Slashdot Mirror


Feds Tighten DNS Security On .Gov

alphadogg writes "When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency. That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption."


  1. Just what they want you to think by Punko · · Score: 4, Insightful

    "you can be confident that every U.S. government Web page is being served up by the appropriate agency."

    The easiest way to entrap a victim is to promote a feeling of security.

    Nothing says 'rob me blind' more than 'trust us'.

    --
    If only we could fall into a woman's arms without falling into her hands
    1. Re:Just what they want you to think by PainMeds · · Score: 5, Funny

      Nothing says 'rob me blind' more than 'trust us'.

      Which is why this originated from the IRS.

    2. Re:Just what they want you to think by noidentity · · Score: 5, Funny

      On a similar note,

      When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist

      Wait, those are two different things?

    3. Re:Just what they want you to think by Anonymous Coward · · Score: 4, Funny

      The IRS is not a scam artist... it is a protection racket.

      And generally, yeah, you want to make sure you pay the right guy in a protection racket.

    4. Re:Just what they want you to think by jonaskoelker · · Score: 4, Insightful

      "you can be confident that every U.S. government Web page is being served up by the appropriate agency."

      The easiest way to entrap a victim is to promote a feeling of security.

      I would venture a guess: any visitor to *.gov who doesn't know what a packet is (i.e. at least 95% of the public) will already feel secure. Also, since the difference between secure DNS and insecure DNS will be absolutely invisible to them (presumably), they won't feel any more or less secure now. Or they won't know what the difference between the green padlock and the yellow padlock is. At any mention of the secure DNS in the press, these 95% of visitors will have forgotten about it the next day [just as I might].

      Bottom line: no one who doesn't deal with computers either professionally or as a hobby will notice. Their feeling of security will be unaffected.

  2. Glad they fixed that by Anonymous Coward · · Score: 2, Insightful

    Now I can be sure I'm giving the IRS my money and not some other scam artist. I mean, not some scam artist. (:

  3. Spam Can Bypass God by mfh · · Score: 2, Funny

    Yes, but with this handy +4 magic marker, spammers can bypass the multi-trillion dollar infrastructure and pwn your inbox.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  4. How About They.. by neoform · · Score: 4, Informative

    They really need to crack down more on sites like this one: http://www.usagc.org/ while they're at it.

    WIN A FREE GREEN CARD! SIGN UP NOW FREE!*

    * $100 entry fee.

    --
    MABASPLOOM!
  5. Good for opportunistic encryption by Matt+Perry · · Score: 4, Interesting

    If my memory is correct, DNSSEC is one of the prerequisites for making opportunistic encryption easier to deploy widely. I hope this catches on and becomes more widespread.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  6. Now if only... by InvisblePinkUnicorn · · Score: 2, Insightful

    Now, if only we could be confident about exactly where our taxes are going...

  7. How useful is DNSSEC w/o top-level signed? by jamie · · Score: 4, Interesting

    I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. If I understood it right, the main attack DNSSEC is intended to prevent is a man-in-the-middle returning a fake response to your computer's (or your ISP's computer's) DNS query, a fake that it accepts in place of the real response.

    If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.

    Anyone know how plausible that attack remains? Knowledgeable responses welcome :)

    Of course, part of getting DNSSEC set up for the whole internet is seeing how well it plays out in real-world testing, and .gov is the logical place to start. I assume once any kinks are discovered from this rollout, we'll be one step closer to enabling it on the root servers, which will allow any TLD to achieve a real security gain.

    1. Re:How useful is DNSSEC w/o top-level signed? by jonaskoelker · · Score: 5, Informative

      I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. [...] If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov.

      That would be my exact understanding as well.

      The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root. Every response to a request contains an answer, and a signature on that answer. As an additional request, you can ask for public keys too.

      So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:

      1. Ask root for whitehouse.gov
      2. Receive IP of nameserver for .gov [check its signature]. Root may opt to give you the public key of .gov, otherwise ask for it and check its signature.
      3. Ask .gov for whitehouse.gov
      4. Receive IP of whitehouse.gov [check sig]. Also, .gov may opt to give you the public key of whitehouse.gov
      5. Connect, now you know where to go :)

      This secures step 4. Step 2 is still not secured. Paul Vixie has given some good talks on DNSSEC and everything else that's wrong with the interwebs ;) See http://www.usenix.org/events/lisa05/tech/mp3/vixie.mp3. You may also like http://media.defcon.org/dc-13/audio/2005_Defcon_V7-Paul_Vixie-The_Internets_March_of_Folly.mp3.

    2. Re:How useful is DNSSEC w/o top-level signed? by Dolda2000 · · Score: 2, Informative

      I shan't call myself too knowledgeable about DNSSEC, but as far as I've understood it, it should be perfectly secure as long as the client systems have the .gov TLD's public key installed as an anchor of trust. Which they currently don't, of course, but that's another issue.

    3. Re:How useful is DNSSEC w/o top-level signed? by mpeg4codec · · Score: 5, Informative

      If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.

      Anyone know how plausible that attack remains? Knowledgeable responses welcome :)

      First, to answer your question regarding the plausibility: there are a few scenarios in which it is possible. The most likely scenario is that you're on the same local network as an attacker so that he/she can intercept your DNS traffic and forge replies. This might be the case when you're using the wireless provided at a coffee shop, for instance. There exist automated tools to make this simple, and I would consider this the biggest vector of attack. The only other case I can think of is that an attacker has control of a router between you and the root servers. While this is technically possible, I would personally regard it as fairly infeasible for the average attacker. If you're in $THIRD_WORLD_COUNTRY and the mob controls internet access, you might have something to worry about.

      I'm involved with a project called SecSpider that monitors the deployment of DNSSEC. We use a distributed network of pollers around the world to collect RRsets from all known DNSSEC-enabled zones. One of the reasons we use pollers from different locations is to detect attacks such as either of the two listed above, more likely the latter. If any attack were to occur, we stand the best chance of detecting it. We have been monitoring since 2005 and have yet to see such an attack.

      An additional benefit of collecting all these RRsets is that we have what we call a "world-wide perspective" on DNSKEYs. Whenever we collect a set of DNSKEY RRsets from a zone, if the set is consistent across pollers, we add it to our DLV repository. A DLV (DNSSEC lookaside validation) resource record is very similar to a DS (delegation signer) record. It contains a cryptographic hash of the DNSKEYs served by a zone so that the zone's integrity can be checked. However, instead of being served by the zone's parent, it can be served by anyone.

      The typical way in which a resolver detects if a zone is secure is by tracing a secure delegation from the root. Instead of the typical manner of starting at the root and querying recursively for NS records, the resolver queries for both NS and DS records. Then when it queries one of the nameservers listed in the NS records, it asks for the DNSKEYs and verifies them using the DS record. In this way, it is possible to build a chain of trust that leads all the way back to the root nameservers.

      Unfortunately, without the root being signed, this process will not work. One alternative is to configure your resolver to query for DLV records to bootstrap the process. When your resolver queries a zone for DNSKEY RRs, it will also query the DLV repository for a DLV record matching that zone. It will then attempt to cryptographically verify the DNSKEYs using that record. If it verifies, you know that someone you trust thinks your DNSKEYs are right, side-stepping the typical chain of trust (thus the name: "lookaside"). If you were to configure your resolver to use our repository, you would be able to verify if the DNSKEYs you receive are the same as the DNSKEYs being seen by all of our pollers around the world. Not perfect security, but definitely an improvement on the current situation.

      If you're interested in the details of our project, you can check out our web site or ask me for more details. We have information on how to use our repository in our FAQ.

      You mention the notion of real-world testing of DNSSEC. It's worth noting that there are actually several TLDs that are currently signed (mostly ccTLDs), as well as a large number of second-level domains. gov is hardly the first, but it should definitely be the highest-profile rollout to date. We're currently waiting with bated breath to see the outcome.
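The DS/DLV check described in the comment above, which is the same "parent vouches for the child's key" step as in the numbered walk-through earlier in the thread, sketched as an added example (not part of the original thread and not SecSpider's code). It covers only the digest match between a served DNSKEY and a DS or DLV record, not RRSIG signature verification; the key bytes, the dictionary-based repository and the function names are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical DNS wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone, rdata):
    """DS/DLV fields: (key tag, SHA-256 of owner name + DNSKEY RDATA)."""
    return key_tag(rdata), hashlib.sha256(wire_name(zone) + rdata).hexdigest()

def check_zone_keys(zone, served_keys, parent_ds, dlv_repo):
    """Classify a zone's served DNSKEYs against the parent DS, else a DLV repository."""
    for source, records in (("DS", parent_ds), ("DLV", dlv_repo)):
        expected = records.get(wire_name(zone))
        if expected is None:
            continue  # this source has no record for the zone; try the next
        if any(make_ds(zone, k) == expected for k in served_keys):
            return "secure via " + source
        return "bogus"  # a digest exists but no served key matches it
    return "insecure"   # nothing to verify against

# Constructed sample data: made-up key bytes, not real .gov keys.
# Flags 257 marks a key-signing key; algorithm 8 is RSA/SHA-256.
GOV_KSK = dnskey_rdata(257, 8, bytes(range(64)))
FORGED_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
PARENT_DS = {}  # unsigned root: the parent publishes no DS record for gov
# Simplification: a real DLV record lives under the repository's own zone name.
DLV_REPO = {wire_name("gov"): make_ds("gov", GOV_KSK)}

if __name__ == "__main__":
    print(check_zone_keys("gov", [GOV_KSK], PARENT_DS, DLV_REPO))
    print(check_zone_keys("gov", [FORGED_KSK], PARENT_DS, DLV_REPO))
    print(check_zone_keys("example.gov", [GOV_KSK], PARENT_DS, DLV_REPO))
```

A zone with a published digest but no matching key is treated as bogus rather than insecure, which is what lets a validating resolver reject a forged DNSKEY instead of silently falling back to unsigned DNS.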

  8. SSL, anyone? by SanityInAnarchy · · Score: 2, Insightful

    What does DNSSEC buy me if I use https?

    And if irs.gov isn't supporting https, wouldn't that be the place to start, rather than DNSSEC?

    --
    Don't thank God, thank a doctor!
  9. Scam by Arthur+B. · · Score: 2, Informative

    www.irs.gov — is operated by the Internal Revenue Service and not a scam artist

    www.irs.gov is operated by a scam artist

    There, fixed that for you.

    --
    \u262D = \u5350
  10. I wish they had thought of that by Chrisq · · Score: 2, Funny

    Before I took up their cash-in hand job offer to deliver a package to their embassy in Islamabad. I've started to wonder whether the ticking really is an alarm clock. ;-)

  11. A bar decides to have a contest about ... by Anonymous Coward · · Score: 5, Funny

    who can squeeze every last drop of juice out of a lemon. So, the local strong guys line up and try....

    The first guy, a big burly construction guy, gives it a try and squeezes the lemon so that nothing comes out.

    A big body builder guy walks up and squeezes some more drops out but then nothing.

    Another big guy shows up and nothing. Just as the bartender was about to announce a winner, a small, bespectacled fellow wearing a business suit walks up and says in a mousy voice, "Let me try."

    Laughter ensues around the bar and they hand him the lemon. He squeezes and out pours more juice and he's declared the winner. The body builder asks, "How did you do that ?!?"

    The little guy answers, "I work for the IRS."

  12. Re:IRS vs. Scam Artists? by psmears · · Score: 2, Informative
    Yes it can—comme ça!

    (you need to use HTML character entities: "comme ça". Slashdot only supports some—a fairly arbitrary subset—of these.)

  13. HOORAY. This is a GOOD THING. by dwheeler · · Score: 3, Insightful

    This won't solve all the problems of the universe, but this is a GOOD THING. Securing DNS is absolutely critical to making the Internet a safer place. If I type in "irs.gov", I want to go to "irs.gov", not some spam site, and this helps me get there. DNSSEC can provide IP addresses with a strong guarantee that the IP addresses are actually correct. DNSSEC can even provide other keys, and make it possible to EASILY send secure emails without having to do a key exchange ahead-of-time. See, for example: http://www.dwheeler.com/essays/easy-email-sec.html

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  14. Not so fast! by duplo1 · · Score: 3, Interesting

    My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks. Moreover, according to RFC4035, delegation records and glue records aren't subject to public key verification (i.e. not signed), so DNSSEC could still be vulnerable. Until DNSSEC is pushed out to the end user to the point that our browsers are performing signature verification, I don't think it's going to buy us the security we're looking for. Even then, with PKI being notoriously difficult to implement, I'm sure it will be botched and somebody will find ways to poison public key registries with fake public keys, etc.

  15. This can deal with the Chicken-and-egg problem by dwheeler · · Score: 3, Informative

    You're quite right, it's perfectly secure if the client systems have the .gov TLD public key. And almost no one does, today. Of course, no one will bother trying to get DNSSEC or these keys until there's something to verify.

    This is a classic chicken-and-egg problem. The good news is that the U.S. government _CAN_ require that its OWN sites implement DNSSEC - and once that's done, people who deal with those sites (most U.S. citizens) will have a reason to install DNSSEC and the relevant .gov keys.

    What will probably happen is that there will be a Firefox plug-in (if there isn't already) that supplies these keys, and slowly browsers will add support for all this. The result: Accessing these sites will become more secure, over time. Good thing.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
    1. Re:This can deal with the Chicken-and-egg problem by Lennie · · Score: 2, Informative
      --
      New things are always on the horizon
  16. Re:Banks? by Chyeld · · Score: 2, Insightful

    Why? Don't we have enough laws that attempt to legislate technology? Yes it's a desirable technology, but do we really need to be chained to it with a law that two decades from now will solely be an obstacle to implementing the next new desirable technology?

    Banks and other businesses will move to it once they see a good business case in doing so. Let that decide matters.

    Please understand, I'm not a laissez faire sort of fellow most of the time. But if you have the government start trying to decide how the core mechanics of the internet work, I guarantee you whatever small benefit you gain from the initial decision will be drowned out by the stagnation that results later on.

  17. Why this is a bad example by OpenYourEyes · · Score: 3, Informative

    Ignoring if DNSSEC is good or not, this is a pretty bad example of why to do this. Nobody goes to irs.gov to file their taxes. Instead, they go to a third-party (like Quicken, as just one example) who will file their taxes with the IRS. This was part of a deal worked out many years ago - in exchange for the IRS not providing its own e-file solutions, the third-party companies would have to provide free online e-filing (but would still, of course, be able to sell their own software to do the same thing).

  18. Re:Banks? by AnyoneEB · · Score: 2, Insightful

    He is giving an example of an attacker getting access to his debit card and the bank taking no liability for it. You are free to complain about him whining because you think he should be the one liable, not the bank (that is a different, irrelevant argument), but the topic of discussion is that the bank customer is liable, not the bank. This means the bank has no incentive to improve their security. In fact, better security probably costs more -- at least the cost of paying someone to figure out how to fix problems with their current procedures -- so they have a direct financial incentive to keep the security at the current status quo. Although, if the other banks improve, competition may force them to make changes.

    --
    Centralization breaks the internet.