Slashdot Mirror


DNS Inventor Tackles Flaw

nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, let attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."

101 comments

  1. Hmm... by tripdizzle · · Score: 4, Insightful

    but was intended for additional security measures to be added to it later

    Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

    --
    "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    1. Re:Hmm... by incripshin · · Score: 2, Funny

      Perhaps they could have enforced 32-bit public key encryption?

    2. Re:Hmm... by gnick · · Score: 4, Insightful

      but was intended for additional security measures to be added to it later

      Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

      Well, yeah. Here's the first instance I know of:

      Carl: Hey, I just figured out that by attaching a piece of slate and some handles to this thing I call the "wheel", I can haul around deer carcasses much more easily than my previous method of throwing them over my shoulder and crawling. I call this new contraption the "wheelbarrow".

      Lenny: That's great! I think that I'll use it to haul home my fiancée after I propose by clubbing her over the head. When I'm moving people around with it, I'll call it a "car". Of course, if anyone wanted to use the "car" for frequent trips or moving multiple people around, they'd have to make significant improvements.

      Homer: Your car sucks. Why in the hell did you design it like this? This thing looks like it was made to haul around deer carcasses, not people! This is obviously an incomplete solution - Why did you show it to us without perfecting it first!?! You're an idiot.

      Preemptive retort to silly overly-critical responses: I agree, it is a deeply flawed analogy. Its primary intent was humor while only lightly relating to the incomplete implementation of the DNS system.

      Cheers.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Hmm... by Sanat · · Score: 2, Funny

      Thank you for using a car analogy

      --
      And in the end, the love you take is equal to the love you make
    4. Re:Hmm... by MrNaz · · Score: 1

      You win. That is flat out the best car analogy EVER.

      --
      I hate printers.
    5. Re:Hmm... by Anonymous Coward · · Score: 0

      but was intended for additional security measures to be added to it later

      Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

      Yes, yes it is. For example, sometime around 20 A.D. 'God' released Religion 2.0, because of massive user error encountered during the original release.

  2. Re:Wow by Goaway · · Score: 1

    Not just new here, very, very new here.

  3. I tried to RTFA... by dkf · · Score: 5, Funny

    ... but it seems that a DNS attack redirected it to a fluff piece without any useful content.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
    1. Re:I tried to RTFA... by alexandreracine · · Score: 0, Offtopic

      You use DNS? I thought that 216.34.181.45 users were using IPs directly.

      --
      No sig for now.
    2. Re:I tried to RTFA... by hesaigo999ca · · Score: 1

      Actually...it redirected to a page, with a hidden iframe cross scripting to another website, that has malware waiting for you.

    3. Re:I tried to RTFA... by belmolis · · Score: 1

      I didn't find the linked article very informative, but with the help of Google found this very nice explanation of the problem.

    4. Re:I tried to RTFA... by badkarmadayaccount · · Score: 1

      Offtopic?! Mods, can I have what (some of) you are smoking?

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    5. Re:I tried to RTFA... by alexandreracine · · Score: 1

      I guess they didn't check that 216.34.181.45 was /.

      --
      No sig for now.
  4. Re:Wow by incripshin · · Score: 1

    You are seeing it. I, also, am.

  5. We'll add security later by Anonymous Coward · · Score: 0

    sounds like something I'd expect from Microsoft. What a horrible plan. We're not in Kansas anymore, Dorothy.

    1. Re:We'll add security later by Hal_Porter · · Score: 5, Informative

      Not really. Back when DNS was invented (1982) pretty much everything connected to the Internet was essentially a trusted machine. Arguably that was almost true until the Morris worm in 1988. Of course you could never truly trust them, but the idea was that if someone did something silly other people would phone them and then they would stop. Essentially it was an anarchy populated by non malicious people.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  6. Law is only way by Eravnrekaree · · Score: 2, Insightful

    Really, the only way to get ISPs to offer secure DNS protocols is to require it by law. Otherwise, it's just their nature not to, to be lazy and ignore it, as they do with IPv6. So mandate it by law I say.

    1. Re:Law is only way by tripdizzle · · Score: 1

      You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    2. Re:Law is only way by howdoesth · · Score: 5, Funny

      You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.

      I see you're using the sense of "always" that means "occasionally" or even "very rarely."

    3. Re:Law is only way by mmell · · Score: 2, Informative

      That's right - let the Governments of the world fix the internet by legislation; after all, we all know how well the government understands the tubes of the intarweb. Perhaps Al Gore could be tapped to spearhead this incredibly important piece of legislation.

    4. Re:Law is only way by tripdizzle · · Score: 4, Funny

      Not really, you do not need the internet to survive, it's a luxury.

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    5. Re:Law is only way by someone300 · · Score: 1

      I don't need it to survive as such, but internet access is pretty much a job requirement when working in my field, so I need it to buy food. :D.

    6. Re:Law is only way by Cerberus7 · · Score: 4, Insightful

      True enough, but the Almighty Invisible Hand of the Free Market isn't taking care of this, either.

      --
      I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
    7. Re:Law is only way by chelsel · · Score: 1

      you don't need electricity to survive either, but I wouldn't want to be without it.

    8. Re:Law is only way by spydabyte · · Score: 1

      Tell that to a corporation or small business. For their "survival" they need the internet. Now if you're talking about human survival.... we're all in America right? /sarcasm

    9. Re:Law is only way by ObsessiveMathsFreak · · Score: 1

      Just like central heating, electricity, piped water supplies, and your car.

      --
      May the Maths Be with you!
    10. Re:Law is only way by tripdizzle · · Score: 1

      Businesses have much more of a choice than just some person. Businesses in my area have many different choices, but if you are residential, it's either Comcast or dial-up.

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    11. Re:Law is only way by Skapare · · Score: 1

      That's why we also need competition in internet access services. And I don't mean just a 2nd provider. We need enough providers to be sure at least one will be innovative in a technology way (not just innovative in a marketing way). We need enough providers to be sure at least one will do things right. I believe that means we need at least 6 such providers. Unfortunately, that is not a practical number of infrastructure overbuilds. So we need some kind of shared, neutral, "last mile" facility that all providers can use. And that should be individual fiber all the way from the central office to the home (or business).

      --
      now we need to go OSS in diesel cars
    12. Re:Law is only way by spydabyte · · Score: 1

      The internet appears to have issues with laws.

      As seemingly does the rest of society.

      My point is that just because there's a law, doesn't mean it's followed or enforced. My solution is to just release enough security threats (redirects in this case) that people are simply forced to switch. In basic terms, money is the only reason why people change. Take the American government, for my obligatory Obama plug. /zing!

    13. Re:Law is only way by gnick · · Score: 1

      Boycott is still an option, just a very inconvenient one due to your life choices. If your ISP options were bad enough, you could change careers or move. Those are major adjustments to (I assume) minor grievances, so I suspect that you'll do neither. There are only a few things that can't be boycotted if the situation is dire enough.

      Don't like your ISP options? Sign off the Internet when at home or move.
      Think music costs too much? Stick to free music services or limit yourself to your current collection.
      Think gas costs too much? Use less - Move, change jobs, or change transportation methods if necessary.
      Pissed off about everything? Move to Montana with a .22 for shooting rabbits, self-fertilize your garden, and buy a typewriter to draft your manifesto.

      People often misdefine "boycott" as "switch to another brand" when "give the industry the bird and do without" is a perfectly good alternative. It's too often the case that, even though we're willing to pony up for the services we use because they're so damned convenient, we feel exploited and treating luxuries as necessities is the only way to rationalize our frustrating spending habits.

      I'm as guilty as most - I often pay more than I feel is fair just because reducing use is inconvenient. But, I neither steal nor whine needlessly about my choices as long as an alternative is available to me that I could use to express my discontent.

      --
      He's getting rather old, but he's a good mouse.
    14. Re:Law is only way by Anonymous Coward · · Score: 0

      Well, not exactly like that.

      More like tv or radio.

    15. Re:Law is only way by Sanat · · Score: 2, Funny

      "Take the American government"

      Fixed it for you

      Take the American government please.

      --
      And in the end, the love you take is equal to the love you make
    16. Re:Law is only way by MrNaz · · Score: 1

      Yea, at the moment it's too busy bitch-slapping greedy bankers.

      --
      I hate printers.
    17. Re:Law is only way by zippthorne · · Score: 2, Informative

      It's trying to, but something is protecting the bankers.

      --
      Can you be Even More Awesome?!
    18. Re:Law is only way by zacronos · · Score: 1

      I telecommute, you insensitive clod!

    19. Re:Law is only way by jabithew · · Score: 1

      Free markets work well as long as there is a free market. Since no ISPs are fixing this, or IPv6, and most customers wouldn't understand the problem, there is no demand and hence no market, let alone a free one.

      This does not mean that legislation is the right answer; the government may mandate a poor solution. Unfortunately it will only be when this becomes a high-profile security risk that demand will rise.

      --
      All intents and purposes. Not intensive purposes.
    20. Re:Law is only way by lysergic.acid · · Score: 1

      but a boycott is a group tactic, not a personal tactic. boycotting is basically a form of economic coercion, but economics being a social science requires that you take group behaviors into account. so if it's too impractical to boycott a particular business, then it's basically impossible to boycott them since not enough people will engage in the boycott to really make it work.

      broadband internet access is essentially a service with inelastic demand. to make things worse, communications networks (telecoms/cellphone carriers, ISPs, etc.) are natural monopolies. these two things combined make ISPs pretty much immune to consumer boycotts. in this situation, the only recourse that consumers have is to exercise their democratic prerogative and organize politically. government regulations are specifically designed for these situations where public interest cannot be protected by any other means.

      of course most Americans have accepted their political disenfranchisement, and the idea that the government is actually an extension of citizenry there to carry out the will of the people has become too alien to most to even consider. this gives industry lobbies the power to advance their corporate interests unopposed and push for deregulation.

      though it is a little promising that some communities are bucking this trend and taking things into their own hands. as more and more people start seeing wireless broadband as a basic public utility, they will start pushing their municipal governments to establish a public WiFi or WiMax network for their city independent of commercial ISPs. i mean, if ISPs can't be regulated and won't regulate themselves, then the only option left is to provide your own publicly-run alternative.

    21. Re:Law is only way by tripdizzle · · Score: 1

      So if your internet at home went down, would you wither up and die?? Or just a little inside?

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    22. Re:Law is only way by Anonymous Coward · · Score: 0

      >So we need some kind of shared, neutral, "last mile" facility that all providers can use. And that should be individual fiber all the way from the central office to the home (or business).

      Enjoy paying an ungodly amount of money to get this.
      Dedicated lines are essentially this.

    23. Re:Law is only way by megamerican · · Score: 2, Informative

      The free market cannot exist in environments where the government gives special monopolies to a few companies. The only real competition in this market is for these companies to protect their monopolies.

      John D. Rockefeller said, "Competition is a sin."

      A great muckraking book on this topic is Confessions of a Monopolist, written in 1903.

      This kind of thing has been going on ever since the Supreme Court brazenly declared that a corporation has the same rights as a natural person.

      --
      If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
    24. Re:Law is only way by Yvanhoe · · Score: 1

      Was the flaw not swiftly patched in a few days after its discovery in most ISPs worldwide? No law could have achieved that, but the idea that some ISPs could get attacked by not acting while others would be immune to it is a tremendous incentive to act in a free market.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    25. Re:Law is only way by Anonymous Coward · · Score: 0

      Sure it is. Secure64 has a secure platform that automates DNSSEC completely. .gov is having to be signed next year. A lot of the ccTLDs are signed or wanting to be signed. The problem is the manual steps for DNSSEC. Once it can be automated, it will be implemented.

      How many CEO's know there's a problem with DNS in the first place?

    26. Re:Law is only way by Medievalist · · Score: 1

      Tell that to a corporation or small business. For their "survival" they need the internet. Now if you're talking about human survival.... we're all in America right? /sarcasm

      Many of the corporations and small businesses in my area are surviving just fine without paying a monthly fee in order to decrease employee productivity.

      It's really hard to start a new business without advertising & web pages, though. You'd have to actually offer a higher quality product or service directly to customers which, of course, is not something these kids today are capable of comprehending./sarcasm

    27. Re:Law is only way by zacronos · · Score: 4, Insightful

      So if your internet at home went down, would you wither up and die?? Or just a little inside?

      No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and find another, convince my wife to quit her job and sell our house during the housing market slump so we can move (either somewhere I *can* have broadband Internet, or somewhere within driving distance of my company's office), or leave my wife behind so I can move. I can't simply boycott the only broadband ISP in my area on a whim, as you suggest -- it is a much, much bigger issue for me.

      You're creating the false dichotomy that everything which is not necessary to survive is a luxury. I agree that I do not strictly need broadband Internet to survive, but disagree that the Internet is a luxury, for me at least. Perhaps you would have no problem boycotting utility companies if you felt they were doing something irresponsible, since after all electricity, water, natural gas, etc are not necessary for survival (and in fact many people in the world do not have these things), but most people in the US would argue that they are more than luxuries. Maybe you are lucky enough to have well or cistern water, and live in a climate where winter heating isn't necessary for survival, or perhaps you have a wood-burning stove/fireplace that could heat your house if you don't have electricity or natural gas -- but that doesn't mean that they are luxuries for everyone, irrespective of the circumstances of that person's life.

      Those are more extreme examples, but the fact is that my life is currently based around having broadband at home, and although I could do without it (just as I could do without electricity, natural gas, and city water), I would need to make very large changes to my life to do so.

    28. Re:Law is only way by tripdizzle · · Score: 1

      I didn't read everything you bothered to type, but you could always find another job. As a response to the rest about your option to boycott if you feel you are not receiving the service you are paying for, read gnick's post above.

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    29. Re:Law is only way by zacronos · · Score: 1

      I didn't read everything you bothered to type, but you could always find another job.

      Yes, I said that myself at the beginning of the second sentence of my comment. (Perhaps you should actually read what I typed before assuming you know what point I'm trying to make.) Do you really think it should be worthwhile for me to quit my job just because there are no broadband ISPs that offer secure DNS where I live?

    30. Re:Law is only way by mrsbrisby · · Score: 1

      As an ISP, I'd happily implement a secure DNS protocol if there were one - right now the closest thing is DNSCurve, but it seems that the asshats that created the problem are prone to continue promoting a "solution" that requires more powerful hardware, puts servers and clients at a greater risk for denial-of-service attacks, and frankly doesn't work.

      DNSCurve seems very attractive, but would require cooperation from the root servers, some of which have a vested interest in promoting the unworkable and broken-by-design DNSSec protocols.

      Meanwhile, DNSSec, in addition to requiring cooperation from the root servers, also requires that every firewall, every DNS client and server, and every DNS-inspecting or DNS-aware device get rewritten, or potentially rewritten, because DNSSec is incompatible with DNS.

      The people dragging their heels here are the BIND group. They want to promote a buggy and broken solution just like they always do simply because it's their solution.

    31. Re:Law is only way by tripdizzle · · Score: 1

      No, it wouldn't be worthwhile to me, or maybe to even you, but the option is always there.

      --
      "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    32. Re:Law is only way by Anonymous Coward · · Score: 0

      No, my ISP had not patched even weeks after the announcement. They did eventually, but I was using OpenDNS for a while to avoid their servers.

    33. Re:Law is only way by Anonymous Coward · · Score: 1, Interesting

      I disagree. IPv6 would eliminate all of the complications with NAT and generally make the act of adding content to the internet, instead of simply consuming content, significantly easier. The issue is too technical for a random user to understand it, but it would make their lives easier.

    34. Re:Law is only way by Anonymous Coward · · Score: 0

      What the fuck is wrong with you??

      Get out. Now.

    35. Re:Law is only way by madbavarian · · Score: 1

      Who cares what ISP's do? If anyone cared they could run their own dns server and get all the protection they wanted. The problem is the lard-asses running the top-level domains. All but a very small handful refuse to sign the zones they are entrusted with. If you want to pass a law to light a fire under someone, that is the group of operators you need to target.

    36. Re:Law is only way by Nefarious+Wheel · · Score: 1

      So if your internet at home went down, would you wither up and die?? Or just a little inside?

      No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and...

      It's interesting to note throughout the advance of civilisation the passage of things from the category of luxuries to the category of necessities. This is not an attitudinal shift, but a real one. To entertain further, the idea of "getting back to basics" such as hunting your own food (a good idea in certain rural areas, not so good in Chicago) turns out to be more of a luxury than a necessity, in an inversion of the trend. It's often seen that people confuse the two categories (these people are often identifiable by their red flannel shirts and funny hats) much to the delight of critics and Democrats.

      --
      Do not mock my vision of impractical footwear
    37. Re:Law is only way by nobaloney · · Score: 1

      Nevertheless you do have the option to use (for example) OpenDNS, and keep the same ISP. On one level it won't be as satisfying as a boycott, but it should be satisfying on some level to be able to work around your ISPs insecure DNS, and you'll have resolved the real problem.

    38. Re:Law is only way by badkarmadayaccount · · Score: 1

      What bullets should I use? /internet-addict

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  7. Mockapetris by Detritus · · Score: 4, Interesting

    Mockapetris wrote a nice book on the ideas behind the domain naming system, which is sadly long out of print. One statement that he made has always stuck in my mind, "names are not routes are not addresses". Keeping those things distinct and well-defined avoids many problems.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Mockapetris by Anonymous Coward · · Score: 0

      FYI, his SIGCOMM '88 paper ("Development of the Domain Name System") is available here.

  8. ledit too by centauratlas · · Score: 1

    Maybe we can ledit it too.

  9. Hm, that and DNSsec sucks ass by Nicolas+MONNET · · Score: 3, Informative

    Look at the history of DNSsec; the specs have been done and redone several times over, there is no consensus, and it looks like it would be a bitch to admin.

    1. Re:Hm, that and DNSsec sucks ass by Ed+Avis · · Score: 4, Interesting

      Can someone explain what is the point of DNSsec? An https website already has its own certificate which authenticates you are talking with the right person, and https is designed to be secure without trusting DNS. If DNSsec had been widely implemented twenty years ago then secure protocols might have evolved in a different direction, but given where we are now, what problem does DNSsec solve?

      Similarly if you use ssh then the server authenticates to you with its own keypair. You don't need to trust that DNS gives the right answer.

      Is DNSsec just to stop denial of service attacks on the DNS infrastructure and trivial hijacking of insecure protocols like telnet and http?

      --
      -- Ed Avis ed@membled.com
    2. Re:Hm, that and DNSsec sucks ass by Charlotte · · Score: 5, Interesting

      Can someone explain what is the point of DNSsec? An https website already has its own certificate

      DNS is a naming service, but it was never designed to be a trustworthy naming service. If it was, then DNS spoofing would have been impossible. Another reason why, currently, SSL certificates are needed is IP address spoofing. But if your certificate is embedded in a DNS entry then there is no reason for anyone to need a third-party-signed certificate at all. All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities.

      So if we fix DNS then we can skip SSL root CAs entirely and just go with DNS. But SSL certs are a lucrative business, which is why Verisign et al. don't want DNS to be fixed. It would be the end of their best cash cow. But fixing it is necessary for the internet to become a truly trustworthy place of business.

      The article, BTW, strikes me as odd. Isn't it Paul Vixie who has been campaigning for DNSSEC for ages now? He isn't even mentioned.
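The idea in Charlotte's comment, a certificate pinned in a DNS record so that no third-party CA signature is needed, is what was later standardized as DANE (RFC 6698, the TLSA record). The following is an added example, not code from this thread or from any DNS or TLS project, showing how a client checks a server certificate against a TLSA record of certificate usage 3 (DANE-EE, where the record pins the end-entity certificate itself). The certificate bytes are a constructed placeholder, and the `dnssec_secure` flag stands in for the resolver's validation verdict on the TLSA answer; the point of that flag is that a pin fetched over unauthenticated DNS protects nothing, because whoever can forge the address record can forge the pin too.

```python
import hashlib

# Constructed placeholder for a server certificate in DER form. It is NOT real
# ASN.1; the matching logic below only ever hashes or compares the raw bytes.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-example-certificate-bytes" * 3


def parse_tlsa(rdata):
    """Parse TLSA presentation format: '<usage> <selector> <matching type> <hex data>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex("".join(hexdata.split()))


def make_tlsa(cert_der, usage=3, selector=0, matching=1):
    """Build the TLSA rdata an operator would publish for cert_der.

    usage 3 = DANE-EE (the end-entity certificate is the trust anchor),
    selector 0 = full certificate, matching 1 = SHA-256 of the selected data.
    """
    if matching == 0:
        data = cert_der
    elif matching == 1:
        data = hashlib.sha256(cert_der).digest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % matching)
    return "%d %d %d %s" % (usage, selector, matching, data.hex())


def tlsa_matches(rdata, cert_der, spki_der=None):
    """Return True if the presented certificate satisfies one TLSA record.

    Only usage 3 is handled here: usages 0-2 constrain a CA or the chain and
    therefore also require PKIX chain validation, which this example omits.
    """
    usage, selector, matching, data = parse_tlsa(rdata)
    if usage != 3:
        raise NotImplementedError("usage %d needs PKIX chain validation" % usage)
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 compares the SubjectPublicKeyInfo; none supplied")
        subject = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching == 0:
        return subject == data
    if matching == 1:
        return hashlib.sha256(subject).digest() == data
    if matching == 2:
        return hashlib.sha512(subject).digest() == data
    raise ValueError("unknown matching type %d" % matching)


def dane_accepts(tlsa_records, cert_der, dnssec_secure):
    """Decide whether a DANE-aware client accepts cert_der.

    dnssec_secure is the resolver's verdict on the TLSA answer. Without it the
    records are worth nothing, since an attacker who can spoof the A record can
    spoof the TLSA record as well, so unvalidated records are ignored here (a
    real client then falls back to ordinary PKIX validation, not to blind trust).
    """
    if not dnssec_secure:
        return False
    return any(tlsa_matches(r, cert_der) for r in tlsa_records)
```

The record that `make_tlsa(CERT_DER)` returns is what the operator would publish at `_443._tcp.<host>`; the client side is `dane_accepts([record], presented_cert, resolver_said_secure)`. The DNSSEC dependency is the direct answer to the "doesn't DNSSEC itself need a CA?" worry raised later in this thread: the chain of trust ends at the signed root zone rather than at a commercial CA, but it still has to be validated end to end.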

    3. Re:Hm, that and DNSsec sucks ass by bnjf · · Score: 2, Insightful

      http://dnscurve.org/index.html

      DJB's take on it, although it's gone quiet...

    4. Re:Hm, that and DNSsec sucks ass by mrsbrisby · · Score: 1

      DNSSec protects against a kind of attack that doesn't exist and never happens, by making attacks that do happen (like denial-of-service) easier to mount.

      DNSCurve, a younger, competing protocol protects against most of the attacks DNSSec is designed to, and even protects against some denial-of-service attacks.

      However, the other part of your question, about whether SSL is sufficient, the answer is no. It demonstrates nicely why a security extension needs to be one we can roll out quickly so that we can start blocking invalid requests, instead of just complaining about them.

      DNSSec provides no benefit until some magic date in the future where we stop using DNS and start using DNSSec. Meanwhile, DNSCurve provides some benefit as soon as the root servers offer it.

    5. Re:Hm, that and DNSsec sucks ass by discogravy · · Score: 1

      DNSSEC is not an https replacement, nor a replacement for ssl keys. Many services that require DNS resolution (and that the resolution be good,) do not happen over https or ssh (it often comes as a surprise to some people that the internet is not the web, but ping or smtp are two prominent examples that often use DNS; calling http trivial doesn't actually make it so, and http is vulnerable still.) That https/ssl can secure the communication between you and a webserver is not of much use if the cert has been faked -- see http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks/ if you're curious as to how this can be taken advantage of (and even if you're a paranoid nut using Tor, how often are you checking that SSL certs are good?)

    6. Re:Hm, that and DNSsec sucks ass by Anonymous Coward · · Score: 0

      Look at the history of DNSsec; the specs have been done and redone several times over, there is no consensus, and it looks like it would be a bitch to admin.

      Hey smart guy, the RFCs are 4033, 4034, and 4035... that constitutes consensus. Also, why don't you try admin'ing one (like I do) before you say it's a bitch (i.e. get a clue).

    7. Re:Hm, that and DNSsec sucks ass by Lost+Race · · Score: 1

      How does DNSSEC protect against SSL MitM attacks? Would there be secure DNS records for SSL keys/signatures? Doesn't DNSSEC itself need a CA? Anyway, there will be plenty of SSL CA business for many years during the gradual transition to DNSSEC.

    8. Re:Hm, that and DNSsec sucks ass by Anonymous Coward · · Score: 0

      There is a third option to DNS and certificate authorities: the web of trust. Web of trust mimics how people gain trust in real life and is less vulnerable to undetected compromise. Do you REALLY trust the certificate authority in every case?

    9. Re:Hm, that and DNSsec sucks ass by mysidia · · Score: 1

      The problem with DNSSEC is that the RFC was created without operational experience.

      The standard may be implementable, but it's a gargantuan mess that sites can't be convinced to implement. It is too complicated to easily and reliably implement in new DNS server software.

      We need a SIMPLE, INCREMENTAL update to the DNS service to add security. That ALL flavors of DNS server can easily implement

      A proof of concept should be implemented and tested as widely as possible BEFORE an RFC is even written.

      When did such complex RFCs as DNSSEC start getting spewed out, before the experiment was even widely implemented??

    10. Re:Hm, that and DNSsec sucks ass by mysidia · · Score: 1

      No it doesn't. It reflects what the RFC Editor has been caused to publish.

      Just because it's published as RFC doesn't mean it's a consensus that the spec is a good one, or that implementing it will be a good idea.

      The wide implementation should come before drafting any complex RFCs, otherwise the RFC may turn out to be worthless.

    11. Re:Hm, that and DNSsec sucks ass by rs79 · · Score: 1

      It's a weird article. I'm not exactly certain what information was actually conveyed or what Paul Mockapetris was actually saying and I know Paul. (scratches head).

      People need to adopt DNSSEC. Yeah ok, whatever. A few people think this is giving too much power to verisign (again) and Dan Bernstein has other ideas and isn't fond of DNSSEC.

      http://cr.yp.to/djbdns/forgery.html

      "All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities."

      Well, but...

      The "root servers" isn't one thing. It's 13 things. And the F server is actually a number of machines. Any one that gets compromised blows it for everything.

      Another reason to run your own root zone, obtained from somebody who cryptographically signed it. Bernstein points out usenet would be a good mechanism for this.

      --
      Need Mercedes parts ?
    12. Re:Hm, that and DNSsec sucks ass by jhutkd · · Score: 1

      Wrong... RFCs go through lengthy comment periods as drafts and though there are none that get 100% support, their purpose is to serve as specifications so people know how to implement protocols (for example).

      DNSSEC had been widely implemented, tested, argued over for about 10 years before the final RFCs... Check it out... >10 years

      Know your history dude.

    13. Re:Hm, that and DNSsec sucks ass by mysidia · · Score: 1

      RFC issuance no longer means there is a consensus. DNSSEC may even be proof of this.

      Comment periods may be lengthy, but the audience is small, and a limited proportion of the interested parties.

      My primary objection to DNSSEC, and a reason I probably wouldn't entertain the concept of implementing it is it actually compromises security.

      For example: I have some records in my zone that are obscure and private. I do not allow third party zone transfers (except from certain trusted hosts on a local subnet).

      If I were to hide these secret records from a signed zone, the secret DNS hostnames could not be authenticated.

      If I were to reveal them publicly in a signed zone, they would be authenticated, but the essential secrecy would also be compromised.

      There are thousands of other sites that also have and want secret DNS records. The number is sufficient to prevent there from being a consensus that DNSSEC is a good answer.

      There is a faction of sysadmins and DNS implementors that believes DNSSEC is a good answer, there is a large faction of sysadmins and DNS implementors that completely reject DNSSEC.

      Therefore DNSSEC is not a consensus, and is an utter failure as a standardization effort.

  10. Old News? by iSzabo · · Score: 1

    I'm sorry to be the one to say it but there's nothing new here. RIPE implemented DNSSEC a little while ago (albeit not thoroughly) and there's an article here about the US getting DNSSEC.

  11. DNSsec by Ex-Linux-Fanboy · · Score: 2, Interesting

    DNSsec, obviously, is the solution. The problem is the same problem with IPv6: the old way of doing things is so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given domain. As an implementer of a somewhat obscure open-source DNS server, from where I stand I don't like DNSsec, mainly because it's a pain to implement (don't even get me started on the mess that is the BIND zonefile format; there's a reason DJB was too lazy to implement BIND zonefiles at all). But, yes, considering the number of programs that actually trust a DNS packet (web browsers, cough cough), we need to make these packets secure. - Sam

    1. Re:DNSsec by Anonymous Coward · · Score: 0

      You should look at the specs again. RFC 5155 has introduced NSEC3 records, which solve the zone enumeration problem inherent with the original NSEC record spec.

    2. Re:DNSsec by Anonymous Coward · · Score: 0

      The secure denial of existence that you're talking about is provided by NSEC records. The issue you're talking about is called NSEC-walking. There actually is an RFC (5155) for something called NSEC3, and NSD already supports it. This makes NSEC-walking impossible.
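
The behaviour the two replies above describe (and the worry in comment 13 about secret names ending up in a signed zone), as an added illustration that is not code from any poster: an NSEC chain's next-name pointers hand every owner name to anyone who walks the chain, while NSEC3 (RFC 5155) chains hashed owner names instead. The zone names, salt and iteration count below are constructed.

```python
import base64
import hashlib

# Added example (not from any post). Contrasts an NSEC chain with an NSEC3
# chain over a constructed zone; the hash follows RFC 5155 section 5 (SHA-1).
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lowercase labels, length-prefixed, root terminator."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def canonical_key(name):
    """RFC 4034 canonical order: compare labels starting from the root."""
    return list(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))


def nsec3_hash(name, salt, iterations):
    """IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt); output in base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(B32HEX).lower()


def nsec_chain(names):
    """(owner, next owner) pairs; the last record wraps around to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]


def nsec3_chain(names, salt, iterations):
    """Same chain shape, but owners are hashed, so a walk only yields hashes."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


def walk(chain):
    """Follow next pointers from the first record; returns every owner exposed."""
    nxt, start = dict(chain), chain[0][0]
    seen, cur = [], start
    while True:
        seen.append(cur)
        cur = nxt[cur]
        if cur == start:
            return seen


ZONE = ["example.", "www.example.", "ns1.example.", "secret-vpn.example."]  # constructed
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12  # constructed parameters

if __name__ == "__main__":
    print(walk(nsec_chain(ZONE)))                      # plaintext names, secret included
    print(walk(nsec3_chain(ZONE, SALT, ITERATIONS)))   # only base32hex hashes
```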

    3. Re:DNSsec by Russ+Nelson · · Score: 2, Informative

      It's not a question of DJB being too lazy to implement BIND zonefiles. It's more a question that BIND zonefiles must die because they're astoundingly difficult to parse, and even if they weren't, they're prone to user edit failures. Ever forgotten a dot at the end of a name? I haven't -- not since switching to djbdns.

      --
      Don't piss off The Angry Economist
  12. Malicious links are a serious problem nowadays by Anonymous Coward · · Score: 2, Funny

    I hope someone takes steps to deal with this. Imagine if every link someone posted had to be regarded with suspicion. It would be the end of the internet.

    1. Re:Malicious links are a serious problem nowadays by Anonymous Coward · · Score: 1, Funny

      Hey, how did you get a list of my bookmarks?

  13. Re:Wow by MrNaz · · Score: 1

    If a typo amazes him, I think he's not only new to Slashdot, but new to the Internet. Actually, he's probably new to typing. Next he's going to tell us about some amazing new developments in a town called Gutenberg.

    --
    I hate printers.
  14. No need to fix this problem by damn_registrars · · Score: 3, Insightful

    ICANN is going to start selling new gTLDs that will turn the current DNS system into arbitrary mish-mash anyways. Just wait until we start seeing links to .cheapdrugs domains, and we try to find the DNS info for that.

    Then we'll find ourselves longing for the current DNS problem.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:No need to fix this problem by mysidia · · Score: 1

      I propose a new spec: it's called the no new GTLDs rule. Henceforth, from Nov 10, 2008, there shall be no new GTLD or special GTLDs.

      That is, the list of the current GTLDs in place should be hardwired to all DNS resolver software, as a list of TLDs.

      Upon presentation of a TLD not in the hardwired list, all DNS resolvers shall indicate failure with a return code of NXDOMAIN.

      Do you think the DNS related RFCs could be revised to codify this special rule?

  15. Digital Signatures = Duct Tape by Anonymous Coward · · Score: 0

    Digital signatures are the duct tape of IT, they fix everything!

  16. Re:Wow by gomiam · · Score: 2, Informative

    A town? I think Gutenberg was a person.

  17. I repaired a small technical error or two. by Medievalist · · Score: 1

    An https website already has its own certificate which authenticates you are talking to some random entity who paid a tithe to Verisign, and https is designed to be a cash cow for certificate authorities regardless of their competence, reliability or trustworthiness.

    Fixed that for ya.

  18. I know I see it!! by Huggs · · Score: 1

    Yea... Mock-a-TETRIS! It's an outrage! How could they so blatantly deface the name of one of the greatest video games of all time?! I'm bringing this straight to Nintendo! Alexey Pajitnov must be pissed.

  19. Yellow Pages! by Anonymous Coward · · Score: 0

    NIS! For the Internet! Yes!

  20. Kaminsky DID NOT invent this attack, he refined it by Anonymous Coward · · Score: 0

    Kaminsky found a way to make this attack very efficient. In fact, in 1990 Steve Bellovin wrote about the details of this vulnerability, and published it at USENIX Security in 1995 ("Using the Domain Name System for System Break-ins").

    So, to be clear, this was a new variation on an old theme. It was (and is) a big deal, but it was NOT invented by Dan Kaminsky.

  21. Re:Wow by soliptic · · Score: 1

    I think Gutenberg was a person.

    Yeah, he was in those Police Academy movies, right?

  22. Not enough value in DNSSEC by Russ+Nelson · · Score: 2, Interesting

    There's not enough value in implementing DNSSEC. That is, of course, why you're proposing a law. Laws are needed to get people to do things that are irrational.

    --
    Don't piss off The Angry Economist
  23. DNS 2.0 by rs79 · · Score: 1

    What he said. I mean really. If anybody still thinks BIND zonefiles are a good idea they should bloody well be forced to write a program that parses them and good luck.

    (Oh, btw, hi russ)

    I realize there's an obligate duty for a car analogy here, but, so sorry. *

    You'll have to settle for instruction sets. BIND files are now commonly bigger than most old programs, so what you have to write to get what you want to happen is important. BIND is like an old clunky assembler with bizarre and arcane properties. IBM 1130 or 360 maybe. DJB is like the pdp-11, it's elegant and simple. It's a joy, not a pain.

    I don't mind writing software that outputs BIND files but I'm not sure it's even computationally possible to parse one of those pigs. They were never meant to do that, DJB was designed that way.

    BIND was handy until the number of bugs went asymptotic, but it really should die now.

    * not sorry

    --
    Need Mercedes parts?
  24. DNSCurve has a good adoption path by Anonymous Coward · · Score: 0

    DNScurve does not require a top-down approach. With a resolver library/DNS server (or resolving cache, or forwarding nameserver) that is DNScurve-aware the benefits are immediate and automatically gained, anytime two DNScurve-aware servers meet.

    A poisoned root issuing malicious NS records could still spoil that, but the farther up the tree the harder the attack -- so "leaf" security shouldn't be discarded out of hand.

    1. Re:DNSCurve has a good adoption path by mrsbrisby · · Score: 1

      I don't disagree. I'd like to start implementing DNSCurve immediately.

  25. I'm too busy admin'ing DNS over avian carrier by Nicolas+MONNET · · Score: 1

    You appear to be slightly confused as to what RFCs are.