Securing DNS From The Roots Up

jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDOS attacks and yet-to-be-discovered root holes in bind that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."

  1. And once you lock those down... by dave-fu · · Score: 3, Insightful

    ...then malicious intruders will just go after the core routers, saturate lines, do things of that nature. Not that locking down DNS is a bad thing, but you can't defend everything all the time.

    --
    Easy does it!
  2. Homogeneity is bad by Anonymous Coward · · Score: 2, Insightful

    Does it strike anyone else as a bad thing that all of the root nameservers, and for that matter almost all important nameservers, run BIND? Ergo, a serious security bug can be used to take out all of the root nameservers.

    We need another DNS server that has the (relative) standard compliance and scalability so that we could have some other server software running on some of the root servers. Unfortunately, all of the alternatives I know of don't scale to that volume of transactions, aren't nearly as proven as BIND, and many of them have standards compliance issues worse than BIND.

    1. Re:Homogeneity is bad by A+Masquerade · · Score: 3, Insightful

      I understand that at least one of the root servers is running an alternative DNS implementation produced as commercial licensed software by Nominum (who also produced and maintain the Bind 9.x implementation under contract to the ISC).

  3. General Problems by OzJimbob · · Score: 2, Insightful

    There seem to be some pretty big problems in how the whole DNS system works in the first place; for a system with a fairly high degree of built-in redundancy, I've often found websites where ONE of their DNS servers has gone down, and I can't access the site. The other DNS somehow isn't queried, other caching DNS servers along the chain aren't queried, and it fails. The IP address I'm looking for is, in theory, sitting in a thousand caches all over the net, but it's not fetched? The loss of Microsoft's DNS a few months back is a good (although not particularly worrying) example.

    Then again, maybe I don't notice the times it DOES work like it's supposed to.

    --
    -"I still believe in revolution; I just don't capitalize it anymore." - srini!
  4. DNS is inherently flawed... by Jeremy+Lee · · Score: 4, Insightful

    Don't get me wrong. It's a great system, it's worked for a very long time, it does its basic job admirably. My single main issues with it are its centralization, and increasing politicization.

    I've given this a little thought over the years. There's a few fundamental issues with the centralized DNS system.

    I've tried kicking around a few replacements ideas, like a peer-to-peer exchange system carrying certificates that act a little like resource search records.

    The FreeNet project actually gives a good model for how to distribute and search for these 'domain certificates'.

    I'd like to see a system that you essentially 'anonymously' submit namespace entries to. Conflicts are resolved based on context. If a dozen people want "money.domain", fine. If you try to browse to it without any context, you have to choose which one you want based on other information in the certificates (full name, location, nickname etc) and once you've chosen, that context sticks. URLs would need to be extended to also carry this context, which would probably need to be a cryptographic signature to prevent abuse.

    It constantly amazes me that people are willing to pay $50 to 'own' a record in a database. The domain land grab was just stupid... in virtual space, you can always just make more land. As .info proves.

    DNS will obviously persist for decades, (simply because of the financial and general mindspace investment in 'dots') but hopefully as only one of a plethora of address resolution systems. Name resolution needs to be a pool, not a tree.

    "For as long as the DNS system exists, the Internet will never be free" - Morpheus, while very Drunk

    --
    Jeremy Lee | Orinoco
    1. Re:DNS is inherently flawed... by Elwood+P+Dowd · · Score: 3, Insightful

      I'm sorry, I want DNS to work instantly. FreeNet gives a great model for how to solve this problem if it were ok for DNS to take between 3 seconds and 3 minutes to resolve. 3 seconds is too long. Centralization is necessary. Redundant is good, but it should still be centralized. If anyone can tell me how a decentralized DNS system would allow fast lookups of uncommon names, then I'll change my mind.

      --

      There are no trails. There are no trees out here.
    2. Re:DNS is inherently flawed... by Webmonger · · Score: 3, Insightful

      .Info proves nothing. Our company just registered some .biz and .info domains, and I've advised against using them for anything important.

      .info and .biz basically turn into blackmail, of the form: "What if someone typed in your domain name, and they didn't get your site? It could happen to you, if they type in acme.biz and someone else has registered it. So pay us money and it won't happen." The domains themselves are fairly worthless, because you get funny looks if you use a .info or .biz tld.

      Web addresses should be memorable names. "yahoo" is easier to remember than "www.yahoo.org". And with www.*.com names, all people do remember is "yahoo". The rest quickly becomes standard.

      For humans, "yahoo", "cnet" and "amazon" are all top-level domains. .info just makes things harder to remember. And a lot of the .info names are the same as their .com equivalents.

      Instead of creating new tlds that are mostly duplicates of existing tlds, we should be restricting domain ownership, so no legal person can own more than one domain. That should prevent people and companies from spamming DNS, so that good names remain available.

  5. DJBDNS doesn't obey many RFCs, not OSS either by dido · · Score: 5, Insightful

    You can't do zone transfers using djbdns for one thing. DJB thinks that zone transfers are evil, and has his own method for doing the task (rsync over ssh I believe), but whether they're evil or not is beside the point. Like it or not, zone transfers are a part of the core DNS protocols and any proper successor to BIND must implement them all. Starting a standards war with the IETF is not something I want to have along with a name server I deploy. Let Bernstein write an RFC for publication describing his idiosyncratic methods and get the IETF to ratify it as a core standard if he wants, if he truly thinks his way is the better way. The way he operates reminds me more of the way Microsoft handles standards than anything else.

    Besides, djbdns is also deficient in a far more important way (for me and to a lot of people here on Slashdot anyhow, I hope): it's actually proprietary software with a limited license for gratis use. It's not Free Software or even Open Source, not by any reasonable definition of the term. There is no license along with his programs, and absent a license you have NO RIGHT to share, study, or change Bernstein's code!

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  6. Why DNS? by Anonymous Coward · · Score: 1, Insightful

    Yes, I know the answer is that's the way it's always been done, and it was fine for a few thousand university and government hosts, but isn't it time to obsolesce the whole centralized hierarchy of name resolution?

    At the very least, name server caches could be peered among ISPs.

    At the most extreme, how about devolving name resolution out to the very edges of the net to end users' PCs? Doesn't every PC have a HOSTS file already? Clay Shirky described ICQ as the first program to do an end run around the DNS...what are IM programs besides alternate name resolution systems with messaging features tacked on? (And doesn't that perspective give a frightening new aspect to Hailstorm/My Services/Passport/MSN Messenger?)

    So why shouldn't end users be swapping resolution data across with their instant messages? Why shouldn't websites be passing resolution data directly to site visitors who then pass? Especially in the case of weblogs?

    Yes, I realize that you don't want ecommerce site lookups hijacked by fraudulent resolution data...so there would be a market for a secure resolution service that would behave just like the DNS with Added Security Flavor.

    The best sort of data security is lots of backups.

  7. Re:Uptime matters too by Anonymous Coward · · Score: 1, Insightful

    The maximum uptime I have got for a Linux box is only four months. Screw uptimes - the only way you get uptimes that big is if you haven't upgraded your system and you're leaving it with gaping holes. All those from your top ten lists have regular holes and updates. Not installing them to retain uptime isn't something to be proud of and it's not a measure of an OS.

  8. Re:Security, reliability and the like by flipper28 · · Score: 2, Insightful

    Your comment was worth reading and is better than the others earlier in the thread (djbdns is trying to make cash on people's misunderstanding - and especially goes against the "open source" thing)

    I'm not sure if most people posting to this and other articles understand why dns is the way it is.

    The whole business about the "security" flaws is twofold:
    1. people don't patch their servers because they don't stay on top of things.
    2. most dns servers are not locked down properly (especially those of you using at&t's, worldcom's and other large telco's dns') against zone transfers which allow hackers to find out what you've got.

    DNS is a distributed database with a small lookup latency - this is very different than oracle, ldap and other structures. DNS is redundant and is designed to have broken branches (goes back to America's cold war days - even though bind is not that old!). The network, the data, and redundancy IS segment - have you ever noticed that the root servers never came down - even for a massive virus - most dns outages come from your local ISP's caching dns, which could be running an old version of bind (single threaded mess).
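Both dido's point that zone transfers are part of the core protocol and flipper28's point that many servers are never locked down against them come down to one BIND setting, allow-transfer. The script below is an added example, not code from the thread or from ISC: it audits a named.conf for zones whose transfers are open to any host, applying the options-level default to zones that set nothing of their own. Both configurations are constructed samples, the secondary addresses are placeholders, and the assumption that a missing allow-transfer falls back to allowing everyone reflects the classic BIND 9 behaviour the thread is discussing.

```python
import re

# Constructed sample: a primary where nothing restricts transfers, so any
# client can pull the whole zone with a single AXFR.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
};

zone "example.test" IN {
    type master;
    file "example.test.zone";
};

zone "internal.example.test" IN {
    type master;
    file "internal.zone";
    allow-transfer { any; };
};
"""

# Constructed sample: transfers limited to the named secondaries (placeholder
# addresses), with an options-level default that denies everyone else.
HARDENED_NAMED_CONF = """
acl secondaries { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.test" IN {
    type master;
    file "example.test.zone";
    allow-transfer { secondaries; };
};

zone "internal.example.test" IN {
    type master;
    file "internal.zone";
    allow-transfer { secondaries; };
};
"""

TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
ZONE_NAME_RE = re.compile(r'zone\s+"([^"]+)"')


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' block.
    Brace depth is tracked so nested blocks such as allow-transfer { ... }
    stay inside their parent zone or options block."""
    i, n = 0, len(text)
    while True:
        start = text.find('{', i)
        if start == -1:
            return
        header = text[i:start].split(';')[-1].strip()
        depth, j = 1, start + 1
        while j < n and depth:
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def parse_transfer_acl(body):
    """Return the allow-transfer match list of a block, or None if it has none."""
    m = TRANSFER_RE.search(body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def classify(acl):
    """Map an effective allow-transfer list to a verdict."""
    if acl is None:
        # Assumption: with no statement at zone or options level, classic
        # BIND 9 allowed transfers to any host.
        return 'unrestricted'
    if 'any' in acl:
        return 'unrestricted'
    if acl == ['none']:
        return 'denied'
    return 'restricted'


def audit_zone_transfers(conf):
    """Return {zone name: verdict}, letting zones without their own
    allow-transfer inherit the one from the options block."""
    global_acl = None
    zone_acls = {}
    for header, body in top_level_blocks(strip_comments(conf)):
        if header == 'options':
            global_acl = parse_transfer_acl(body)
        elif header.startswith('zone'):
            name = ZONE_NAME_RE.match(header).group(1)
            zone_acls[name] = parse_transfer_acl(body)
    return {name: classify(acl if acl is not None else global_acl)
            for name, acl in zone_acls.items()}


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_NAMED_CONF), ('hardened', HARDENED_NAMED_CONF)):
        print(label)
        for zone, verdict in audit_zone_transfers(conf).items():
            print(f'  {zone}: {verdict}')
```

Run against the weak sample it reports both zones as unrestricted (one by omission, one by an explicit any); against the hardened one both are restricted to the secondaries ACL, and any zone added later without its own statement inherits none from options rather than falling back to the permissive default.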