The DNS remains broken and vulnerable. The urgency of the problem has increased greatly this year and DNSSEC "dweebs" are pleading for signing the root zone.
DNS experts have known for a long time that the
system is another of those old designed back in an era when we didn't think too
hard about security, if we thought about it at all. Like most of those
protocols. DNS is too embedded in existing computers and software to displace
easily, and proposed fixes are going nowhere.
A recent ICANN blog explains in fairly simple
language why the DNS is
. It's worth reviewing if you're not already familiar with the
An example of the "cache poisoning"
attack potential for DNS was revealed this summer in a
bug in almost all DNS servers
found by researcher Dan Kaminsky of IOActive
and others showed a remarkable discipline and coordination in contacting DNS
software authors to arrange for coordinated patch release.
But researchers were quick to realize that the fix
wasn't a fix for all cache poisoning attacks. More will follow and there may be
one some day that will not be easily patched. What do we do? As a practical
matter, the DNS is vital to almost every application on the Internet.
As the ICANN blog says, there isn't really a way to
fix the conventional DNS. The answer is to move to DNSSEC, a system which uses
public key encryption to provide authentication of DNS records for clients.
DNSSEC is not new; the original work on it is about 10 years old. But
deployment of it is quite sparse, and limited by the fact that, to be truly
effective, the whole of the DNS hierarchy up to the root servers need to be
digitally signed. Right now the root is not signed; nor are many significant
top-level domains, including .com.
The signing of the root has been held up by the
usual lethargy with which significant ICANN actions and changes to Internet
infrastructure are done. These things always take many years, preceded by committees
to study how the problem should be addressed, committees to decide on who the
relevant interest groups are and, finally, committees to discuss the actual
problem. The signing issue has been complicated by the fact that it's not
really ICANN's decision to make: changes to the root zone must be authorized by
the U.S. government, and specifically by the NTIA (National Telecommunications
and Information Administration) of the Department of Commerce. Here's their DNSSEC
The signing issue has been complicated by some
politics in that it involves the last vestiges of authority of the U.S.
government over the Internet. 10 years ago ICANN was created to take the
government out of more direct authority (which it ran through contracts with
universities and companies like Network Solutions; click
here for a good story about how that worked out
, but it retained
control over changes to the root zone, including signing the root. Recently the
NTIA solicited input on how signing of the root should proceed; their DNSSEC
page includes that solicitation and the reactions of many parties, including
In the past I've
been pretty skeptical of the prospects for DNSSEC to achieve success
and my arguments still have some merit. It's not hard to see political
infighting delaying the signing, or shaping it into a political compromise
which would impede its effectiveness and trust in it. On top of that there are
just the technical inertia problems: like any other big change on the Internet,
many will ignore DNSSEC as long as they have more pressing problems on their
plate competing for budget dollars.
I'm seeing a
consensus emerging among DNS experts
that, in the wake of the
Kaminsky bug, the signing of the root is more clearly an urgent issue and that
acceptable ways to do it are also fairly clear. The root zone is now
administered by the IANA
(Internet Assigned Numbers Authority)
, a department within ICANN.
IANA has some other ominous responsibilities, such as parceling out IP address
and AS number blocks. Their work is occasionally controversial, such as in how
IP and AS numbers are allocated to different parts of the world; the Wikipedia
IANA page states (without any attribution) that the
relationships between ICANN, IANA and other bodies in these administration
tasks are highly political and controversial
. But I think that generally
they are viewed as a dispassionate and apolitical engineering organization.
It doesn't bother me if ICANN and the IANA contract
out the actual signing of the root to a company like VeriSign, as they
currently do with many root zone operations. VeriSign should enjoy no unique
access or other advantage from this relationship, but I'm sure that's well
understood. VeriSign has significant experience in working with the root zone
and it makes sense to take advantage of that.
Much of my skepticism may have confused a vision of
an all-DNSSEC Internet with one where users and services can provide DNSSEC
properly and interact with others. The former is, as things stand now, pie in
the sky, akin to a vision of all Americans tossing their SUVs for hybrids or
fuel cell vehicles. You can imagine it as a technical matter, but economics,
politics and human behavior say it's just not going to happen.
Be that as it may, there's no good excuse for
ignoring a problem we know to be serious and not seeking progress with the only
solution at hand. Failing to make the DNSSEC infrastructure complete is telling
people that they cannot secure themselves, and represents failure on the part
of decision makers.
Lastly, allowing some trusted agency, probably the
IANA, to sign the root zone, does not represent a loss of authority for the US
government as custodian of the root zone. Rather it strengthens that authority
by showing that the government is taking reasonable measures to secure the root
zone and the rest of the DNS.
A bug like the Kaminsky bug that did not have a
practical solution would be a major disaster for the Internet. As it is, months
after patches were made available a
high percentage of DNS servers still are vulnerable
. If it were
impossible to patch, attackers could go after high-profile recursive servers at
prominent ISPs and nobody would be able to trust anything on the Internet
The only responsible way to move is forward, and
the only forward path is through DNSSEC. Put it on your radar if you take your
users' security seriously.
Security Center Editor Larry
has worked in and written about the computer industry since
1983. For insights on security coverage around the Web,
take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap