Politics and technical conflicts prevent a systemic solution to DNS security. So patch your DNS servers now! Think of the children!
Before we go anywhere else with this, if you haven't yet patched your DNS
servers against the
DNS spoofing bug revealed earlier this month
, you've made a big mistake.
Drop everything, cancel your vacation and patch it now. The news and blogosphere
are full of advisories, such as this one
, warning of the DNS equivalent of earthquakes and tidal waves
if you don't patch. They're not exaggerating. An attacker could poison your DNS
cache, making queries for one site go to another under their control. It's a
really bad situation.
Doesn't it kill you that problems like this can crop up all we can do is to
install potentially disruptive software patches? It's not right, there should be
a systemic solution for critical infrastructure like DNS. And there is. It's
DNSSEC is a standard for authenticated DNS, where DNS zone data is digitally
signed and clients can check public keys against it to verify that the data in a
reply actually came from the domain it claims to be from. Late in 2007 I wrote
about how DNSSEC
is not all that it was cracked up to be and, in any event, will never be widely
implemented because of political problems
. But it does have its advocates,
many of them in important positions in standards bodies, and it does have some
arguments in its favor. For example, it should, in principle, defeat all cache
poisoning attacks. This is not nothing.
ICANN took the opportunity, given all the attention focused on what could
turn out to be a severe crisis in the DNS, to issue a
document reiterating their positions on and status of deployment of DNSSEC
especially with respect to signing the root zone. They've got a point about the
security relevance of DNSSEC to the current crisis, but they gloss over all of
the problems that I talked about in my previous column.
The ICANN paper focuses on the arguments in favor of DNSSEC, including
backward compatibility, meaning that DNSSEC servers can also serve old-fashioned
unsecured DNS. It also discusses all that ICANN and IETF organizations like the
IAB have done to implement what they can of DNSSEC into the public DNS. Several
top-level domains have already been signed (.SE for Sweden, .BR for Brazil, .BG
for Bulgaria and .PR for Puerto Rico) and several others are preparing to do so
(.ORG. .UK. .CZ for Czech Republic and .GOV). There is even a signed testbed
implementation of the root zone built by ICANN for testing with signed TLDs.
The paper also discusses several moves ICANN is making, some in cooperation
with the IANA and IAB, which it says will require the consent of the US
Department of Commerce. For instance, signing the .ARPA zone and, of course,
signing the root zone. .ARPA is an infrastructure zone used for certain
technical purposes, such as looking up other addresses. A
blog in CircleID
by Patrik F???ltstr??Ã©m (a
senior engineer at Cisco)
takes issue with some of these claims. I don't
know who is right on the legal stuff, but it all goes to show what a hopeless
mess the whole DNSSEC situation is. I think even if all the relevant governing
bodies-ICANN, the IAB, the IANA, even the DOC-were to agree on signing the root
zone, it still wouldn't happen. And if it did, there's plenty of reason to
believe it wouldn't be widely followed by major DNS resolvers.
It's hard enough to get the DNS community to stop using ancient versions of
BIND with lots more vulnerabilities than the new one just revealed. Many
organizations undoubtedly have old DNS servers running that they don't even
remember they have. And we're not even talking yet about all the old,
unsupported embedded devices that act as resolvers. Imagine implementing a new
DNS standard that not only requires upgrading all that software, but probably
upgrading the hardware too. Maybe our children will see it happen.
But in the meantime, we do have a bad situation on our hands. So patch now.
Unless you're using OS X Server, in which case your operating system vendor has not
yet issued a patched version of the DNS server
Security Center Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack