Kaminsky calls for DNSSEC deployment
Political hot potato
ARLINGTON, VA. -- Dan Kaminsky's second act has begun: Pushing the adoption of the DNSSEC security standard for the domain-name system.
So many security frameworks — from password resets via e-mail to SSL certificates — rely on DNS in some way that the protocol has to be secured for Internet security to work, Kaminsky told attendees at the Black Hat DC Security Briefings. DNSSEC is by far the leading security standard for the domain-name system, and the US government has already committed to deploying the protocol this year.
However, DNSSEC is hard to deploy and maintain and is a political hot potato, because in the simplest case, a single root — administered by the U.S. Department of Commerce — would authenticate the entire domain-name system for the Internet, Kaminsky said. Yet, other countries can maintain their own root servers for their domains, and as long as the servers are maintained, the DNS system will continue to work, he said.
"Politics is getting in our way more than security," Kaminsky said. "It's time to sign the root and be done with it."
Last July, Kaminsky and a number of Internet infrastructure companies announced that he had discovered a significant attack on the domain-name system. The companies issued patches for their products, but within three weeks, online attackers had already started using the flaw to attack some popular domains. Many DNS servers remain unpatched, he said.
Kaminsky, who is the director of penetration testing for security firm IOActive, has taken two months leave from his work to advocate DNSSEC adoption, he told SecurityFocus.
The researcher also argued for simple implementations of DNSSEC. While the protocol is fine, DNSSEC systems are not easy to deploy or maintain. Without automation, administrators will keep putting off deployments, he stressed.
This article originally appeared in SecurityFocus.
Copyright © 2008, SecurityFocus
"Signing DNS and SSL certificates are two completely different things, and serve completely different purposes."
At first sight yes this seems to be the case. But I think DNSSEC goes further than what it claimed to do in the first instance. There is clearly an overlap in the sense that both provide assurances concerning ownership of a domain name. DNSSEC extends to providing a more complete PKI coverning applications in the sense that the difference between firstname.lastname@example.org and rich.example.com is one of syntax and not semantics.
Also As I understand this RFC4398
http://tools.ietf.org/html/rfc4398 "Storing Certificates in the Domain Name System (DNS)"
concerns using DNS for storing, authenticating and providing certificates for the purpose of applications other than DNS.
IP adress anyone?
Fast, effective, costless solution. Of course there's no money in it for the security guys, so they push DNSSEC instead... administered by the US gov. Yeah right. How long before half the internet is Arkansased? (China, Iran, "adult" sites, non-christian-values abiding domains, gambling sites, domains featuring "inapropriate" language, anyone who doesn't spy on users -or who does but doesn't give the info to the CIA, ...)
@ Hud Dunlap
"This is no difference than the International Standards which are located in France"
The speed of light is located in France?