Slashdot Mirror


DNS Inventor Tackles Flaw

nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, let attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."

4 of 101 comments

  1. I tried to RTFA... by dkf · Score: 5, Funny

    ... but it seems that a DNS attack redirected it to a fluff piece without any useful content.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  2. Re:Law is only way by howdoesth · Score: 5, Funny

    You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.

    I see you're using the sense of "always" that means "occasionally" or even "very rarely."

  3. Re:We'll add security later by Hal_Porter · Score: 5, Informative

    Not really. Back when DNS was invented (1982) pretty much everything connected to the Internet was essentially a trusted machine. Arguably that was almost true until the Morris worm in 1988. Of course you could never truly trust them, but the idea was that if someone did something silly other people would phone them and then they would stop. Essentially it was an anarchy populated by non-malicious people.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  4. Re:Hm, that and DNSsec sucks ass by Charlotte · Score: 5, Interesting

    Can someone explain what is the point of DNSsec? An https website already has its own certificate

    DNS is a naming service, but it was never designed to be a trustworthy naming service. If it was, then DNS spoofing would have been impossible. Another reason why, currently, SSL certificates are needed is IP address spoofing. But if your certificate is embedded in a DNS entry then there is no reason for anyone to need a third-party-signed certificate at all. All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities.

    So if we fix DNS then we can skip SSL root CAs entirely and just go with DNS. But SSL certs are a lucrative business, which is why Verisign et al. don't want DNS to be fixed. It would be the end of their best cash cow. But fixing it is necessary for the internet to become a truly trustworthy place of business.

    The article, BTW, strikes me as odd. Isn't it Paul Vixie who has been campaigning for DNSSEC for ages now? He isn't even mentioned.