Perimeter

2/24/2010
04:58 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Comcast Goes DNSSEC, OpenDNS Adopts Alternative DNS Security

DNS provider OpenDNS selects DNSCurve over DNSSEC, but experts say the two technologies could eventually play together

Domain Name System (DNS) security was hot this week, with the much-anticipated DNSSEC technology for locking down domain servers getting both the nod from a major ISP and passed over by a DNS service provider.

Comcast has announced it will deploy DNSSEC in its Websites, including comcast.com, comcast.net, and xfinity.com, by the first quarter of next year, and it will begin using DNSSEC validation for all of its customers by the end of 2011. In a separate announcement, meanwhile, OpenDNS said it had deployed an alternative to DNSSEC, DNSCurve.

OpenDNS engineer and security researcher Matthew Dempsky says the company "put a lot of thought into" adopting DNSCurve at this time and concluded it made more sense than DNSSEC because it's simpler and easier to deploy and manage than DNSSEC -- and because it uses stronger cryptography. "DNSSEC is not a very viable solution as a whole," Dempsky says. "While there are increasing efforts to deploy it ... there's been a lot of testing with questionable results. There are still a lot of compatibility issues to be worked out."

DNSSEC adoption has finally begun gaining traction during the past year after nearly 15 years in the making. Concerns about how to defend against the DNS cache-poisoning flaw discovered by Dan Kaminsky have helped invigorate DNSSEC adoption efforts by government and industry. The .gov and .org top-level domains have begun to adopt the DNS security protocol, and .edu has been under way recently, as well.

The root zone DNS servers will be "signed" with DNSSEC technology in July, and VeriSign plans to deploy DNSSEC in the .com, .net, and .edu domains by the first quarter of 2011. "The critical mass has started," says Matt Larson, vice president of DNS research for VeriSign, which today rolled out its anticipated DNSSEC Interoperability Lab for vendors and service providers. "You're starting to see the snowball begin to roll down the hill with DNSSEC this year."

But OpenDNS' Dempsky argues that DNSSEC adoption is not far along and that DNSCurve is the technology for "right now" for preventing the Kaminsky DNS cache-poisoning attack and other threats. He says DNSSEC's RSA 512-bit and 1024-bit keys aren't secure enough given recent crypto hacks, and aren't up to date with recommended 2028-bit keys.

In addition, DNSSEC's use of digital signatures to authenticate Website domain information is inefficient, according to Dempsky. DNSCurve uses a different approach: per-packet encryption and authentication. The two technologies aren't interchangeable, per se -- DNSCurve is aimed more at transactional security between pairs of name servers, while DNSSEC protects the zone data, says Cricket Liu, vice president of architecture for Infoblox and author of several DNS books. "They don't address the same spectrum of threats," Liu says.

And unlike DNSSEC, DNSCurve isn't an IETF-backed technology, although OpenDNS's Dempsky has written a draft of the protocol for the IETF that he hopes will be accepted by the standards organization.

Infoblox's Liu called OpenDNS's choice to go with DNSCurve "regrettable" given all of the community effort to finalize and push DNSSEC forward. "This is potentially diluting the focus on DNSSEC," he says.

Even so, Liu and VeriSign's Larson say the two technologies could ultimately be used together. "DNSCurve is clever and solves some problems," Liu says. He says DNSCurve is basically a bootstrap for the existing transactional security standard used in DNS today. "So in the communication between two name servers, it's able to check that what you hear is what I said," he says. But unlike DNSSEC, it can't determine "if I'm lying to you," for example.

"Over time, it might be possible for these [technologies] to be used together," Liu says. "But they are not two different options for solving the same set of problems."

One area where there might be symmetry is in cryptography. VeriSign's Larson says DNSSEC is architected such that it can swap crypto algorithms, so although the focus for now is on the widely implemented RSA algorithms, DNSSEC could potentially deploy the Elliptic Curve Cryptography (ECC) used by DNSCurve. "VeriSign is very interested in that," he says. "I absolutely see adding ECC to it in the next couple of years."

For now, OpenDNS runs the only known operational implementation of DNSCurve, according to Dempsky. But the company has had several inquiries to its invitation for others to join as well. Dempsky says OpenDNS has not yet decided on any plans for DNSSEC adoption.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9047
PUBLISHED: 2019-02-23
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
CVE-2019-9062
PUBLISHED: 2019-02-23
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
CVE-2019-9063
PUBLISHED: 2019-02-23
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.
CVE-2019-9064
PUBLISHED: 2019-02-23
PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
CVE-2019-9065
PUBLISHED: 2019-02-23
PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.