New IAB Chair Defends DNSSEC
bednarz writes "Olaf Kolkman, the new chair of the Internet Architecture Board, says that DNSSEC — an approach to authenticating DNS traffic that has been slow to take off — is not a failure. 'It is taking a while to percolate into software, and for that software to percolate into the market, and for people to adapt their environments to deploy and operate DNSSEC. The deployment is hindered by a chicken-and-egg problem'."
Development and implementation have been slow or nonexistent across the board. But that doesn't mean it is a failure.
No, OK, I'll grant him that. But sometimes, no matter how useful (or perhaps good) an idea is, it just doesn't happen. Sorry mate.
In the interview he says that it's a bit of a "chicken and the egg" problem, yet while he lists a few minor adopters who have it somewhat deployed, he has no concrete solution to the problem.
Any type of DNS security or verification is certainly interesting, and probably beneficial, but DNS is 25-30 years old and still works; there just isn't a compelling reason to augment it for most people who deal with keeping DNS servers running.
My rantings, only longer and with better spelling.
My personal motivation to work in this space is that I want to allow my now 3- and 6-year-old children to make use of the Internet based on the same core principles as I now know them.
You really want your 3- and 6-year-olds to inherit the spam-ridden porn-fest we have today? That's just mean. Think of the children!
Internet publication
djbdns: DNS forgery

I've given a few talks on "The DNS security mess": 2003.02.11 (slides available), 2003.03.18 (slides available), 2004.04.28 (slides available).

An attacker with access to your network can easily forge responses to your computer's DNS requests. He can steal your outgoing mail, for example, and intercept your "secure" web transactions.
If you're running a DNS server, an attacker with access to your network can easily forge responses from that DNS server to other people. He can steal your incoming mail, for example, and replace your web pages.
An attacker from anywhere on the Internet, without access to the client network and without access to the server network, can also forge responses, although not so easily. In particular, he has to guess the query time, the DNS ID (16 bits), and the DNS query port (15-16 bits). The dnscache program uses a cryptographic generator for the ID and query port to make them extremely difficult to predict. However,
As of November 2002, CERT is panicking because they didn't realize how trivial this was, even though I spelled it out in a posting in July 2001.
Larger cookies in the DNS protocol could make blind attacks practically impossible. (Caches could achieve a similar effect without protocol changes by repeating queries a bunch of times with different ports and IDs, at the expense of speed and reliability.) However, attackers with access to the network would still be able to forge DNS responses.

Public-key signature systems

Modern cryptography offers a tool to prevent forgeries: a public-key signature system. In short:
The signature is a complicated mathematical function of the document and the key.

DNSSEC: theory and practice

DNSSEC is a project to have a central company, Network Solutions, sign all the .com DNS records.
Here's the idea, proposed in 1993:
However, as of November 2002, Network Solutions simply isn't doing this. There is no Network Solutions key. There are no Network Solutions *.com signatures. There is no secure channel (in fact, no mechanism at all) for Network Solutions to collect *.com keys in the first place.
Even worse, the DNSSEC protocol is still undergoing massive changes. As Paul Vixie wrote on 2002.11.21: