Slashdot Mirror


Secure DNS a Hard Sell

ebresie writes "Computer Business Review Online has an interesting article about the lack of acceptance for Secure DNS." From the article: "Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditional security early-adopters, are not rushing DNSsec."

10 of 142 comments

  1. Nice, but not necessary by ehaggis · Score: 4, Interesting

    DNS, if configured correctly, works well. Blind zone transfers and poor setup are usual culprits with exploits. A secure(r) DNS would be nice, but I think there are bigger security fish to fry.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
    1. Re:Nice, but not necessary by mellon · Score: 2, Interesting

      Most people can't tell if they are connected using SSL or not. One of the nice things about secure DNS is that if the DNS response is spoofed, it just doesn't come back. So if you have someone spoofing a zone, you don't see answers to the zone, rather than seeing and accepting the wrong answers. This leads to trying to figure out why "the internet isn't working," which leads to the revelation that someone is spoofing DNS, which leads to the problem being corrected.

      To spoof you without secure DNS, all I have to do is present a copy of the real web page that has all the https:// strings substituted for http:// - at that point unless you're fairly sophisticated, you're going to wind up sending your info to the spoofer, and you're not going to know that you've been spoofed.

      This is not to say that secure DNS is a panacea, but if it were deployed on a widespread basis, it would solve a number of significant problems.

      By the way, speaking of SSL again, it has no root key rollover. Your root keys are preconfigured in your browser. So if a root key is ever compromised, your browser is going to be vulnerable until such time as you download a new copy, even assuming that the root key compromise is detected. DNS also lacks root key rollover right now, but this is a problem that is being worked on, whereas as far as I can tell in the SSL world, at least on a practical level, it's not.
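A small illustration of the fail-closed behaviour mellon describes, added here as an example and not part of the original thread. It models a validating resolver in Go: an ed25519 signature over a toy canonical record stands in for DNSKEY/RRSIG, the zone name and addresses are constructed, and the resolver is assumed to already hold the zone's public key (real DNSSEC obtains it through the chain of trust from the root, which is skipped here). The point it shows is that a forged answer, whether tampered with or re-signed under a key the resolver does not trust, produces no answer at all rather than a wrong one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Answer is a toy signed RRset: owner name, type and data of a DNS answer
// plus an ed25519 signature over its canonical form (the role RRSIG plays).
type Answer struct {
	Name  string
	Type  string
	RData []string
	Sig   []byte
}

// ErrBogus is what a validating resolver hands back instead of a bad answer:
// no address at all, which the client sees as SERVFAIL.
var ErrBogus = errors.New("SERVFAIL: answer is bogus (signature does not validate)")

// canonical is the byte string that gets signed. Owner names are lower-cased
// and rdata sorted so signer and verifier agree on the encoding; this is a
// much simplified stand-in for DNSSEC canonical form.
func canonical(name, typ string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(name) + "|" + typ + "|" + strings.Join(sorted, ","))
}

// Sign is the zone owner's side: produce an answer the zone key vouches for.
func Sign(priv ed25519.PrivateKey, name, typ string, rdata []string) Answer {
	return Answer{name, typ, rdata, ed25519.Sign(priv, canonical(name, typ, rdata))}
}

// Validate is the resolver's side: only a signature from the key the resolver
// already trusts counts. Any key an attacker generates is simply unknown.
func Validate(trusted ed25519.PublicKey, a Answer) ([]string, error) {
	if !ed25519.Verify(trusted, canonical(a.Name, a.Type, a.RData), a.Sig) {
		return nil, ErrBogus
	}
	return a.RData, nil
}

// Unvalidated is the pre-DNSSEC resolver: whatever arrived is the answer.
func Unvalidated(a Answer) []string { return a.RData }

// forge models the spoof mellon describes: the forger rewrites the address in
// a genuine answer but has no way to produce a matching signature.
func forge(genuine Answer, attackerAddr string) Answer {
	genuine.RData = []string{attackerAddr}
	return genuine
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // the zone's key (constructed)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // a key nobody trusts

	genuine := Sign(priv, "bank.example.", "A", []string{"192.0.2.10"})
	tampered := forge(genuine, "203.0.113.66")
	resigned := Sign(attackerPriv, "bank.example.", "A", []string{"203.0.113.66"})

	for _, c := range []struct {
		label string
		a     Answer
	}{{"genuine", genuine}, {"tampered", tampered}, {"re-signed with attacker key", resigned}} {
		got, err := Validate(pub, c.a)
		fmt.Printf("%-28s unvalidated=%v validating=%v err=%v\n", c.label, Unvalidated(c.a), got, err)
	}
}
```

Running it prints the genuine address for all three answers on the unvalidated path and only for the genuine one on the validating path; the other two come back empty with ErrBogus, which is the "the internet isn't working" symptom that leads to the spoof being found.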

  2. bigger fear by keithhackworth · Score: 5, Interesting

    I run my own DNS server at home because I have a bigger fear that my ISP's DNS may be hijacked rather than my bank. It seems like that would be the easiest hole to crack for hackers.

    I would hope that if my bank's DNS servers were hijacked that they would work with me to get any money I lost back. However, if my ISP's DNS servers were hijacked, I don't know that the bank would be as cooperative.

    Keith
    --
    Support bacteria. They're the only culture some people have.
    1. Re:bigger fear by Dolda2000 · Score: 4, Interesting

      That oughtn't be a great problem, however, since your bank (hopefully?) uses an SSL certificate to assure you that you are on the right web site. If you click past the SSL warning that says that the certificate doesn't match the domain name when you go to do some on-line banking, you really shouldn't be all too surprised to find all your money gone the next day.

    2. Re:bigger fear by iambarry · Score: 2, Interesting

      That's why your bank uses HTTPS with a server certificate. They assume that DNS is going to be owned by an attacker.

      The lock in the browser confirms that the site in the URL is the one serving the page.

    3. Re:bigger fear by baadger · Score: 2, Interesting

      How much hard checking do these CAs really do? The user won't notice if it's a smaller CA as long as the root cert is in their trusted list.
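The check behind "the lock in the browser" that iambarry and baadger are discussing, added here as an example and not part of the original thread. It uses Go's standard x509 package: a constructed root CA issues a certificate for bank.example, a second constructed CA that is not in the root list issues one for the same name, and the trusted CA issues one for an unrelated name. The browser-side check requires both a chain to a trusted root and a match on the name the user typed, so a hijacked DNS answer that sends the connection elsewhere fails one or the other, and the last case shows baadger's point that any CA in the trusted list passes like any other.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed certificate authority: its self-signed cert and key.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA mints a self-signed CA certificate valid for one day.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue signs a server certificate carrying dnsName in its subject alternative names.
func (ca *CA) Issue(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserCheck is the check behind the padlock: the presented certificate must
// chain to a root the browser already trusts AND carry the name the user typed.
// DNS only decided where the TCP connection went; it plays no part here.
func BrowserCheck(roots *x509.CertPool, presented *x509.Certificate, typedHost string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: typedHost})
	return err
}

func main() {
	// Error handling is elided in this demo main; the functions above return errors.
	trusted, _ := NewCA("Trusted Root CA") // in the browser's root list
	rogue, _ := NewCA("Some Other CA")     // not in the root list
	bank, _ := trusted.Issue("bank.example")
	fakeBank, _ := rogue.Issue("bank.example")
	otherSite, _ := trusted.Issue("attacker.example")

	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	fmt.Println("genuine bank cert:       ", BrowserCheck(roots, bank, "bank.example"))
	fmt.Println("DNS hijacked, rogue CA:  ", BrowserCheck(roots, fakeBank, "bank.example"))
	fmt.Println("DNS hijacked, wrong name:", BrowserCheck(roots, otherSite, "bank.example"))

	// baadger's point: once a CA is in the trusted list, its certificates pass like any other.
	roots.AddCert(rogue.Cert)
	fmt.Println("rogue CA added to roots: ", BrowserCheck(roots, fakeBank, "bank.example"))
}
```

The first line prints nil and the next two print verification errors (unknown authority, then a name mismatch); after the second CA is added to the pool the forged bank certificate verifies cleanly, which is why the contents of the root list matter as much as the checking any one CA does.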

  3. Perhaps better marketing? by Halo- · Score: 3, Interesting

    I know this is a rather stupid thing to be hung up on, but the referenced link (DNSsec.org) was so visually cluttered and ugly that I couldn't muster the desire to spend much time there.

    Security is always harder to sell than most products, because you are usually trying to convince a customer to spend more time and money for something without a tangible return. (If my DNS hasn't been spoofed yet, why pay money? And even if they do secure it, they don't have an easy way to say: "this saved us X dollars this year, and thus was worth the investment")

    Add in an "official" website which is hard to read, and painful on the eyes, and you've got a hard sell indeed. As petty as it sounds, a better web presence might help ease acceptance.

  4. dnssec and nym ala dan by arakis · Score: 5, Interesting

    Dan is the man in DNS. He pretty much explains why they don't have implementation here:

    http://cr.yp.to/djbdns/forgery.html

    You might not like Dan, but he doesn't get things wrong very often.

    1. Re:dnssec and nym ala dan by mellon · Score: 2, Interesting

      Bwahahahahahaha!

      I find Dan highly amusing, and would find a world without him a sadder place, but that's an opinion piece, without an iota of basis for any of the assertions he makes.

      The one factoid he presents is the Microsoft ActiveX key spoof, which is indeed interesting. It also isn't addressed by his proposal, so I'm not sure what good it is. As for querying multiple servers to validate a lookup, that's a fun idea, but you still haven't cryptographically authenticated the information, and all it would take to hack this would be to successfully spoof the NS records for the zone, which isn't particularly harder than spoofing the zone itself.

      The reason that reputation-based security works is that you have an active, intelligent participant tracking reputation; even in that case, it works only so well - many of the spoofs we're talking about here actually take advantage of someone's trust in reputation, by convincing the person that they are talking to someone to whom they are not actually talking. The better a critical thinker you are, the better reputation-based security will work for you; the more you know in the moment about the person to whom you are talking, the better it will work for you. Lacking either of these, as is the case with Dan's proposal, you've got nothing but a house of cards.

  5. Re:Redundant by Florian Weimer · Score: 2, Interesting

    The problem with SecDNS is that pretty much the same thing is already performed at the SSL level with domain certificates, so there is little argument for changing the DNS system.

    Once you've got a DNSSEC-enabled zone, you can put interesting things into it, like CERT RRs with SSH keys. The advantage is clear: you only pay for the delegation (the domain registration fee), and not for each server certificate individually.

    Apart from the threat to existing CA business models, there are also some unsolved technical problems (cryptographically secured negative answers without providing zone enumeration, for example).
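The "cryptographically secured negative answers" problem Weimer mentions, worked through as an added example that is not part of the original thread. In Go, the zone's names are sorted and each is linked to its successor in a signed record that says "nothing exists between these two", which is how NSEC-style denial of existence works; the resolver checks both the signature and that the queried name actually falls in the interval. The same chain, queried at names that sort just after each record's next pointer, hands out every name in the zone, which is the enumeration leak. The hashed variant replaces owner names with salted digests so a resolver can still validate a denial while the records reveal only hashes; that is the idea later standardized as NSEC3, and it is shown here as a simplification. The zone contents, the salt, and the use of plain string order in place of DNS canonical order are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Denial is a toy NSEC-like record asserting "no name exists strictly between
// Owner and Next", signed by the zone key. Owner and Next are whatever the
// zone's label function produces: the raw name, or a salted hash of it.
type Denial struct {
	Owner, Next string
	Sig         []byte
}

// Plain keeps the owner name visible (NSEC-style behaviour).
func Plain(name string) string { return name }

// Hashed replaces the name with a salted SHA-256 digest (the NSEC3 idea, in
// simplified form). The salt is a constructed constant for this demo.
func Hashed(name string) string {
	sum := sha256.Sum256([]byte("example-salt|" + name))
	return hex.EncodeToString(sum[:])
}

// BuildChain sorts the zone's labels and links each to its successor; the last
// record wraps around to the first. Plain string order stands in for DNS
// canonical order here.
func BuildChain(priv ed25519.PrivateKey, names []string, label func(string) string) []Denial {
	labels := make([]string, len(names))
	for i, n := range names {
		labels[i] = label(n)
	}
	sort.Strings(labels)
	chain := make([]Denial, len(labels))
	for i, l := range labels {
		next := labels[(i+1)%len(labels)]
		chain[i] = Denial{l, next, ed25519.Sign(priv, []byte(l+"|"+next))}
	}
	return chain
}

// covers reports whether q lies strictly inside (Owner, Next), including the
// wrap-around interval at the end of the chain.
func covers(d Denial, q string) bool {
	if d.Owner < d.Next {
		return d.Owner < q && q < d.Next
	}
	return q > d.Owner || q < d.Next
}

// Deny is the authoritative server side: for a name that does not exist it
// returns the signed record covering it; an existing name gets no denial
// (it would get a positive answer instead), signalled by false.
func Deny(chain []Denial, label func(string) string, qname string) (Denial, bool) {
	q := label(qname)
	for _, d := range chain {
		if d.Owner == q {
			return Denial{}, false
		}
		if covers(d, q) {
			return d, true
		}
	}
	return Denial{}, false
}

// ValidateDenial is the resolver side: the record must carry a good signature
// from the trusted zone key AND actually cover the name that was asked for,
// so a genuine record for some other interval cannot be replayed.
func ValidateDenial(pub ed25519.PublicKey, label func(string) string, qname string, d Denial) bool {
	return ed25519.Verify(pub, []byte(d.Owner+"|"+d.Next), d.Sig) && covers(d, label(qname))
}

// Walk is the enumeration leak: with plain owner names, a client that asks for
// a name sorting just after each Next ("\x00" appended) is handed the whole
// zone, one signed record at a time, without guessing a single name.
func Walk(chain []Denial) []string {
	d, ok := Deny(chain, Plain, "does-not-exist.example.")
	if !ok {
		return nil
	}
	start := d.Next
	names := []string{start}
	for {
		d, ok = Deny(chain, Plain, d.Next+"\x00")
		if !ok || d.Next == start {
			return names
		}
		names = append(names, d.Next)
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	zone := []string{"example.", "www.example.", "mail.example.", "ftp.example."} // constructed zone
	plain := BuildChain(priv, zone, Plain)
	d, _ := Deny(plain, Plain, "intranet.example.")
	fmt.Printf("plain denial for intranet.example.: (%s, %s) valid=%v\n",
		d.Owner, d.Next, ValidateDenial(pub, Plain, "intranet.example.", d))
	fmt.Println("zone walk recovers:", Walk(plain))
	hashed := BuildChain(priv, zone, Hashed)
	h, _ := Deny(hashed, Hashed, "intranet.example.")
	fmt.Printf("hashed denial: (%s.., %s..) valid=%v\n", h.Owner[:12], h.Next[:12],
		ValidateDenial(pub, Hashed, "intranet.example.", h))
}
```

The plain denial for intranet.example. is the signed interval (ftp.example., mail.example.), and the walk lists all four zone names; the hashed denial validates just as well but exposes only two digests, which is the trade the hashed approach makes between authenticated denial and keeping the zone private.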