Perimeter

2/24/2010
04:58 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Comcast Goes DNSSEC, OpenDNS Adopts Alternative DNS Security

DNS provider OpenDNS selects DNSCurve over DNSSEC, but experts say the two technologies could eventually play together

Domain Name System (DNS) security was hot this week, with the much-anticipated DNSSEC technology for locking down domain servers getting both the nod from a major ISP and passed over by a DNS service provider.

Comcast has announced it will deploy DNSSEC in its Websites, including comcast.com, comcast.net, and xfinity.com, by the first quarter of next year, and it will begin using DNSSEC validation for all of its customers by the end of 2011. In a separate announcement, meanwhile, OpenDNS said it had deployed an alternative to DNSSEC, DNSCurve.

OpenDNS engineer and security researcher Matthew Dempsky says the company "put a lot of thought into" adopting DNSCurve at this time and concluded it made more sense than DNSSEC because it's simpler and easier to deploy and manage than DNSSEC -- and because it uses stronger cryptography. "DNSSEC is not a very viable solution as a whole," Dempsky says. "While there are increasing efforts to deploy it ... there's been a lot of testing with questionable results. There are still a lot of compatibility issues to be worked out."

DNSSEC adoption has finally begun gaining traction during the past year after nearly 15 years in the making. Concerns about how to defend against the DNS cache-poisoning flaw discovered by Dan Kaminsky have helped invigorate DNSSEC adoption efforts by government and industry. The .gov and .org top-level domains have begun to adopt the DNS security protocol, and .edu has been under way recently, as well.

The root zone DNS servers will be "signed" with DNSSEC technology in July, and VeriSign plans to deploy DNSSEC in the .com, .net, and .edu domains by the first quarter of 2011. "The critical mass has started," says Matt Larson, vice president of DNS research for VeriSign, which today rolled out its anticipated DNSSEC Interoperability Lab for vendors and service providers. "You're starting to see the snowball begin to roll down the hill with DNSSEC this year."

But OpenDNS' Dempsky argues that DNSSEC adoption is not far along and that DNSCurve is the technology for "right now" for preventing the Kaminsky DNS cache-poisoning attack and other threats. He says DNSSEC's RSA 512-bit and 1024-bit keys aren't secure enough given recent crypto hacks, and aren't up to date with recommended 2028-bit keys.

In addition, DNSSEC's use of digital signatures to authenticate Website domain information is inefficient, according to Dempsky. DNSCurve uses a different approach: per-packet encryption and authentication. The two technologies aren't interchangeable, per se -- DNSCurve is aimed more at transactional security between pairs of name servers, while DNSSEC protects the zone data, says Cricket Liu, vice president of architecture for Infoblox and author of several DNS books. "They don't address the same spectrum of threats," Liu says.

And unlike DNSSEC, DNSCurve isn't an IETF-backed technology, although OpenDNS's Dempsky has written a draft of the protocol for the IETF that he hopes will be accepted by the standards organization.

Infoblox's Liu called OpenDNS's choice to go with DNSCurve "regrettable" given all of the community effort to finalize and push DNSSEC forward. "This is potentially diluting the focus on DNSSEC," he says.

Even so, Liu and VeriSign's Larson say the two technologies could ultimately be used together. "DNSCurve is clever and solves some problems," Liu says. He says DNSCurve is basically a bootstrap for the existing transactional security standard used in DNS today. "So in the communication between two name servers, it's able to check that what you hear is what I said," he says. But unlike DNSSEC, it can't determine "if I'm lying to you," for example.

"Over time, it might be possible for these [technologies] to be used together," Liu says. "But they are not two different options for solving the same set of problems."

One area where there might be symmetry is in cryptography. VeriSign's Larson says DNSSEC is architected such that it can swap crypto algorithms, so although the focus for now is on the widely implemented RSA algorithms, DNSSEC could potentially deploy the Elliptic Curve Cryptography (ECC) used by DNSCurve. "VeriSign is very interested in that," he says. "I absolutely see adding ECC to it in the next couple of years."

For now, OpenDNS runs the only known operational implementation of DNSCurve, according to Dempsky. But the company has had several inquiries to its invitation for others to join as well. Dempsky says OpenDNS has not yet decided on any plans for DNSSEC adoption.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
CVE-2019-11459
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
CVE-2019-11460
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
CVE-2019-8452
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...