Slashdot Mirror


5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."

13 of 313 comments

  1. DNSSEC is not the best long term fix by Anonymous Coward · · Score: 4, Informative

    DNSSEC is a flaw too! Once I watched a keynote from Daniel J. Bernstein at FISL pointing out all the flaws that make DNSSEC vulnerable. So he pointed to a better solution called DNSCurve: http://en.wikipedia.org/wiki/DNSCurve

    1. Re:DNSSEC is not the best long term fix by GameboyRMH · · Score: 2

      Furthermore see Moxie Marlinspike's criticisms of DNSSEC:

      http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/

      About 2/3 way down the page.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:DNSSEC is not the best long term fix by marka63 · · Score: 2

      Slides from a Bernstein talk
      A quote:

      Summary so far:
      DNSSEC does nothing to improve DNS availability.

      Neither does DNSCurve.

      DNSSEC allows astonishing levels of DDoS amplification, damaging Internet availability.

      Which is not a problem of DNSSEC per se but a basic problem of DNS. It is also solvable. It just requires will to deploy the solutions.

      DNSSEC does nothing to improve DNS privacy.

      This was an explicit non goal of DNSSEC.

      DNSSEC, even with NSEC3, leaks private DNS data.

      No more than DNS leaks private data.

  2. Sweden Innovates by ptudor · · Score: 4, Informative
    So, there's OpenDNSSEC to automate deployments; I strongly suggest spending the time to watch the .SE NIC's nine-part training videos from 2010 at Youtube to improve one's understanding: http://www.youtube.com/watch?v=zl3gdM5tDTo

    Some respected members of our community dismiss DNSSEC. This video of DJB presents an opinion: DJB at 27C3

  3. Re:How custom hosts files help vs. DNS flaws... ap by dickplaus · · Score: 2

    I only scanned this, but I'm supposed to turn off my computer and no longer use the interwebs is what I gathered?

  4. Re:How custom hosts files help vs. DNS flaws... ap by Sheetrock · · Score: 2

    Nah, just edit once and have the other 4999 machines fetch through Gnutella with a batch file. It's not like this isn't a solved problem.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.
  5. Basic rule of computer security by dkleinsc · · Score: 2

    Many potentially targeted organizations will not spend the time and money to make the necessary changes without prodding. I've seen this in payment security too: A lot of companies are shocked and dismayed when they find out that they are supposed to store credit card numbers in some way other than in plaintext in a database accessible to anyone with the single database login that everyone in the company has.

    The only thing that will prod them is experiencing a cost of doing nothing that is higher than the cost of implementing the solution.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  6. I deployed it at our ISP recursive servers by whois · · Score: 4, Interesting

    It broke access to several DNSSEC enabled websites that were misconfigured. After a few months of support problems where we suggested the websites fix their issues and they ignored it, it was requested by management that we turn it off.

    It's a very bad design as it stands now. It's unable to return any error but NX Domain for DNSSEC errors for reasons of backward compatibility, which is stupid since you need a DNSSEC enabled resolver to make the request.

    It also has an incredibly steep learning curve that even experienced public key administrators face problems with.
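As an added illustration (not code from this thread or from any resolver software) of how a client can observe the behaviour the comment above describes: build a query carrying the EDNS0 DO bit, then read the transaction ID, RCODE and AD (Authentic Data) bit of the reply. RFC 4035 has a validating resolver set AD on answers that validated and return SERVFAIL (RCODE 2) when validation fails; the sample replies below are constructed headers, not captured traffic.

```python
import secrets
import struct

def encode_name(name):
    """Dotted name -> DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dnssec_query(name, txid=None, qtype=1):
    """UDP query with an EDNS0 OPT record whose DO bit is set, i.e. a request
    for DNSSEC material and validation status. A random 16-bit transaction ID
    is drawn when none is supplied."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    # OPT RR: root owner, type 41, class = UDP payload size, TTL field carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def classify_response(query, response):
    """Inspect the reply header: does the ID match our query, what is the
    RCODE, and did the resolver set AD (it does so only after validation)."""
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags = struct.unpack("!HH", response[:4])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    return {
        "id_match": q_id == r_id,
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "ad": ad,
        "validated": q_id == r_id and rcode == 0 and ad,
    }

# Constructed sample replies: header plus echoed question only (answer and OPT sections omitted).
QUERY = build_dnssec_query("example.com", txid=0x1234)
QUESTION = QUERY[12:-11]
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0) + QUESTION   # QR RD RA AD, NOERROR
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUESTION       # QR RD RA, SERVFAIL
UNVERIFIED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION  # QR RD RA, no AD

if __name__ == "__main__":
    for label, resp in (("validated", VALIDATED), ("bogus", BOGUS), ("unverified", UNVERIFIED)):
        print(label, classify_response(QUERY, resp))
```

To run it against a real resolver, send `QUERY` over UDP port 53 and pass the datagram you get back to `classify_response`.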

  7. Dutch solution by CAPSLOCK2000 · · Score: 2

    SIDN (the maintainer of .nl) offers a small discount to domains that use DNSSEC. This was sufficient motivation for a few large hosting companies to enable DNSSEC across all their domains. In just a few days a fifth of all Dutch domains switched over. By now 26% of the .nl domains (1.381.790 out of 5.153.408) use DNSSEC.

  8. Re:Dutch Innovate by kwark · · Score: 2

    Why choose this instead of powerdnssec? I strongly suggest the dnssec training at http://www.dnsseccourse.nl/en/player.html (flash) to improve one's understanding of the dnssec protocol. And powerdns to implement it http://doc.powerdns.com/powerdnssec-auth.html

    BTW dnssec adoption is amongst the highest for .nl in absolute numbers of domains, simply because there is a bounty for every domain signed. If you have a few hundred domains the costs to implement are lower than the discount given till mid 2014 == profit for implementing dnssec. And since powerdns does all the hard work automatically and dynamically in a transparent way (except importing the DS key in the tld)

  9. Re:And do you know why it's not widely deployed? by grasshoppa · · Score: 3, Insightful

    Wrong actually. Security works best when it's simple. Make it too complex, or needlessly complex, and you open yourself up for implementation flaws.

    Security implementation should only be as complex as needed. Added complexity only serves to compromise the security you are trying to achieve in the first place.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  10. DNS is not a security mechanism... by gweihir · · Score: 3, Insightful

    If your security depends on DNS working, you are screwed anyways. That is likely the main reason nobody uses DNSSEC: It does solve the wrong problem.

    1. The sane way for remote access is to require 2-sided authentication on connection, making DNSSEC entirely redundant.
    2. For the open web, things are a bit different, but there you can land on a malicious page any time and the only solution for that is a non-vulnerable browser or a secure browsing environment.

    There is also the small issue that DNSSEC is badly borked and a nightmare to install and maintain. In addition, the other PKI (SSL certs) is badly broken, and there is really no reason the DNSSEC PKI would fare any better if widely deployed. In the long run, it is very likely that DNSSEC is just a waste of time and effort.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:And do you know why it's not widely deployed? by nullchar · · Score: 2

    Agreed. Implementing DNSSEC is a royal pain in the ass for the authoritative server operator. If it was easy, many would have done it.

    Additionally, your domain registrar must support DNSSEC to list the digest records or even public keys with the registry so they can be listed in the TLD-root zone. Once you sign a domain, you cannot transfer the domain to a non-DNSSEC-implementing registrar.
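The "digest records" handed to the registrar (comment 11) and the "DS key" imported into the TLD (comment 8) are DS records derived from the zone's DNSKEY. This added example (not code from the thread, PowerDNS or OpenDNSSEC) derives one the way RFC 4034 specifies: the key tag from the DNSKEY RDATA and the digest over the canonical owner name plus that RDATA. The DNSKEY here is constructed with placeholder key bytes; for a real zone you would decode the base64 public key field instead.

```python
import hashlib
import struct

def wire_name(owner):
    """Canonical (lower-case) wire form of the owner name, as the DS digest requires."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (257 = zone key + SEP, a KSK), protocol (always 3),
    algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded
    back in (valid for every algorithm except the obsolete RSA/MD5, number 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for the DS record.
    digest = H(canonical owner name || DNSKEY RDATA); type 2 is SHA-256, type 1 SHA-1."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashers[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, digest_type, digest

def ds_presentation(owner, rdata, digest_type=2):
    """Zone-file form of the DS record the parent zone would publish."""
    tag, alg, dtype, digest = ds_record(owner, rdata, digest_type)
    return f"{owner.rstrip('.').lower()}. IN DS {tag} {alg} {dtype} {digest}"

# Constructed KSK for a hypothetical zone: algorithm 8 (RSASHA256), placeholder key bytes.
SAMPLE_KSK = dnskey_rdata(257, 8, b"\x01\x02")

if __name__ == "__main__":
    print(ds_presentation("example.nl.", SAMPLE_KSK))
```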