DNS Vulnerability Crisis Brings DNSSEC To Forefront Again

Politics and technical conflicts prevent a systemic solution to DNS security. So patch your DNS servers now! Think of the children!

Before we go anywhere else with this, if you haven't yet patched your DNS servers against the DNS spoofing bug revealed earlier this month, you've made a big mistake. Drop everything, cancel your vacation and patch it now. The news and blogosphere are full of advisories, such as this one from Microsoft, warning of the DNS equivalent of earthquakes and tidal waves if you don't patch. They're not exaggerating. An attacker could poison your DNS cache, making queries for one site go to another under their control. It's a really bad situation.

Doesn't it kill you that problems like this can crop up all we can do is to install potentially disruptive software patches? It's not right, there should be a systemic solution for critical infrastructure like DNS. And there is. It's called DNSSEC.

DNSSEC is a standard for authenticated DNS, where DNS zone data is digitally signed and clients can check public keys against it to verify that the data in a reply actually came from the domain it claims to be from. Late in 2007 I wrote about how DNSSEC is not all that it was cracked up to be and, in any event, will never be widely implemented because of political problems. But it does have its advocates, many of them in important positions in standards bodies, and it does have some arguments in its favor. For example, it should, in principle, defeat all cache poisoning attacks. This is not nothing.

ICANN took the opportunity, given all the attention focused on what could turn out to be a severe crisis in the DNS, to issue a document reiterating their positions on and status of deployment of DNSSEC, especially with respect to signing the root zone. They've got a point about the security relevance of DNSSEC to the current crisis, but they gloss over all of the problems that I talked about in my previous column.

The ICANN paper focuses on the arguments in favor of DNSSEC, including backward compatibility, meaning that DNSSEC servers can also serve old-fashioned unsecured DNS. It also discusses all that ICANN and IETF organizations like the IAB have done to implement what they can of DNSSEC into the public DNS. Several top-level domains have already been signed (.SE for Sweden, .BR for Brazil, .BG for Bulgaria and .PR for Puerto Rico) and several others are preparing to do so (.ORG. .UK. .CZ for Czech Republic and .GOV). There is even a signed testbed implementation of the root zone built by ICANN for testing with signed TLDs.

The paper also discusses several moves ICANN is making, some in cooperation with the IANA and IAB, which it says will require the consent of the US Department of Commerce. For instance, signing the .ARPA zone and, of course, signing the root zone. .ARPA is an infrastructure zone used for certain technical purposes, such as looking up other addresses. A blog in CircleID by Patrik F???ltstr??ém (a senior engineer at Cisco) takes issue with some of these claims. I don't know who is right on the legal stuff, but it all goes to show what a hopeless mess the whole DNSSEC situation is. I think even if all the relevant governing bodies-ICANN, the IAB, the IANA, even the DOC-were to agree on signing the root zone, it still wouldn't happen. And if it did, there's plenty of reason to believe it wouldn't be widely followed by major DNS resolvers.

It's hard enough to get the DNS community to stop using ancient versions of BIND with lots more vulnerabilities than the new one just revealed. Many organizations undoubtedly have old DNS servers running that they don't even remember they have. And we're not even talking yet about all the old, unsupported embedded devices that act as resolvers. Imagine implementing a new DNS standard that not only requires upgrading all that software, but probably upgrading the hardware too. Maybe our children will see it happen.

But in the meantime, we do have a bad situation on our hands. So patch now. Unless you're using OS X Server, in which case your operating system vendor has not yet issued a patched version of the DNS server. Oops.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack