Politics and technical conflicts prevent a systemic solution to DNS security. So patch your DNS servers now! Think of the children!

Before we go anywhere else with this, if you haven't yet patched your DNS
servers against the
DNS spoofing bug revealed earlier this month, you've made a big mistake.
Drop everything, cancel your vacation and patch it now. The news and blogosphere
are full of advisories, such as this one
from Microsoft, warning of the DNS equivalent of earthquakes and tidal waves
if you don't patch. They're not exaggerating. The flaw lets an attacker who
never sees your resolver's queries poison its cache anyway, by flooding it with
forged answers that guess the 16-bit transaction ID, making queries for one site
go to another under their control. The patches make the resolver randomize its
UDP source port as well, so the attacker has to guess that too. It's a
really bad situation.
Doesn't it kill you that problems like this can crop up and all we can do is
install potentially disruptive software patches? It's not right; there should be
a systemic solution for critical infrastructure like DNS. And there is. It's
called DNSSEC.
DNSSEC is a standard for authenticated DNS, where DNS zone data is digitally
signed and a validating resolver checks the signature in a reply against the
zone's published public key (which the parent zone vouches for in turn, up to a
trust anchor) to verify that the data actually came from the zone it claims to
be from. Late in 2007 I wrote about how DNSSEC
is not all that it was cracked up to be and, in any event, will never be widely
implemented because of political problems. But it does have its advocates,
many of them in important positions in standards bodies, and it does have some
arguments in its favor. For example, it should, in principle, defeat all cache
poisoning attacks against a resolver that validates, for zones that are signed:
a forged reply that guesses the right transaction ID and port still fails the
signature check. This is not nothing.
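To make the two points above concrete, here is an added example (my own code, not from the column or from any DNS implementation). It models a resolver that accepts an answer only when transaction ID, port and question match, computes how a blind forger's odds change when the source port is randomized, and then shows that a validating resolver rejects a guessed answer whose RRSIG does not verify. The RSA is a deliberately small toy standing in for a real DNSSEC signature, and the zone data (www.example.com, the two addresses, the transaction ID and port) is constructed.

```python
"""Added example, not part of the column: blind cache poisoning is a guessing
game; DNSSEC validation takes the guess out of it.

A recursive resolver accepts a UDP answer only if its 16-bit transaction ID,
destination port and question match an outstanding query. Before the 2008
patches most resolvers used one fixed source port, so only the ID had to be
guessed; the patch randomises the port too. A validating resolver also drops a
perfectly guessed answer unless its RRSIG verifies under the zone's DNSKEY.
The RSA here is a toy (short keys, raw hash-as-integer padding, text instead
of wire format). Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import random

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
QNAME = "www.example.com."      # constructed sample data
REAL_IP = "192.0.2.10"
EVIL_IP = "198.51.100.66"


def poison_success_probability(forged_packets: int, port_space: int) -> float:
    """Chance that at least one of N forged answers hits the (txid, port) pair
    the resolver is waiting for. port_space=1 models a fixed source port."""
    p_each = 1.0 / (TXID_SPACE * port_space)
    return 1.0 - (1.0 - p_each) ** forged_packets


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin; candidates here are always large and odd."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_zone_key(bits: int = 192, seed: int = 7):
    """Deterministic toy RSA pair (public, private). NOT a real DNSSEC key."""
    rng = random.Random(seed)
    e = 65537

    def prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rrset_digest(name: str, rtype: str, ttl: int, rdata: list) -> int:
    """Hash the RRset in canonical form (owner lowercased, RRs sorted), which is
    what an RRSIG covers; changing any RR changes the digest."""
    h = hashlib.sha256()
    for rr in sorted(rdata):
        h.update(f"{name.lower()} {ttl} IN {rtype} {rr}\n".encode())
    return int.from_bytes(h.digest(), "big")   # 256 bits, below the 384-bit modulus


def sign_rrset(priv, name, rtype, ttl, rdata) -> int:
    n, d = priv
    return pow(rrset_digest(name, rtype, ttl, rdata), d, n)


def verify_rrset(pub, name, rtype, ttl, rdata, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == rrset_digest(name, rtype, ttl, rdata)


def resolver_accepts(answer: dict, outstanding: tuple, validating: bool, zone_pub) -> bool:
    """Legacy resolver: accept on txid/port/question match alone.
    Validating resolver: also require a good RRSIG over the answer RRset."""
    if (answer["txid"], answer["port"], answer["qname"]) != outstanding:
        return False
    if not validating:
        return True
    return verify_rrset(zone_pub, answer["qname"], "A", answer["ttl"],
                        answer["rdata"], answer["rrsig"])


def demo() -> dict:
    pub, priv = toy_zone_key()
    outstanding = (0x1234, 53000, QNAME)          # what the resolver is waiting for
    genuine = {"txid": 0x1234, "port": 53000, "qname": QNAME, "ttl": 300,
               "rdata": [REAL_IP]}
    genuine["rrsig"] = sign_rrset(priv, QNAME, "A", 300, [REAL_IP])
    # The attacker guessed txid and port but can only replay the old signature.
    forged = dict(genuine, rdata=[EVIL_IP])
    return {
        "legacy_accepts_forgery": resolver_accepts(forged, outstanding, False, pub),
        "dnssec_accepts_forgery": resolver_accepts(forged, outstanding, True, pub),
        "dnssec_accepts_genuine": resolver_accepts(genuine, outstanding, True, pub),
        "p_win_fixed_port": poison_success_probability(65536, 1),
        "p_win_random_port": poison_success_probability(65536, 60000),
    }
```

With a fixed source port, 65536 forged packets give the attacker roughly a 63% chance of landing one; with the port drawn from 60000 possibilities the same flood succeeds about once in 60000 tries. The legacy resolver accepts the forged answer as soon as the guess lands, while the validating resolver rejects it because the replayed RRSIG does not cover the substituted address. Note what the model also implies: the signature helps only if the zone is signed and the resolver actually validates, which is the deployment problem the rest of the column is about.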
ICANN took the opportunity, given all the attention focused on what could
turn out to be a severe crisis in the DNS, to issue a
document reiterating their position on DNSSEC and the status of its deployment,
especially with respect to signing the root zone. They've got a point about the
security relevance of DNSSEC to the current crisis, but they gloss over all of
the problems that I talked about in my previous column.
The ICANN paper focuses on the arguments in favor of DNSSEC, including
backward compatibility, meaning that DNSSEC servers can also serve old-fashioned
unsecured DNS. It also discusses all that ICANN and IETF organizations like the
IAB have done to implement what they can of DNSSEC into the public DNS. Several
top-level domains have already been signed (.SE for Sweden, .BR for Brazil, .BG
for Bulgaria and .PR for Puerto Rico) and several others are preparing to do so
(.ORG, .UK, .CZ for the Czech Republic and .GOV). There is even a signed testbed
implementation of the root zone built by ICANN for testing with signed TLDs.
The paper also discusses several moves ICANN is making, some in cooperation
with the IANA and IAB, which it says will require the consent of the US
Department of Commerce. For instance, signing the .ARPA zone and, of course,
signing the root zone. .ARPA is an infrastructure zone used for certain
technical purposes, such as reverse lookups under in-addr.arpa, which map IP
addresses back to names. A
blog in CircleID by Patrik Fältström (a
senior engineer at Cisco) takes issue with some of these claims. I don't
know who is right on the legal stuff, but it all goes to show what a hopeless
mess the whole DNSSEC situation is. I think even if all the relevant governing
bodies (ICANN, the IAB, the IANA, even the DOC) were to agree on signing the root
zone, it still wouldn't happen. And if it did, there's plenty of reason to
believe it wouldn't be widely followed by major DNS resolvers.
It's hard enough to get the DNS community to stop using ancient versions of
BIND with lots more vulnerabilities than the new one just revealed. Many
organizations undoubtedly have old DNS servers running that they don't even
remember they have. And we're not even talking yet about all the old,
unsupported embedded devices that act as resolvers. Imagine implementing a new
DNS standard that not only requires upgrading all that software, but probably
upgrading the hardware too. Maybe our children will see it happen.
But in the meantime, we do have a bad situation on our hands. So patch now.
Unless you're using OS X Server, in which case your operating system vendor has not
yet issued a patched version of the DNS server. Oops.
Security Center Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack