Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/19/2009
03:49 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

DNSSEC Showing More Signs Of Progress

The Domain Name System (DNS) security protocol is finally making inroads on the Internet infrastructure front, but big hurdles remain for widespread, smooth adoption

It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name Service (DNS) security protocol, and during the past few days, some commercial activity was associated with it.

HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.), announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers from getting hit with the DNS cache poisoning flaw uncovered last year by researcher Dan Kaminksy.

Momentum for DNSSEC began gradually in the wake of Kaminsky's finding and the subsequent patches vendors deployed -- first, the federal government expanded its plans for widespread DNSSEC adoption after at first only recommending it for some systems. Now all federal agencies must adopt DNSSEC by December 2009. And most recently, a federal official said publicly that the updated FISMA regulations will require federal agencies to also sign their intranet "zones" with DNSSEC by the middle of next year.

Kaminsky in February at Black Hat DC officially threw his support behind DNSSEC after mostly dismissing the protocol as a solution for securing DNS after studying the specification more closely.

"I am relatively new to the pro-DNSSEC cause. I just don't see another way to address the endemic cross-organizational authentication and bootstrapping issues we have today," Kaminsky says. "DNS has fixed everyone else's cross-organizational issues for 25 years. It can fix security's as well.

"We are definitely making progress."

Cricket Liu, vice president of architecture for Infoblox and author of several DNS books, says while the latest commercial announcements are interesting, the biggest news for DNSSEC this year was the signing of .org, and that the Department of Commerce's National Telecommunications and Information Administration (NTIA) said it would sign the .gov root within a year. "These have a bearing on the infrastructure -- that's a huge deal," Liu says.

And now the feds are planning to add to the FISMA the requirement that federal agencies sign their internal zones -- their intranets -- with DNSSEC by mid-2010, Liu says. "And that's a lot more name space," he says.

ICANN earlier this month announced it will work with the NTIA, the National Institute of Standards and Technology (NIST), and VeriSign to ensure that the Internet's root zone is digitally signed with DNSSEC this year for security reasons. "ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long-term signing processes" Paul Twomey, President and CEO of ICANN said in a statement.

The announcement earlier this month that the .org top-level domain had successfully DNSSEC-signed its zone was a major milestone for the security protocol, security experts say. But there's still plenty of work to do at all levels of the Internet infrastructure.

Enterprises, meanwhile, are facing some challenges in adopting DNSSEC. Kaminsky says businesses must look at DNSSEC as not just a DNS security solution, but also as "an answer for PKI's failings." DNSSEC will "enable a new generation of security solutions that actually work and scale," he says. "Resources should be assigned now to deal with the DNSSEC dependencies of those solutions.

Infoblox's Liu says most of the tools available today for managing signed zones are rudimentary. BIND, the most pervasive DNS server, has command-line controls for DNSSEC. "They are relatively difficult to use, and difficult to integrate into" other management tools, he says.

Kaminsky concurs: "The biggest challenges will be getting DNSSEC automated. BIND is just not where it needs to be for automation, and neither is MSDNS. There are third-party products that help, but we need the standard implementations to get better," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17274
PUBLISHED: 2020-02-26
NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.
CVE-2019-17275
PUBLISHED: 2020-02-26
OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.
CVE-2020-3169
PUBLISHED: 2020-02-26
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a spe...
CVE-2020-3170
PUBLISHED: 2020-02-26
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could expl...
CVE-2020-3171
PUBLISHED: 2020-02-26
A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input vali...