http://www.dnssec-deployment.org/ for the vulnerability percentage; web server estimate from "August 2008 Web Server Survey", Netcraft, http://news.netcraft.com/
[4] "What is DNSSEC", DNSSEC.Net, http://www.dnssec.net/
[5] See [3], DNSSEC Deployment Initiative.
[6] "Feds Tighten Security on .Gov", Carolyn Duffy Marsan, Network World, September 22, 2008.


Comments


How broken is DNS?

I've heard coffeeshop-level arguments (though these are coffeeshops in Palo Alto and Los Altos) that Kaminsky is just more proof that the underlying architecture of the Internet needs to be rebuilt: that nothing short of restarting with a clean sheet of paper will solve the basic security problems. Will DNSSEC be enough?

Alex Soojung-Kim Pang


How Broken is DNS?

I think that DNSSEC is a first step in going through a more thoughtful examination of the entire trust concept that the Internet is built on. The primary problem, in my viewpoint, is that the initial networking design done by DARPA was really mainly focused on redundancy and survivability from an external attack, not internal mischief.

Jerry Sheehan
Manager for Government Program Development @ Calit2/UCSD
phone: 858.336.2622
yahoo: calit2s
skype: zenchaos
twitter: www.twitter.com/zenchaos
