DNS Inventor Tackles Flaw
nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, lets attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."
Mockapetris wrote a nice book on the ideas behind the domain naming system, which is sadly long out of print. One statement that he made has always stuck in my mind, "names are not routes are not addresses". Keeping those things distinct and well-defined avoids many problems.
My hovercraft is full of eels
DNSsec, obviously, is the solution. The problem is the same problem as with IPv6: the old way of doing things is so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given domain. As an implementer of a somewhat obscure open-source DNS server, from where I stand I don't like DNSsec, mainly because it's a pain to implement (don't even get me started on the mess that is the BIND zonefile format; there's a reason DJB was too lazy to implement BIND zonefiles at all). But, yes, considering the number of programs that actually trust a DNS packet (web browsers, cough cough), we need to make these packets secure. - Sam
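The three properties Sam lists (offline signing, hard-to-forge NXDOMAIN answers, and trivially walkable zones) all come from the NSEC chain that DNSSEC uses for authenticated denial of existence. The following added example, which is not code from the thread or from any DNS server, builds that chain for a small constructed zone, shows how a resolver picks the record that proves a name is absent, shows why following the chain enumerates every name, and implements the NSEC3 owner-name hash (RFC 5155) that later replaced plain NSEC to blunt that enumeration. The zone names and salt are constructed; the hashing follows RFC 5155 section 5 (readers can compare the output against the worked example in RFC 5155 Appendix A).

```python
import base64
import hashlib


def canonical_key(name):
    """Canonical DNS ordering (RFC 4034 s6.1): compare labels from the
    rightmost label leftwards, case-insensitively. A tuple of reversed,
    lower-cased labels sorts that way for plain ASCII names."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_chain(zone_names):
    """Build the NSEC chain: every owner name points at the next name in
    canonical order, and the last one wraps back to the zone apex.
    Each pair is signed once, offline, when the zone is signed."""
    ordered = sorted(set(zone_names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def covering_nsec(chain, qname):
    """Return the (owner, next) NSEC that proves qname does not exist, or
    None when qname is an existing owner name (no denial applies)."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            return None
        if o < q < n:
            return (owner, nxt)
        if n <= o and (q > o or q < n):   # wrap-around record at chain end
            return (owner, nxt)
    return None


def walk_nsec(chain, apex):
    """Follow the 'next' pointers from the apex: the chain itself is a
    complete, signed list of every name in the zone, which is exactly
    the enumeration problem with plain NSEC."""
    nxt = dict(chain)
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = nxt[cur]
        if cur == apex:
            return names


def wire_name(name):
    """Owner name in DNS wire format (length-prefixed labels, lower-cased)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: H(x) = SHA-1(x || salt), then `iterations` further
    rounds of SHA-1(prev || salt), rendered in base32hex. The chain is
    then built over these hashes instead of the names, so walking it
    yields hashes rather than hostnames."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


if __name__ == "__main__":
    # Constructed zone for the demonstration.
    zone = ["example.", "www.example.", "a.example.", "ns1.example.", "zzz.example."]
    chain = nsec_chain(zone)
    print("NSEC proving b.example. is absent:", covering_nsec(chain, "b.example."))
    print("Names recovered by walking the chain:", walk_nsec(chain, "example."))
    salt = bytes.fromhex("aabbccdd")   # constructed salt value
    print("NSEC3 owner for example.:", nsec3_hash("example.", salt, 12))
```

The defensive takeaway matches the comment: plain NSEC gives strong denial of existence at the cost of publishing the zone's name list, and NSEC3 (ideally with opt-out and a modest iteration count) is the standard mitigation when that list is considered sensitive.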
Can someone explain what is the point of DNSsec? An https website already has its own certificate which authenticates you are talking with the right person, and https is designed to be secure without trusting DNS. If DNSsec had been widely implemented twenty years ago then secure protocols might have evolved in a different direction, but given where we are now, what problem does DNSsec solve?
Similarly if you use ssh then the server authenticates to you with its own keypair. You don't need to trust that DNS gives the right answer.
Is DNSsec just to stop denial of service attacks on the DNS infrastructure and trivial hijacking of insecure protocols like telnet and http?
-- Ed Avis ed@membled.com
Can someone explain what is the point of DNSsec? An https website already has its own certificate
DNS is a naming service, but it was never designed to be a trustworthy naming service. If it was, then DNS spoofing would have been impossible. Another reason why, currently, SSL certificates are needed is IP address spoofing. But if your certificate is embedded in a DNS entry then there is no reason for anyone to need a third-party-signed certificate at all. All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities.
So if we fix DNS then we can skip SSL root CAs entirely and just go with DNS. But SSL certs are a lucrative business, which is why Verisign et al. don't want DNS to be fixed. It would be the end of their best cash cow. But fixing it is necessary for the internet to become a truly trustworthy place of business.
The article, BTW, strikes me as odd. Isn't it Paul Vixie who has been campaigning for DNSSEC for ages now? He isn't even mentioned.
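The idea in the post above, a certificate embedded in a DNS entry so that no third-party CA is needed, later became DANE, whose TLSA record (RFC 6698) carries a certificate or a hash of one. The following added example, not code from the thread or from any DANE implementation, builds and parses a TLSA rdata value and checks a presented certificate against it. It only handles the full-certificate selector with SHA-256 or exact matching (the SPKI selector would need ASN.1 parsing and is left out), the certificate bytes are constructed rather than real DER, and the `dnssec_validated` flag stands in for the AD bit a validating resolver would set.

```python
import hashlib
import hmac
import struct

# Real RFC 6698 code points used by this example.
USAGE_DANE_EE = 3          # record pins the end-entity certificate itself
SELECTOR_FULL_CERT = 0     # association data is derived from the whole cert
MATCH_EXACT = 0            # association data is the full certificate
MATCH_SHA256 = 1           # association data is SHA-256 of the certificate


def build_tlsa(cert_der, usage=USAGE_DANE_EE,
               selector=SELECTOR_FULL_CERT, mtype=MATCH_SHA256):
    """Encode TLSA rdata: usage(1) selector(1) matching-type(1) data."""
    if selector != SELECTOR_FULL_CERT:
        raise ValueError("only the full-certificate selector is supported here")
    if mtype == MATCH_SHA256:
        data = hashlib.sha256(cert_der).digest()
    elif mtype == MATCH_EXACT:
        data = cert_der
    else:
        raise ValueError("unsupported matching type")
    return struct.pack("!BBB", usage, selector, mtype) + data


def parse_tlsa(rdata):
    """Split TLSA rdata into (usage, selector, matching type, data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA rdata too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_matches(rdata, presented_cert_der, dnssec_validated):
    """Return True only when the record was obtained over a DNSSEC-validated
    answer AND the presented certificate matches it. An unsigned TLSA answer
    is exactly as spoofable as an unsigned A record, so without validation
    the record proves nothing."""
    if not dnssec_validated:
        return False
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
        return False   # other usages/selectors are outside this example
    if mtype == MATCH_SHA256:
        expected = hashlib.sha256(presented_cert_der).digest()
    elif mtype == MATCH_EXACT:
        expected = presented_cert_der
    else:
        return False
    # Constant-time comparison, as for any credential check.
    return hmac.compare_digest(data, expected)


if __name__ == "__main__":
    cert = b"constructed-certificate-bytes-not-real-DER"   # constructed input
    record = build_tlsa(cert)
    print("TLSA rdata hex:", record.hex())
    print("validated + matching cert:", tlsa_matches(record, cert, True))
    print("unvalidated answer:", tlsa_matches(record, cert, False))
    print("wrong cert:", tlsa_matches(record, cert + b"x", True))
```

The `dnssec_validated` gate is the whole point of the comment: a certificate in DNS only replaces a CA signature if the DNS answer carrying it is itself authenticated.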
I disagree. IPv6 would eliminate all of the complications with NAT and generally make the act of adding content to the internet, instead of simply consuming content, significantly easier. The issue is too technical for a random user to understand it, but it would make their lives easier.
There's not enough value in implementing DNSSEC. That is, of course, why you're proposing a law. Laws are needed to get people to do things that are irrational.
Don't piss off The Angry Economist