Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity
    • Networking

    DNS Vulnerability Crisis Brings DNSSEC To Forefront Again

    Written by

    Larry Seltzer
    Published July 26, 2008
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Before we go anywhere else with this, if you haven’t yet patched your DNS servers against the DNS spoofing bug revealed earlier this month, you’ve made a big mistake. Drop everything, cancel your vacation and patch it now. The news and blogosphere are full of advisories, such as this one from Microsoft, warning of the DNS equivalent of earthquakes and tidal waves if you don’t patch. They’re not exaggerating. An attacker could poison your DNS cache, making queries for one site go to another under their control. It’s a really bad situation.

      Doesn’t it kill you that problems like this can crop up all we can do is to install potentially disruptive software patches? It’s not right, there should be a systemic solution for critical infrastructure like DNS. And there is. It’s called DNSSEC.

      DNSSEC is a standard for authenticated DNS, where DNS zone data is digitally signed and clients can check public keys against it to verify that the data in a reply actually came from the domain it claims to be from. Late in 2007 I wrote about how DNSSEC is not all that it was cracked up to be and, in any event, will never be widely implemented because of political problems. But it does have its advocates, many of them in important positions in standards bodies, and it does have some arguments in its favor. For example, it should, in principle, defeat all cache poisoning attacks. This is not nothing.

      ICANN took the opportunity, given all the attention focused on what could turn out to be a severe crisis in the DNS, to issue a document reiterating their positions on and status of deployment of DNSSEC, especially with respect to signing the root zone. They’ve got a point about the security relevance of DNSSEC to the current crisis, but they gloss over all of the problems that I talked about in my previous column.

      The ICANN paper focuses on the arguments in favor of DNSSEC, including backward compatibility, meaning that DNSSEC servers can also serve old-fashioned unsecured DNS. It also discusses all that ICANN and IETF organizations like the IAB have done to implement what they can of DNSSEC into the public DNS. Several top-level domains have already been signed (.SE for Sweden, .BR for Brazil, .BG for Bulgaria and .PR for Puerto Rico) and several others are preparing to do so (.ORG. .UK. .CZ for Czech Republic and .GOV). There is even a signed testbed implementation of the root zone built by ICANN for testing with signed TLDs.

      The paper also discusses several moves ICANN is making, some in cooperation with the IANA and IAB, which it says will require the consent of the US Department of Commerce. For instance, signing the .ARPA zone and, of course, signing the root zone. .ARPA is an infrastructure zone used for certain technical purposes, such as looking up other addresses. A blog in CircleID by Patrik F???ltstr??ém (a senior engineer at Cisco) takes issue with some of these claims. I don’t know who is right on the legal stuff, but it all goes to show what a hopeless mess the whole DNSSEC situation is. I think even if all the relevant governing bodies-ICANN, the IAB, the IANA, even the DOC-were to agree on signing the root zone, it still wouldn’t happen. And if it did, there’s plenty of reason to believe it wouldn’t be widely followed by major DNS resolvers.

      It’s hard enough to get the DNS community to stop using ancient versions of BIND with lots more vulnerabilities than the new one just revealed. Many organizations undoubtedly have old DNS servers running that they don’t even remember they have. And we’re not even talking yet about all the old, unsupported embedded devices that act as resolvers. Imagine implementing a new DNS standard that not only requires upgrading all that software, but probably upgrading the hardware too. Maybe our children will see it happen.

      But in the meantime, we do have a bad situation on our hands. So patch now. Unless you’re using OS X Server, in which case your operating system vendor has not yet issued a patched version of the DNS server. Oops.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack

      Larry Seltzer
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement— He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.