DNS Inventor Tackles Flaw
nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, let attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."
Ok, so this approach where you release something half-way done and fix it later is much older than I thought.
"A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
Not just new here, very, very new here.
... but it seems that a DNS attack redirected it to a fluff piece without any useful content.
"Little does he know, but there is no 'I' in 'Idiot'!"
You are seeing it. I, also, am.
Really, the only way to get ISPs to offer secure DNS protocols is to require it by law. Otherwise, it's just their nature not to, to be lazy and ignore it, as they do with IPv6. So mandate it by law I say.
Mockapetris wrote a nice book on the ideas behind the domain naming system, which is sadly long out of print. One statement that he made has always stuck in my mind, "names are not routes are not addresses". Keeping those things distinct and well-defined avoids many problems.
My hovercraft is full of eels. (Mea navis aericumbens anguillis abundat)
Maybe we can ledit it too.
Look at the history of DNSsec; the specs have been done and redone several times over, there is no consensus, and it looks like it would be a bitch to admin.
I'm sorry to be the one to say it but there's nothing new here. RIPE implemented DNSSEC a little while ago (albeit not thoroughly) and there's an article here about the US getting DNSSEC.
Not really. Back when DNS was invented (1982) pretty much everything connected to the Internet was essentially a trusted machine. Arguably that was almost true until the Morris worm in 1988. Of course you could never truly trust them, but the idea was that if someone did something silly other people would phone them and then they would stop. Essentially it was an anarchy populated by non malicious people.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;   # x86 Linux fork bomb: syscall 2 is fork, looped forever
DNSsec, obviously, is the solution. The problem is the same problem with IPv6: the old way of doing things is so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given domain. As an implementer of a somewhat obscure open-source DNS server, from where I stand I don't like DNSsec, mainly because it's a pain to implement (don't even get me started on the mess that is the BIND zonefile format; there's a reason DJB was too lazy to implement BIND zonefiles at all). But, yes, considering the number of programs that actually trust a DNS packet (web browsers, cough cough), we need to make these packets secure. - Sam
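The "trivial to list all of the hosts" complaint in Sam's comment above, shown as an added example that is not part of the thread and not code from any DNS server: an NSEC-signed zone proves a name does not exist by returning the NSEC record whose interval covers it, and each NSEC record names the next owner in canonical order, so a client that probes for a name just after each owner walks the whole chain. The example.com zone and its names are constructed for the demo, and RRSIGs are omitted because the leak does not depend on them.

```python
# Added example: walking an NSEC chain to enumerate a signed zone.
# The zone contents below are made up for the demonstration.

def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    labels are compared from the root downward, case-insensitively."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(reversed(labels))


def build_nsec_chain(apex, names):
    """Return {owner: next_owner}: each NSEC record points at the next name
    in canonical order, and the last record wraps back to the zone apex."""
    ordered = sorted(set(names) | {apex}, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)]
            for i, owner in enumerate(ordered)}


class SignedZone:
    """Toy authoritative server for one NSEC-signed zone (no signatures:
    the enumeration problem is independent of the RRSIGs)."""

    def __init__(self, apex, names):
        self.apex = apex
        self.chain = build_nsec_chain(apex, names)

    def query(self, qname):
        """Return ("exists", qname) for an existing owner, otherwise
        ("nxdomain", (owner, next)) with the NSEC record proving the name
        is absent. That proof is exactly what leaks the neighbouring names."""
        if qname in self.chain:
            return ("exists", qname)
        k = canonical_key(qname)
        for owner, nxt in self.chain.items():
            ko, kn = canonical_key(owner), canonical_key(nxt)
            if ko < k < kn:
                return ("nxdomain", (owner, nxt))
            # Last record: next owner is the apex, so the interval wraps.
            if kn <= ko and (k > ko or k < kn):
                return ("nxdomain", (owner, nxt))
        raise AssertionError("NSEC chain is not closed")


def walk_zone(zone):
    """Enumerate every owner name by following NSEC 'next' pointers.
    Each probe is a name that sorts immediately after the current owner
    (a subdomain whose first label is a single NUL byte), so the denial
    response has to carry the current owner's own NSEC record."""
    found = []
    current = zone.apex
    while True:
        status, data = zone.query("\x00." + current)
        assert status == "nxdomain", "probe name should never exist"
        owner, nxt = data
        found.append(owner)
        if nxt == zone.apex:
            return found
        current = nxt


def demo():
    # Constructed zone: the host an admin would rather not advertise is
    # recovered just like the public ones.
    zone = SignedZone("example.com",
                      ["www.example.com", "mail.example.com",
                       "a.example.com", "secret-admin.example.com"])
    return walk_zone(zone)


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Against a real server the same probe is a query for a name in the zone that cannot exist; the NSEC record in the denial response gives the next owner, and the walk needs one query per name in the zone. NSEC3 (hashed owner names) was the later answer to this, at the cost of letting an attacker brute-force the hashes offline instead.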
I hope someone takes steps to deal with this. Imagine if every link someone posted had to be regarded with suspicion. It would be the end of the internet.
If a typo amazes him, I think he's not only new to Slashdot, but new to the Internet. Actually, he's probably new to typing. Next he's going to tell us about some amazing new developments in a town called Gutenberg.
I hate printers.
ICANN is going to start selling new gTLDs that will turn the current DNS system into arbitrary mish-mash anyways. Just wait until we start seeing links to .cheapdrugs domains, and we try to find the DNS info for that.
Then we'll find ourselves longing for the current DNS problem.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
A town? I think Gutenberg was a person.
An https website already has its own certificate which authenticates you are talking to some random entity who paid a tithe to Verisign, and https is designed to be a cash cow for certificate authorities regardless of their competence, reliability or trustworthiness.
Fixed that for ya.
Yea... Mock-a-TETRIS! It's an outrage! How could they so blatantly deface the name of one of the greatest video games of all times?! I'm bringing this straight to Nintendo! Alexy Pajitnov must be pissed.
I think Gutenberg was a person.
Yeah, he was in those Police Academy movies, right?
There's not enough value in implementing DNSSEC. That is, of course, why you're proposing a law. Laws are needed to get people to do things that are irrational.
Don't piss off The Angry Economist
What he said. I mean really. If anybody still thinks BIND zonefiles are a good idea they should bloody well be forced to write a program that parses them and good luck.
(Oh, btw, hi russ)
I realize there's an obligate duty for a car analogy here, but, so sorry. *
You'll have to settle for instruction sets. BIND files are now commonly bigger than most old programs, so what you have to write to get what you want to happen is important. BIND is like an old clunky assembler with bizarre and arcane properties. IBM 1130 or 360 maybe. DJB is like the pdp-11, it's elegant and simple. It's a joy, not a pain.
I don't mind writing software that outputs BIND files but I'm not sure it's even computationally possible to parse one of those pigs. They were never meant to do that, DJB was designed that way.
BIND was handy until the number of bugs went asymptotic, but it really should die now.
* not sorry
Need Mercedes parts?
You appear to be slightly confused as to what RFCs are.
I don't disagree. I'd like to start implementing DNSCurve immediately.