Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


It's Time to Sign the Root Zone Already



 By: Larry Seltzer
2008-12-01
Article Rating:starstarstarstarstar / 10


There are 5 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The DNS remains broken and vulnerable. The urgency of the problem has increased greatly this year and DNSSEC "dweebs" are pleading for signing the root zone.

DNS experts have known for a long time that the system is another of those old designed back in an era when we didn't think too hard about security, if we thought about it at all. Like most of those protocols. DNS is too embedded in existing computers and software to displace easily, and proposed fixes are going nowhere.

A recent ICANN blog explains in fairly simple language why the DNS is broken. It's worth reviewing if you're not already familiar with the issues.

An example of the "cache poisoning" attack potential for DNS was revealed this summer in a bug in almost all DNS servers found by researcher Dan Kaminsky of IOActive. Kaminsky and others showed a remarkable discipline and coordination in contacting DNS software authors to arrange for coordinated patch release.

But researchers were quick to realize that the fix wasn't a fix for all cache poisoning attacks. More will follow and there may be one some day that will not be easily patched. What do we do? As a practical matter, the DNS is vital to almost every application on the Internet.

Resource Library:

As the ICANN blog says, there isn't really a way to fix the conventional DNS. The answer is to move to DNSSEC, a system which uses public key encryption to provide authentication of DNS records for clients. DNSSEC is not new; the original work on it is about 10 years old. But deployment of it is quite sparse, and limited by the fact that, to be truly effective, the whole of the DNS hierarchy up to the root servers need to be digitally signed. Right now the root is not signed; nor are many significant top-level domains, including .com.

The signing of the root has been held up by the usual lethargy with which significant ICANN actions and changes to Internet infrastructure are done. These things always take many years, preceded by committees to study how the problem should be addressed, committees to decide on who the relevant interest groups are and, finally, committees to discuss the actual problem. The signing issue has been complicated by the fact that it's not really ICANN's decision to make: changes to the root zone must be authorized by the U.S. government, and specifically by the NTIA (National Telecommunications and Information Administration) of the Department of Commerce. Here's their DNSSEC page.

The signing issue has been complicated by some politics in that it involves the last vestiges of authority of the U.S. government over the Internet. 10 years ago ICANN was created to take the government out of more direct authority (which it ran through contracts with universities and companies like Network Solutions; click here for a good story about how that worked out, but it retained control over changes to the root zone, including signing the root. Recently the NTIA solicited input on how signing of the root should proceed; their DNSSEC page includes that solicitation and the reactions of many parties, including ICANN's.

In the past I've been pretty skeptical of the prospects for DNSSEC to achieve success, and my arguments still have some merit. It's not hard to see political infighting delaying the signing, or shaping it into a political compromise which would impede its effectiveness and trust in it. On top of that there are just the technical inertia problems: like any other big change on the Internet, many will ignore DNSSEC as long as they have more pressing problems on their plate competing for budget dollars.

I'm seeing a consensus emerging among DNS experts that, in the wake of the Kaminsky bug, the signing of the root is more clearly an urgent issue and that acceptable ways to do it are also fairly clear. The root zone is now administered by the IANA (Internet Assigned Numbers Authority), a department within ICANN. IANA has some other ominous responsibilities, such as parceling out IP address and AS number blocks. Their work is occasionally controversial, such as in how IP and AS numbers are allocated to different parts of the world; the Wikipedia IANA page states (without any attribution) that the relationships between ICANN, IANA and other bodies in these administration tasks are highly political and controversial. But I think that generally they are viewed as a dispassionate and apolitical engineering organization.

It doesn't bother me if ICANN and the IANA contract out the actual signing of the root to a company like VeriSign, as they currently do with many root zone operations. VeriSign should enjoy no unique access or other advantage from this relationship, but I'm sure that's well understood. VeriSign has significant experience in working with the root zone and it makes sense to take advantage of that.

Much of my skepticism may have confused a vision of an all-DNSSEC Internet with one where users and services can provide DNSSEC properly and interact with others. The former is, as things stand now, pie in the sky, akin to a vision of all Americans tossing their SUVs for hybrids or fuel cell vehicles. You can imagine it as a technical matter, but economics, politics and human behavior say it's just not going to happen.

Be that as it may, there's no good excuse for ignoring a problem we know to be serious and not seeking progress with the only solution at hand. Failing to make the DNSSEC infrastructure complete is telling people that they cannot secure themselves, and represents failure on the part of decision makers.

Lastly, allowing some trusted agency, probably the IANA, to sign the root zone, does not represent a loss of authority for the US government as custodian of the root zone. Rather it strengthens that authority by showing that the government is taking reasonable measures to secure the root zone and the rest of the DNS.

A bug like the Kaminsky bug that did not have a practical solution would be a major disaster for the Internet. As it is, months after patches were made available a high percentage of DNS servers still are vulnerable. If it were impossible to patch, attackers could go after high-profile recursive servers at prominent ISPs and nobody would be able to trust anything on the Internet anymore.

The only responsible way to move is forward, and the only forward path is through DNSSEC. Put it on your radar if you take your users' security seriously.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

 



  Reader Comments: It's Time to Sign the Root Zone Already
>>> Post your comment now!
Signing the root is a BAD idea
I suggest you read my NTIA comments carefully: http://www.ntia.doc.gov/DNS/comments/comment027.pdf Executive Summary: I advise against...
Posted At: 12-08-08
By: Dean Anderson
Huh?
I don't think you're right about this. Vista and 2008 seem to me to have full support. Even XP came with a stack, although I never ran it.
Posted At: 12-03-08
By: Larry Seltzer
A user comment on this article
Not sure about Linux, but Windows support for DNSSEC is still minimal, even in Server 2008. Seems they don't expect to fully support it until...
Posted At: 12-03-08
By: Rich D.
A user comment on this article
Perhaps the switch to DNSSEC should be mandated in a similar fashion to the HD switch. DNSSEC sounds ready for prime time, so pick a switchover date...
Posted At: 12-03-08
By: Rich D
What's Your Sign?
Hi, I'm Larry Seltzer. Have you done anything to move forward with DNSSEC on your company's network?
Posted At: 12-01-08
By: Larry Seltzer
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r8qռFsvg]mGJɖkcY^K7SDH"$e[3g_u^<.KƳ_M@ht7F?{{~$riH1f%yt;{D{{?|oQ/w\!jYT}F[Ȯd ׭Gx6b)?;mnvd .pѰ Qm/5xWü#?h%#@I.b(ӇcQ;#(D>ϱL-: ۗ<7*ރ,}8ݑi/G$$ J<5ϛb;zVq;L Z&QV7[pj9:dF`VFmhhnHyBJI7;j94E;r Kx1O]ӣH0}В^8rrlt򓩥qm\_]7; m\7gH>߉ekby 1=|Jg3Dz3[-:n7O7zCפuܑܽţJf Ȱo0O<Ӡ?kp, ߱f\S;CkG7۫hzxxf5n_"d>L,.̻Jp-uAhJ@u& H)5?*1gUal&XJp;є6`qK0TA0{YtFMɺN}%N !F\r'ӌ `Q%U '!8Q$Ju}3pKjgɇfiY(%YWb wÞ\zcgZuN:WNZNS35ލ`X.B2iI1.ps۫ZxE 3_>CAPU 8ʕ/;6n!S[ö@ S& :gս?y h v1~PÜM*}ݶc_GstDAG6R^lzK$ 47P}HKaI $7Xxп] c_g)H_{ | v*z tn95@%GAMϛLu%08{ ɝ 5zYP+wCR_@b!LDE=PC>u'}QH{|`MA=9nZzߴ@c@\jЇ)Kd˕N ]M CRS$CMPԤv9BB !L0 V(f䎄ЋB> lBa ! gBᡐG=7 >*%qRSٜ(,%1M&ńHVFNH!tP@W)Z&5SN`3%&ql9an5ډI!VBg'9oU 2g8$lreRńy`OE܏a5=%nQ7=ؙPԽǠ3ՂZ)z٦ll.>S-D֒e]X]ۼ/ 7B@4 ur2$@HQٖk ,:+}: K_iHH*6@ڜ[1,C %C/Љ0Z?piwϱ=|qŶf9UV]F&,-s9\aUsV@d@7h` DolVCbx5ZXst~o퓏6(*||S txJiX$ M-=t&.Hɸ:q,?XľΧ 8[5LM^\v/-]֤|vh .(p$'jL?phZ/R3:pm#bhȏE}T5B<D ȸla,Ca9ڴ*3t,˹OG Zfdݞ6MK-i|@ @Mv>uW3pPR@BN:Nt#受^̣nӨ`kn 5|o` 2l3q&/zt|pE% i4)J1F ` L] {Twcyv3$ u`m\ 0H#0/`k Z@/ /PH(KX!°tаթ6-4.&X4ma?"!t`C]ܴ6?fCU^ٯb"R9+"lUP:ΫR 7+(f^v[ oJǞ3cyt<}N=ӨԌsg_mUMwK\sf>%N-¢nj,ۨhXeH]Mۏ͎@'eCPc!=gk)(2H35satߛYx dEM\CN@lW19Mo0pW;RC8{ΣeO.#c˂t!MUmXݚ `d1=jDa#GMLESzڬwԻEvۗԴ)R+d::JЯ9צNf+sJ$ X 4h { *.*rNeW֬YWb/cDH!c#ҧ>Z q[k0hu;w OVr)XU!bW hĞfe]3EtY sCꓰ%g8tMG(Fi(Yk|;` 4fȍ>~7NGդ_:z}E ϣ{jZ!409DW.<u8WX[@aMɧ|X(±FpaNpgDΦr&"7m>S1ѺMmlS~Jq39"nLxP-'F& jEv N1\vrØqvb1gP"H@:eĹ'3W&IT=[yTUG5iH1m29 =EjЊvc\^qTYf)re8e1 Se3*勥"}[7)sJY-@~ ti:ruc`Ei\khit#򑤏]NJ\Du~#75\+%&~͓!zN#'%{hK' K=_lXC=BS6ŭQh]A#f̚ÒfGS4.▨q$: 5ef*ݐU :,irNRO“0Ӂ:t{@Fl~<ڲtDh2)dnS==׵.5>?YWW7gtć)R1iymP*fܓJLÀ>Z|E2/_x0bQ)KW K| j!cc?`C Mqm oT;e2컯$DDK!tM+T2Ll\e\&]~>A++oc@/IC.P;;l4@Ϣh.}f{~Drۧ>k_vZy0q3n{vm/319o4?w8\>kr 4 m*5/1UOu٪}h0.[,4Jj2i&A*$R$]3~Ԧ籵WzyAeXoonpy# sGxG"'npZKli}͏eC:m_;j܉jG, Y#tB^4j Ǎ5vpc^ac;f쐶C 徴kN,8;XS! m-۪1>٠8Fhv~[Qx~WX* 5̀ńBARN(@R`OH[%#EKx$;)38^k]Ih !h:Ua _XJH!)$zeSVok( 6k;Fዢٿ\^ $~1y,~y<~_dxH %'BY3ࠇg2IgҾ8 $Ey"S`ف _.s3$i! R7^?$Eɪڟ@7GdlCJ T5‹6zӖ'>sfx!u -(hq%ќ|̧(oBٺCKk m}[[MxA2%ɩÃ! =)!JښI8'"8J542 eI? U4㓈PV IWɂtj#dž5>ܻԹ8T/i>\7")=&0Gv\& Ґ qm.@1R޲';$!ŤYGJ^K`VKuVN4@8-N`.O zgtϏ%m_'\z@ O$ ۑqD42T`iX'3XV2ahbrх[dnϦZU%3m]'رD}0&hl4g@ \:`N1cn ^UJU2ל8{JnL<<3U7e*3`]YE|Eg%>棏3M!6lwI۸&/s+#AI.#Q Vy_>TdwH7O9!gM[i:jEYl FcONI}i^ul'xZw[qh*A%sC<,L?G'c: I"IVU.yYdU)IYG C8zxH_7Z@Ɍ7Kf-Kg#}}!F.72/s1dxB%?Wgp w. z keD*]s"P#vދRQʧ{irГE mB}޿Vȿ5LĴp|g4TwɁko ?'Ⱦ}԰؉Ǔyxyc,dz_ae=|50[ɰ=Dƙ ad<J6wkVpN Ov!"%JJLal@|Րٲh]Z0q aj}Z/p8|+؊wfχGɎ?eMv s2q p/9ۯmZR|  \B՞ MWɼ2.m>ZQc%Fe?Zc{ϗqG' 4˼g.oKm9+bT ?1#ew,ZUsFM{_}n% It8)" O;E 1Uu@Ex#֘9F2r qxد> b A!@j.N 1%m$5m\ Ƌ2 گX;J! @$oTE+3`1OuXt9rFG4'S׹.Ht|+4(O^hɚ.kWJd {1kC6JfΎn҄\{l4M'GdHNsve,=z[JH}M`Nm @_TC8AWAgTU } ;RY!Ӫ6T¸ TTwgNAg9qsÃc%& Et2O,3 FL;+}œ2Zr;n:}|)`x4X@xJH^4xrQZȟ׶ O;avBc|xXR q?0rڥ[2~|gGq6{뚤N_рoph10Cc'u NQL1WXq}/)!jiXJ{iҩ>/xBH̅8k;Ia@-6,{y-X "Ԋxqu E-۞J*y#-?c@3񊓎zDlzR\ڕf#/RKdKcݲ 8)nHj./i)bKz4@,np "os5%@ؽ՝,_ిʱz$U!^>,#"pt ~Ii&9E'@e $&0I!!L`>j{$j8LT]t'+KJIҶK" 脅3t Qd@ r!#M}ΦU7ٕ@%gvÉt5=.C O p@RBuȮHcߕʒmKHg'&j3Ktcc9;BI-*b 9 pD#qxP`aǞWw˿DUى q)?0O zG <2y]DҵW{R]죕ҳoQԥ}HxǬ1͙K|.RH'!x'x@?.ryLHzbO*RM˭P6cf/_c/BWk:JHYJĽ0zQw;g+MJW9'gb6|>¢ڒ0$A{#}c9ԓ1T} [޳YYhԙLgK&FE Ix0hk4O< +ODy=,PnuKJȽ0%;3_ mtPok.I ݨHO` c9 xRyV.%e=x[ Wn3SF xꮘBF(Ǣ̎EcAC1z<6M-̻"qW=5եvXTF{LƸi y~H]V6 Hu-ǧrLylH ݛsn^> 3ȓxwtEukPjAb)W,֌)}Y0.ׄ' Ėl&ubr߯g 3+e#S+dZCWc" qؘ-U e^ V}0? =EEEEE?â[XtԖn65sp{.HN' =UP%%,;rE׫^c7w6U7f֖Ҩl[g̣dKq'a^Y8nkzR]6́阶 b6qn|5rG$(H=!÷ z:^^X"¦taE)l AY/8r]ݢyٍS(J3J59[q4t lglAp W3ҏ~\ o_ =**ҥs:SWisa%+#{tnmR^bjtl.},z۾^ĸqz֖N/e@ Y' W6mV̸ j ѧ}gm:n\.\wutጜS ;vM z+lyY؋>[&:Sݲ^PjBxHVGizfx́FPDƈ5PgU\ N^eNyn&$5m hX `|J0l -c s0JZ%*|S<^{uĹKqަm,Z^K/vY\yfb ~Dӷ' ¬k–Q3 Ʊ+yWg0IX0̬L} efs6 JpCDʉh =٩z`{I;17 $UXK޹.Yڥm.6e`C>a >㕮{ 4&e§ErjT7>k ţkΤhg!?16?BL^Tt !uJ艠N PAftvD S;GTUT0k G~ um|{%o?n&c,4!^xɜLׇ{;ɯ0f&`Je4DC&_źP>oF Kvˍr٭8? A Z3ʑu~9ѩ}m⊓8[=Kp$e :@a;D0*dXT/!Wg`*Dz+^xg^"Fǹp9a׈0-C'Ġ$FiA h!Fve׏{Kb+JVu{F$kF+rj9ƼBҥb9>"G¿ R$+p=oAE& :pHFPxNIތ󃍑94:MEfNi7T1OCu5b;]C-4tAj-bIALc2ķ>SaMTA9-0)j/- HXPZ<[o1 3tVS#6Vr="z0Ӫac=,*bm3\MpA\R9w|%!_Εs唂Z,ҳoLH+Y-kJI+UP]:eEsv("Z#+2G|z`XACu &ڣ{zznoysb ݵt kPс%s~d|-?(vBA!f7|=Sz1߽ZۭkObc > ^P#$ mM(}2RF;RvuܦB3>Н_$3B;uȃY=ϗ==EO[XYrRf xfZ-j)V${0 ,2; ކQg]ɹn붩t h@$):N<#bV̯R_ CϊQF[Q{Ra4U!TP9).;zZ#Zqp-%5B=5 o-QcDU<11t+OjNTM֏0Y]XC3^o[Wp+$W|Vwn@kl1Ҟp+qܐZiЈ_}BG7./ } Lrt`wG79X:P[٣+b8z'6w_ 6bVJga.G(5=A&aX4D&3 ُ0˯;DN9!,y|tZZ&U}H~Kl1Cib#3" v|P\GMּ Em\w2>(jP^Houڎ܉..ns4 Cb_¼" 2q ,a1;gorS ;嘭#+ENH .T7/;ʡ`e >i?*ejVtKҌ 2@s8םnrhc-i`Ik0'lx D=s,n#B L`+JTu^+iOgq/@]Z (D[4gþHW. }VtQY\#RQ60%lyі51دLl I=zh؊rm9 g9^Lˢ9%"uyԢ_ӭuAKe>T2%U.p4SNq%FԼT[rHISҿBהkH^~ZJ!]^)駐~> s) ?O?ofzڬC)CL2%LiNҿO)aRƧo[i?>[)l'eJ/?CsH?OI-%魔t˔LK˔kC)oiȟ6ȗv|J+(R:~:NJ;NJ@>ק ҡS97~{B7PMJ7@7)$)eZ ծpz ys^TORPyVK˳CHOgESVv a{b.S{JN _ yuڮBR+ +]a%>1Mk[JR}ח: e|*,XW&egbV>cˬ,= >7槸Jxո]@&ٻWe[M'lik|(s3gg=U2̑_dO[PЫʝǒ{Ьagn]!=fD~s)sҷje*m f4e C lAprmov5~c{Ax&`j?7<.vpqk;ُ΋kwء ~3O߆rH'8+?<4s)![Иr{֢@ +zzYkyMǯ=heX7~m:Ow+4/kڇh&{_QpWԱMLAņJ/hbKZ=},PN;=6rg/}bqqgQ%DԌ; P]FZ=*Ȟ{J=C鿙6%]Hqb<ӧ}*Ձ7ҧHτ[TI׿#S%/uLt.-IEjד93\;aKƐc DMKI&ɐ` *I4w9$y/z(2!wP{QptHU1S9F߅Vø|aމƍ0\cpa3 î 20WaGCЫntM~'J`d1@k3IPBыpOazB jO],/*k_Um$>=ASh8OWU;gK“JRwrcw]/I)H[AȹX.NwV Xj#$E '߂!kz2GDYk,XoLD L[ |iM.X$">l}'.}NuK"@"x̴uظiLVhHm;)ڵh2-13 <wخ;qVGt#9e5cpúċB~_v{[>/B`9m4`٣|FKo@軺;˔ziK_$%\!dW<lط +"ۂKuJ-ˤ2q¹"UXJٍbh,8.# kdÿNQ w-9!,y6Z ^<:y,E;"fuݍ¦ezxi" 7]Kl C>`]R>FK ]f'[٦2й=-}b/i;:^G,ϱ{ QFbZ]c8NhՆGHǸ׭[t[ Qz: <Ш1XM&v^Ei܄1농D]T[[ &2ʢc 9Oߵc5pݼ"î,ٿvyXhFXgۙBα Ya1 e[y6WK xH>%7mAb;c9)>-Sg:gq/xO18Y ~˲b>L1wMXBLַ 2lt*X<>Ŵ"&D09'eR:0sh{۟Z3TJH6cw|ftD!@íŕ]^g"a?8#/aggyba*'