Feeds

Will DNSSEC kill your internet?

5 May will sort the men from the boys

Remote control for virtualized desktops

Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol.

While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.

Why? Here comes the science bit. Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes.

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger that 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, said his biggest fear is for large enterprises with sprawling networks.

“There are a lot of firewalls and other middleware boxes out there that make the assumption that there are only small UDP packets,” he said. “Several times a month we receive reports of problems like this.”

Sometimes these devices will failover to TCP, which drains bandwidth and hardware resources because it uses handshaking to set up connections.

Mitchell said he's also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they're trying to find a non-existent website. In China, ISPs use the same method to censor websites.

“They're doing a lot of fiddling along the way and it's by no means clear to me that the fiddling is aware of DNSSEC,” he said.

The solution to the problem is Extension Mechanisms for DNS, EDNS0, a decade-old IETF standard that is not yet universally implemented. Mitchell said ISPs and enterprises need to ensure that their gear can handle EDNS0 to avoid problems with the transition.

You can test whether your current DNS resolver is capable of handling DNSSEC, by following the instructions at DNS-OARC or running a Java app that can be downloaded from RIPE.

Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet... cross fingers. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.