6/19/2009
03:49 PM

DNSSEC Showing More Signs Of Progress

The Domain Name System (DNS) security protocol is finally making inroads on the Internet infrastructure front, but big hurdles remain for widespread, smooth adoption

It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name System (DNS) security protocol, and in the past few days it has drawn some commercial activity as well.

HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.) announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers from the cache poisoning flaw uncovered last year by researcher Dan Kaminsky.

Momentum for DNSSEC built gradually in the wake of Kaminsky's finding and the patches vendors subsequently deployed. First, the federal government expanded its plans for widespread DNSSEC adoption after initially recommending it only for some systems; now all federal agencies must adopt DNSSEC by December 2009. Most recently, a federal official said publicly that the updated FISMA regulations will also require federal agencies to sign their intranet "zones" with DNSSEC by the middle of next year.

Kaminsky officially threw his support behind DNSSEC at Black Hat DC in February; he had mostly dismissed the protocol as a solution for securing DNS until he studied the specification more closely.

"I am relatively new to the pro-DNSSEC cause. I just don't see another way to address the endemic cross-organizational authentication and bootstrapping issues we have today," Kaminsky says. "DNS has fixed everyone else's cross-organizational issues for 25 years. It can fix security's as well.

"We are definitely making progress."

Cricket Liu, vice president of architecture for Infoblox and author of several DNS books, says while the latest commercial announcements are interesting, the biggest news for DNSSEC this year was the signing of .org, and that the Department of Commerce's National Telecommunications and Information Administration (NTIA) said it would sign the .gov root within a year. "These have a bearing on the infrastructure -- that's a huge deal," Liu says.

And now the feds are planning to add to FISMA the requirement that federal agencies sign their internal zones -- their intranets -- with DNSSEC by mid-2010, Liu says. "And that's a lot more name space," he says.

ICANN earlier this month announced it will work with the NTIA, the National Institute of Standards and Technology (NIST), and VeriSign to ensure that the Internet's root zone is digitally signed with DNSSEC this year. "ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long-term signing processes," Paul Twomey, President and CEO of ICANN, said in a statement.

The announcement earlier this month that the .org top-level domain had successfully DNSSEC-signed its zone was a major milestone for the security protocol, security experts say. But there's still plenty of work to do at all levels of the Internet infrastructure.
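A signed TLD only pays off if the resolver in front of you actually validates. The check a practitioner would run against a freshly signed zone such as .org is to send a query with the EDNS0 DO bit set and see whether the reply carries RRSIG records and the AD (authenticated data) flag. The following is an added example using only the Python standard library; it is not code from the article, from BIND, or from any vendor named here. It assumes a validating resolver reachable at 127.0.0.1 for the live function, and the sample reply it parses offline is a constructed message for example.org with a placeholder signature, not a real RRSIG.

```python
import os
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: the resolver validated this answer
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the OPT pseudo-RR "TTL" field


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=None):
    """Query with an EDNS0 OPT record and DO=1, so a validating resolver
    returns RRSIGs and sets AD when the answer chain verifies."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # unpredictable transaction ID
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, type 41, class = UDP payload size, ttl = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, offset):
    """Offset just past a wire-format name; compression pointers are two bytes."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Pull out the fields that matter for a DNSSEC sanity check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        types.append(rtype)
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "has_rrsig": TYPE_RRSIG in types[:an],       # signatures in the answer section
        "types": types,
    }


def live_query(name, resolver="127.0.0.1", timeout=3.0):
    """Send the query over UDP to the assumed resolver and parse the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    result = parse_response(reply)
    # A reply whose ID does not match ours is stray or spoofed: refuse it.
    if result["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return result


def sample_response(txid, signed=True, validated=True):
    """Constructed reply for example.org (dummy RRSIG bytes, not a real signature)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    answers = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    count = 1
    if signed:
        rrsig = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 1262304000, 1259712000, 12345)
        rrsig += encode_name("example.org") + b"\x00" * 64      # placeholder signature
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_RRSIG, CLASS_IN, 300, len(rrsig)) + rrsig
        count = 2
    header = struct.pack("!HHHHHH", txid, flags, 1, count, 0, 1)
    question = encode_name("example.org") + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answers + opt


if __name__ == "__main__":
    r = parse_response(sample_response(0x1234))
    print("validated:", r["ad"], "signed:", r["has_rrsig"])
```

Two outcomes are worth telling apart: RRSIGs present but AD clear means the zone is signed but the resolver is not validating (or the chain of trust to it is broken), while AD set means the resolver checked the chain for you. `live_query` also refuses a reply whose transaction ID does not match the query, the same check that Kaminsky's attack relies on resolvers getting wrong.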

Enterprises, meanwhile, are facing some challenges in adopting DNSSEC. Kaminsky says businesses must look at DNSSEC not just as a DNS security solution, but also as "an answer for PKI's failings." DNSSEC will "enable a new generation of security solutions that actually work and scale," he says. "Resources should be assigned now to deal with the DNSSEC dependencies of those solutions."

Infoblox's Liu says most of the tools available today for managing signed zones are rudimentary. BIND, the most pervasive DNS server, has command-line controls for DNSSEC. "They are relatively difficult to use, and difficult to integrate into" other management tools, he says.

Kaminsky concurs: "The biggest challenges will be getting DNSSEC automated. BIND is just not where it needs to be for automation, and neither is MSDNS. There are third-party products that help, but we need the standard implementations to get better," he says.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
