DNS Inventor Tackles Flaw

← Back to Stories (view on slashdot.org)

Posted by ScuttleMonkey on Monday November 10, 2008 @03:57AM from the always-evolving dept.

nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, lets attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."

26 of 101 comments (clear)

Min score:

Reason:

Sort:

Hmm... by tripdizzle · 2008-11-10 03:59 · Score: 4, Insightful

but was intended for additional security measures to be added to it later

Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

--
"A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
1. Re:Hmm... by incripshin · 2008-11-10 04:04 · Score: 2, Funny
  
  Perhaps they could have enforced 32-bit public key encryption?
2. Re:Hmm... by gnick · 2008-11-10 04:24 · Score: 4, Insightful
  
  but was intended for additional security measures to be added to it later
  Ok, so this approach where you release something half-way done and fix it later is much older than I thought.
  Well, yeah. Here's the first instance I know of:
  
  Carl: Hey, I just figured out that by attaching a piece of slate and some handles to this thing I call the "wheel", I can haul around deer carcasses much more easily than my previous method of throwing them over my shoulder and crawling. I call this new contraption the "wheelbarrow".
  Lenny: That's great! I think that I'll use it to haul home my fiance after I propose by clubbing her over the head. When I'm moving people around with it, I'll call it a "car". Of course, if anyone wanted to use the "car" for frequent trips or moving multiple people around, they'd have to make significant improvements.
  Homer: Your car sucks. Why in the hell did you design it like this? This thing looks like it was made to haul around deer carcasses, not people! This is obviously an incomplete solution - Why did you show it to us without perfecting it first!?! You're an idiot.
  Preemptive retort to silly overly-critical responses: I agree, it is a deeply flawed analogy. It's primary intent was humor while only lightly relating to the incomplete implementation of the DNS system.
  Cheers.
  
  --
  He's getting rather old, but he's a good mouse.
3. Re:Hmm... by Sanat · 2008-11-10 04:56 · Score: 2, Funny
  
  Thank you for using a car analogy
  
  --
  And in the end, the love you take is equal to the love you make
I tried to RTFA... by dkf · 2008-11-10 04:00 · Score: 5, Funny

... but it seems that a DNS attack redirected it to a fluff piece without any useful content.

--
"Little does he know, but there is no 'I' in 'Idiot'!"
Law is only way by Eravnrekaree · 2008-11-10 04:01 · Score: 2, Insightful

Really, the only way to get ISPs to offer secure DNS protocols is to require it by law. Otherwise, its just their nature not to do, to be lazy and ignore it, as they do with IPv6. So mandate it by law I say.
1. Re:Law is only way by howdoesth · 2008-11-10 04:08 · Score: 5, Funny
  
  You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.
  I see you're using the sense of "always" that means "occasionally" or even "very rarely."
2. Re:Law is only way by mmell · 2008-11-10 04:08 · Score: 2, Informative
  
  That's right - let the Governments of the world fix the internet by legislation; after all, we all know how well the government understands the tubes of the intarweb. Perhaps Al Gore could be tapped to spearhead this incredibly important piece of legislation.
3. Re:Law is only way by tripdizzle · 2008-11-10 04:11 · Score: 4, Funny
  
  Not really, you do not need the internet to survive, its a luxury.
  
  --
  "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
4. Re:Law is only way by Cerberus7 · 2008-11-10 04:29 · Score: 4, Insightful
  
  True enough, but the Almighty Invisible Hand of the Free Market isn't taking care of this, either.
  
  --
  I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
5. Re:Law is only way by Sanat · 2008-11-10 05:02 · Score: 2, Funny
  
  "Take the American government"
  Fixed it for you
  Take the American government please.
  
  --
  And in the end, the love you take is equal to the love you make
6. Re:Law is only way by zippthorne · 2008-11-10 05:11 · Score: 2, Informative
  
  It's trying to, but something is protecting the bankers.
  
  --
  Can you be Even More Awesome?!
7. Re:Law is only way by megamerican · 2008-11-10 05:57 · Score: 2, Informative
  
  The free market can not exist in environments where the government gives special monopolies to a few companies. The only real competition in this market is for these companies to protect their monopolies.
  John D. Rockefeller said, "Competition is a sin."
  A great muckraking book on this topic is Confessions of a Monopolist, written in 1903.
  This kind of thing has been going on ever since the Supreme Court brazenly declared that a corporation has the same rights as a natural person.
  
  --
  If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
8. Re:Law is only way by zacronos · 2008-11-10 07:19 · Score: 4, Insightful
  
  So if your internet at home went down, would you wither up and die?? Or just a little inside?
  No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and find another, convince my wife to quit her job and sell our house during the housing market slump so we can move (either somewhere I *can* have broadband Internet, or somewhere within driving distance of my company's office), or leave my wife behind so I can move. I can't simply boycott the only broadband ISP in my area on a whim, as you suggest -- it is a much, much bigger issue for me.
  
  You're creating the false dichotomy that everything which is not necessary to survive is a luxury. I agree that I do not strictly need broadband Internet to survive, but disagree that the Internet is a luxury, for me at least. Perhaps you would have no problem boycotting utility companies if you felt they were doing something irresponsible, since after all electricity, water, natural gas, etc are not necessary for survival (and in fact many people in the world do not have these things), but most people in the US would argue that they are more than luxuries. Maybe you are lucky enough to have well or cistern water, and live in a climate where winter heating isn't necessary for survival, or perhaps you have a wood-burning stove/fireplace that could heat your house if you don't have electricity or natural gas -- but that doesn't mean that they are luxuries for everyone, irrespective of the circumstances of that person's life.
  
  Those are more extreme examples, but the fact is that my life is currently based around having broadband at home, and although I could do without it (just as I could do without electricity, natural gas, and city water), I would need to make very large changes to my life to do so.
Mockapetris by Detritus · 2008-11-10 04:10 · Score: 4, Interesting

Mockapetris wrote a nice book on the ideas behind the domain naming system, which is sadly long out of print. One statement that he made has always stuck in my mind, "names are not routes are not addresses". Keeping those things distinct and well-defined avoids many problems.

--
Mea navis aericumbens anguillis abundat
Hm, that and DNSsec sucks ass by Nicolas+MONNET · 2008-11-10 04:11 · Score: 3, Informative

Look at the history of DNSsec; the specs have been done and redone several times over, there is no consensus, and it looks like it would be a bitch to admin.
1. Re:Hm, that and DNSsec sucks ass by Ed+Avis · 2008-11-10 04:41 · Score: 4, Interesting
  
  Can someone explain what is the point of DNSsec? An https website already has its own certificate which authenticates you are talking with the right person, and https is designed to be secure without trusting DNS. If DNSsec had been widely implemented twenty years ago then secure protocols might have evolved in a different direction, but given where we are now, what problem does DNSsec solve?
  Similarly if you use ssh then the server authenticates to you with its own keypair. You don't need to trust that DNS gives the right answer.
  Is DNSsec just to stop denial of service attacks on the DNS infrastructure and trivial hijacking of insecure protocols like telnet and http?
  
  --
  -- Ed Avis ed@membled.com
2. Re:Hm, that and DNSsec sucks ass by Charlotte · 2008-11-10 05:22 · Score: 5, Interesting
  
  Can someone explain what is the point of DNSsec? An https website already has its own certificate
  DNS is a naming service, but it was never designed to be a trustworthy naming service. If it was, then DNS spoofing would have been impossible. Another reason why, currently, SSL certificates are needed is IP address spoofing. But if your certificate is embedded in a DNS entry then there is no reason for anyone to need a third-party-signed certificate at all. All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities.
  So if we fix DNS then we can skip SSL root CAs entirely and just go with DNS. But SSL certs are a lucrative business, which is why Verisign et. al. don't want DNS to be fixed. It would be the end of their best cash cow. But fixing it is necessary for the internet to become a truly trustworthy place of business.
  The article, BTW, strikes me as odd. Isn't it Paul Vixie who has been campaigning for DNSSEC for ages now? He isn't even mentioned.
3. Re:Hm, that and DNSsec sucks ass by bnjf · 2008-11-10 05:39 · Score: 2, Insightful
  
  http://dnscurve.org/index.html
  DJB's take on it, although it's gone quiet...
Re:We'll add security later by Hal_Porter · 2008-11-10 04:24 · Score: 5, Informative

Not really. Back when DNS was invented (1982) pretty much everything connected to the Internet was essentially a trusted machine. Arguably that was almost true until the Morris worm in 1988. Of course you could never truly trust them, but the idea was that if someone did something silly other people would phone them and then they would stop. Essentially it was an anarchy populated by non malicious people.

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
DNSsec by Ex-Linux-Fanboy · 2008-11-10 04:37 · Score: 2, Interesting

DNSsec, obviously, is the solution. The problem is the same problem with IPv6: The old way of doing things are so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given domain. As a implementer of a somewhat obscure Open-source DNS server, from where I stand I don't like DNSsec, mainly because it's a pain to implement (Don't even get me started on the mess that is the BIND zonefile format; there's a reason DJB was too lazy to implement BIND zonefiles at all). But, yes, considering the number of programs that actually trust a DNS packet (web browsers, cough cough), we need to make these packets secure. - Sam
1. Re:DNSsec by Russ+Nelson · 2008-11-10 10:35 · Score: 2, Informative
  
  It's not a question of DJB being too lazy to implement BIND zonefiles. It's more a question that BIND zonefiles must die because they're astoundingly difficult to parse, and even if they weren't, they're prone to user edit failures. Ever forgotten a dot at the end of a name? I haven't -- not since switching to djbdns.
  
  --
  Don't piss off The Angry Economist
Malicious links are a serious problem nowadays by Anonymous Coward · 2008-11-10 04:47 · Score: 2, Funny

Ihope someone takes steps to deal with this. Imagine if every link someone posted had to be regarded with suspicion. It would be the end of the internet
No need to fix this problem by damn_registrars · 2008-11-10 05:10 · Score: 3, Insightful

ICANN is going to start selling new gTLDs that will turn the current DNS system into arbitrary mish-mash anyways. Just wait until we start seeing links to .cheapdrugs domains, and we try to find the DNS info for that.

Then we'll find ourselves longing for the current DNS problem.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Re:Wow by gomiam · 2008-11-10 06:35 · Score: 2, Informative

A town? I think Gutenberg was a person.
Not enough value in DNSSEC by Russ+Nelson · 2008-11-10 10:32 · Score: 2, Interesting

There's not enough value in implementing DNSSEC. That is, of course, why you're proposing a law. Laws are needed to get people to do things that are irrational.

--
Don't piss off The Angry Economist