Risk
6/19/2009 03:49 PM

DNSSEC Showing More Signs Of Progress

The Domain Name System (DNS) security protocol is finally making inroads on the Internet infrastructure front, but big hurdles remain for widespread, smooth adoption

It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name System (DNS) security protocol, and in the past few days vendors and service providers have started to announce commercial products and services built around it.

HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.) announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers against the cache poisoning attack uncovered last year by researcher Dan Kaminsky.

Momentum for DNSSEC began to build in the wake of Kaminsky's finding and the patches vendors subsequently deployed. First, the federal government, which had initially recommended DNSSEC only for some systems, expanded its plans for widespread adoption; all federal agencies must now adopt DNSSEC by December 2009. More recently, a federal official said publicly that updated FISMA regulations will also require federal agencies to sign their intranet "zones" with DNSSEC by the middle of next year.

Kaminsky, who had mostly dismissed DNSSEC as a solution for securing DNS, officially threw his support behind the protocol at Black Hat DC in February after studying the specification more closely.

"I am relatively new to the pro-DNSSEC cause. I just don't see another way to address the endemic cross-organizational authentication and bootstrapping issues we have today," Kaminsky says. "DNS has fixed everyone else's cross-organizational issues for 25 years. It can fix security's as well.

"We are definitely making progress."

Cricket Liu, vice president of architecture for Infoblox and author of several DNS books, says that while the latest commercial announcements are interesting, the biggest news for DNSSEC this year was the signing of .org, and the Department of Commerce's National Telecommunications and Information Administration (NTIA) saying it would have the root zone signed within a year. "These have a bearing on the infrastructure -- that's a huge deal," Liu says.

And now the feds are planning to add to FISMA a requirement that federal agencies sign their internal zones -- their intranets -- with DNSSEC by mid-2010, Liu says. "And that's a lot more name space," he says.

ICANN announced earlier this month that it will work with the NTIA, the National Institute of Standards and Technology (NIST), and VeriSign to have the Internet's root zone digitally signed with DNSSEC this year. "ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long-term signing processes," Paul Twomey, President and CEO of ICANN, said in a statement.

The announcement earlier this month that the .org top-level domain had successfully DNSSEC-signed its zone was a major milestone for the security protocol, security experts say. But there's still plenty of work to do at all levels of the Internet infrastructure.

Enterprises, meanwhile, are facing some challenges in adopting DNSSEC. Kaminsky says businesses must look at DNSSEC not just as a DNS security solution, but also as "an answer for PKI's failings." DNSSEC will "enable a new generation of security solutions that actually work and scale," he says. "Resources should be assigned now to deal with the DNSSEC dependencies of those solutions."

Infoblox's Liu says most of the tools available today for managing signed zones are rudimentary. BIND, the most pervasive DNS server, has command-line controls for DNSSEC. "They are relatively difficult to use, and difficult to integrate into" other management tools, he says.

Kaminsky concurs: "The biggest challenges will be getting DNSSEC automated. BIND is just not where it needs to be for automation, and neither is MSDNS. There are third-party products that help, but we need the standard implementations to get better," he says.
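As an added illustration of one of the steps the command-line tooling above has to get right (this is not code from the article, from BIND, or from any vendor named here): the computation a parent zone such as .org or the root performs when it publishes a DS record for a child's key-signing key, and the matching check a validator performs on the way back down the chain of trust. It implements the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509) in plain Python with the standard library only. The DNSKEY is a constructed sample with a dummy four-byte public key, and the owner name example.org. is illustrative; neither comes from the article.

```python
"""Derive and check the DS record a parent zone publishes for a child's
key-signing key (RFC 4034, section 5.1 and Appendix B).

Added illustration for this article; not code from the article, from BIND,
or from any vendor named above.  Standard library only.  The DNSKEY below
is a constructed sample with a dummy 4-byte public key; the owner name
example.org. is illustrative.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample DNSKEY (not a real key): flags 257 = zone key + SEP,
# protocol 3, algorithm 8 (RSA/SHA-256), public key bytes 01 02 03 04.
SAMPLE_OWNER = "example.org."
SAMPLE_KEY = {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey_b64": "AQIDBA=="}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 6.2): labels lowercased,
    each preceded by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form (RFC 4034 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def is_ksk(flags):
    """True when both the zone-key bit (0x100) and the SEP bit (0x1) are set,
    i.e. flags 257, the combination BIND's dnssec-keygen -f KSK produces."""
    return flags & 0x101 == 0x101


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): 16-bit checksum over the RDATA with
    even-offset bytes weighted by 256.  It is a locator, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 5.1.4): hash over canonical owner name || DNSKEY RDATA."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS record the parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type,
        ds_digest(owner, rdata, digest_type))


def ds_matches(owner, rdata, tag, algorithm, digest_type, digest_hex):
    """Validator-side check: does a published DS bind this DNSKEY?  Key tag and
    algorithm must agree and the digest must recompute identically; a key that
    differs in even one byte fails here, which is what anchors the child zone."""
    return (key_tag(rdata) == tag
            and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest_hex.upper())


if __name__ == "__main__":
    print(make_ds(SAMPLE_OWNER, **SAMPLE_KEY))
```

The owner name is lowercased before hashing, so a DS computed from `Example.ORG.` and from `example.org` agree; forgetting that canonicalization is one of the easy ways a hand-built DS ends up not matching what the parent publishes, and it is the kind of detail the tooling discussed above has to hide from the operator.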

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
