Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Inventor Tackles Flaw

Posted by ScuttleMonkey on from the always-evolving dept.

nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, lets attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."

7 of 101 comments (clear)

  1. Hmm... by tripdizzle · · Score: 4, Insightful

    but was intended for additional security measures to be added to it later

    Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

    --
    "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
    1. Re:Hmm... by gnick · · Score: 4, Insightful

      but was intended for additional security measures to be added to it later

      Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

      Well, yeah. Here's the first instance I know of:

      Carl: Hey, I just figured out that by attaching a piece of slate and some handles to this thing I call the "wheel", I can haul around deer carcasses much more easily than my previous method of throwing them over my shoulder and crawling. I call this new contraption the "wheelbarrow".

      Lenny: That's great! I think that I'll use it to haul home my fiance after I propose by clubbing her over the head. When I'm moving people around with it, I'll call it a "car". Of course, if anyone wanted to use the "car" for frequent trips or moving multiple people around, they'd have to make significant improvements.

      Homer: Your car sucks. Why in the hell did you design it like this? This thing looks like it was made to haul around deer carcasses, not people! This is obviously an incomplete solution - Why did you show it to us without perfecting it first!?! You're an idiot.

      Preemptive retort to silly overly-critical responses: I agree, it is a deeply flawed analogy. It's primary intent was humor while only lightly relating to the incomplete implementation of the DNS system.

      Cheers.

      --
      He's getting rather old, but he's a good mouse.
  2. Law is only way by Eravnrekaree · · Score: 2, Insightful

    Really, the only way to get ISPs to offer secure DNS protocols is to require it by law. Otherwise, its just their nature not to do, to be lazy and ignore it, as they do with IPv6. So mandate it by law I say.

    1. Re:Law is only way by Cerberus7 · · Score: 4, Insightful

      True enough, but the Almighty Invisible Hand of the Free Market isn't taking care of this, either.

      --
      I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
    2. Re:Law is only way by zacronos · · Score: 4, Insightful

      So if your internet at home went down, would you wither up and die?? Or just a little inside?

      No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and find another, convince my wife to quit her job and sell our house during the housing market slump so we can move (either somewhere I *can* have broadband Internet, or somewhere within driving distance of my company's office), or leave my wife behind so I can move. I can't simply boycott the only broadband ISP in my area on a whim, as you suggest -- it is a much, much bigger issue for me.

      You're creating the false dichotomy that everything which is not necessary to survive is a luxury. I agree that I do not strictly need broadband Internet to survive, but disagree that the Internet is a luxury, for me at least. Perhaps you would have no problem boycotting utility companies if you felt they were doing something irresponsible, since after all electricity, water, natural gas, etc are not necessary for survival (and in fact many people in the world do not have these things), but most people in the US would argue that they are more than luxuries. Maybe you are lucky enough to have well or cistern water, and live in a climate where winter heating isn't necessary for survival, or perhaps you have a wood-burning stove/fireplace that could heat your house if you don't have electricity or natural gas -- but that doesn't mean that they are luxuries for everyone, irrespective of the circumstances of that person's life.

      Those are more extreme examples, but the fact is that my life is currently based around having broadband at home, and although I could do without it (just as I could do without electricity, natural gas, and city water), I would need to make very large changes to my life to do so.

  3. No need to fix this problem by damn_registrars · · Score: 3, Insightful

    ICANN is going to start selling new gTLDs that will turn the current DNS system into arbitrary mish-mash anyways. Just wait until we start seeing links to .cheapdrugs domains, and we try to find the DNS info for that.

    Then we'll find ourselves longing for the current DNS problem.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. Re:Hm, that and DNSsec sucks ass by bnjf · · Score: 2, Insightful

    http://dnscurve.org/index.html

    DJB's take on it, although it's gone quiet...