The Register® — Biting the hand that feeds IT


Boffins: SOPA breaks DNSSEC, and won’t work anyway

Putting a man-in-the-middle into an end-to-end protocol is dumb


It isn’t actually news as such: the US Department of Energy’s Sandia National Laboratories has warned that the notorious Stop Online Piracy Act is a threat to the deployment of secure DNS – DNSSEC to its friends – but the conflict between DNS filtering and DNSSEC has been discussed for ages.

The problem is this: an end-to-end protocol is the simplest way to ensure that a browsing session isn’t hijacked along the way by a fake DNS record. Sandia’s letter is, in that sense, merely reiterating what’s already known.

DNSSEC provides just such an end-to-end protocol. In today’s insecure world, the ordinary end user has very little opportunity to verify that foo.bar really is 192.168.0.10 rather than 192.168.1.10* – which opens the way to DNS hijacking and makes DNSSEC necessary.

The secured version of DNS performs the same basic function as DNS: it’s still a distributed, queryable database that lets humans put http://www.theregister.co.uk/ into their browser bar and get directed to 92.52.96.89 to fetch the content. But it requires that the records used for that resolution be cryptographically signed with the zone’s key, and that each zone’s key be vouched for by its parent all the way up to the root, so that a validating resolver can check the answer it receives.

As this paper, cited by Sandia, puts it:

“When implemented end-to-end between authoritative nameservers and requesting applications, DNSSEC prevents man-in-the-middle attacks on DNS queries by allowing for provable authenticity of DNS records and provable inauthenticity of forged data. This secure authentication is critical for combatting the distribution of malware and other problematic Internet behavior.

“Authentication flaws, including in the DNS, expose personal information, credit card data, e-mails, documents, stock data, and other sensitive information, and represent one of the primary techniques by which hackers break into and harm American assets.”

The paper was published in May 2011, in response to a different piece of mandated DNS poisoning stupidity, and is entitled Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill.

“By mandating redirection, PROTECT IP would require and legitimize the very behavior DNSSEC is designed to detect and suppress,” the paper states. “[A] DNSSEC-enabled browser or other application cannot accept an unsigned response; doing so would defeat the purpose of secure DNS. Consistent with DNSSEC, the nameserver charged with retrieving responses to a user’s DNSSEC queries cannot sign any alternate response in any manner that would enable it to validate a query.”

(It’s worth noting that this latter statement only holds in a world that has completely adopted DNSSEC. As Sandia points out, the majority of zones are still unsigned, and for a zone whose parent publishes no DS record a validating resolver has no chain of trust to check, so it must accept an unsigned response as-is – a redirected one included.)

In other words, the fools, er, sockpuppets, er, legislators proposing SOPA’s DNS-interference mechanism have done so when the impact of their thought-bubble was already known.

Moreover, as Australian Internet luminary Geoff Huston pointed out to The Register, DNSSEC is designed so that a fake record – for example, a US court ordering that infringing-site.com resolve to an address other than the one in the authoritative zone – is detectable.

“The NXDOMAIN response is a visible fake response in a DNSSEC world. And if you chose to block by non-response, then the DNSSEC NSEC records will again show that this is a lie,” he told us in an e-mail.
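As an added illustration (this is not code from the article, from Sandia’s letter or from Huston’s note), the following Go program models what a validating resolver does with the responses discussed above: an honest signed answer, an honest NXDOMAIN, a court-ordered redirect, a bare NXDOMAIN, an NXDOMAIN backed by a genuine NSEC record lifted from elsewhere in the zone, and the same redirect for a zone whose parent publishes no DS record (the Sandia caveat). The zone, its names and its addresses are constructed for the example; Ed25519 stands in for whichever DNSSEC algorithm a real zone uses, and the canonical form and name ordering are simplified stand-ins for RFC 4034’s.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Status is the validator's verdict, in the RFC 4035 vocabulary.
type Status string
const Secure, Insecure, Bogus Status = "secure", "insecure", "bogus"

// RRset is a toy record set; Answer is a resolver's reply: an RRset and its RRSIG, or an NSEC and its RRSIG for NXDOMAIN.
type (
	RRset  struct{ Name, Type string; Data []string }
	Answer struct{ RR, NSEC *RRset; RRSig, NSECSig []byte }
)

// Zone is a toy signed authoritative zone keyed by lower-case owner name.
type Zone struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Names map[string][]string // owner name -> A records
}

// canonical stands in for the RFC 4034 canonical RRset form that an RRSIG covers.
func canonical(rr RRset) []byte {
	return []byte(rr.Name + "|" + rr.Type + "|" + strings.Join(rr.Data, ","))
}

func (z *Zone) sign(rr RRset) []byte { return ed25519.Sign(z.priv, canonical(rr)) }

// Resolve is the honest server: a signed A RRset when the name exists, else a signed NSEC
// spanning the gap where it would sort (byte order here; RFC 4034 orders label by label).
func (z *Zone) Resolve(name string) Answer {
	if a, ok := z.Names[name]; ok {
		rr := RRset{name, "A", a}
		return Answer{RR: &rr, RRSig: z.sign(rr)}
	}
	var names []string
	for n := range z.Names {
		names = append(names, n)
	}
	sort.Strings(names)
	i, n := sort.SearchStrings(names, name), len(names) // first name after the query
	nsec := RRset{names[(i+n-1)%n], "NSEC", []string{names[i%n]}} // wraps at the apex
	return Answer{NSEC: &nsec, NSECSig: z.sign(nsec)}
}

// covers: does the NSEC prev..next deny name? The interval is open at both ends
// (so a name that really exists is never covered) and the last one wraps to the apex.
func covers(prev, next, name string) bool {
	return (prev < name && name < next) || (next <= prev && (prev < name || name < next))
}

// Validate is the DNSSEC-aware client. pub is the zone key a real validator establishes via
// the DS/DNSKEY chain from the root; nil models a zone whose parent publishes no DS (most of 2011's DNS).
func Validate(name string, a Answer, pub ed25519.PublicKey) Status {
	switch {
	case pub == nil:
		return Insecure // no chain of trust: an unsigned answer is accepted as-is
	case a.RR != nil && a.RR.Name == name && ed25519.Verify(pub, canonical(*a.RR), a.RRSig):
		return Secure
	case a.RR != nil:
		return Bogus // substituted RDATA: the RRSIG no longer matches
	case a.NSEC == nil || !ed25519.Verify(pub, canonical(*a.NSEC), a.NSECSig):
		return Bogus // NXDOMAIN with no valid denial proof
	case !covers(a.NSEC.Name, a.NSEC.Data[0], name):
		return Bogus // a genuine NSEC, but it does not cover this name
	}
	return Secure
}

// Scenarios replays the article's cases against a constructed zone. Names and
// addresses are made up; 192.0.2/24 and 203.0.113/24 are documentation ranges.
func Scenarios() map[string]Status {
	const target = "infringing-site.example."
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{pub, priv, map[string][]string{
		"example.": {"192.0.2.1"}, target: {"192.0.2.10"}, "www.example.": {"192.0.2.80"}}}
	out := map[string]Status{}
	honest := z.Resolve(target)
	out["honest answer"] = Validate(target, honest, z.Pub)
	out["honest NXDOMAIN"] = Validate("nonexistent.example.", z.Resolve("nonexistent.example."), z.Pub)
	// Court-ordered redirect: an in-path resolver swaps in its block-page address.
	redirect := honest
	redirect.RR = &RRset{target, "A", []string{"203.0.113.1"}}
	out["redirected A record"] = Validate(target, redirect, z.Pub)
	// Blocking by non-response: NXDOMAIN with no proof at all, or with a genuine NSEC from elsewhere in the zone.
	out["bare NXDOMAIN"] = Validate(target, Answer{}, z.Pub)
	out["NXDOMAIN with borrowed NSEC"] = Validate(target, z.Resolve("nonexistent.example."), z.Pub)
	// The same redirect where the parent has no DS: nothing to verify, so it goes through.
	out["redirect, unsigned zone"] = Validate(target, Answer{RR: redirect.RR}, nil)
	return out
}

func main() { fmt.Println(Scenarios()) }
```

The point of the borrowed-NSEC case is Huston’s: NSEC intervals are open, so the only NSEC records a filtering resolver can obtain are signed ones that, by construction, never cover a name that exists, and the validator rejects the forged denial just as it rejects the substituted address. Only the unsigned-zone case slips through, which is the Sandia caveat above.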

Even worse, Huston said, legislation like SOPA could encourage the formation of “darknet” alternative DNSs.

“This will not switch off the content, but will provide impetus for the formation of ‘alternate’ DNS worlds which include the blocked domain names,” he wrote.

“To what extent these alternative worlds will then be populated by ‘fake’ banks, ‘fake’ governments and all other kinds of attempts at trickery is an open question, but it is unlikely that the darker alternate DNS world will be any better than what we have today. So in effect, they argue, these attempts to suppress bad content through mucking around with the DNS encourages other forms of mucking around with the DNS, and that’s not a good thing.”

Nor will the measures proposed in SOPA actually block the content, since users will still be able to locate the “banned” resource directly using the IP address, by running a local resolver, using a foreign resolver, or by editing their hosts file.

As Sandia states, “Even non-technical users could learn to bypass filtering provisions.” ®

*Yes, I know 192.168.nnn.nnn is reserved. It’s an example. ®


Anonymous Coward

Idiots, the lot of them

Politicians, that is


192.168.nnn.nnn

I'd like to acknowledge the small victory achieved by the pedants for today's footnote...

Anonymous Coward

er, no.

if you sign a zone, *you* have its dnssec keys, not verisign. the only action your parent zone can take - verisign in the case of .com or .net - is delete your delegation or the info that says it's signed. which they could do anyway. this would not be undetectable. in fact it would be glaringly obvious. people usually notice when names in the dns fail to resolve.

as for "the one key to rule them all", you've got that utterly wrong too.

the only thing the parent zone could do would be to remove the child's delegation or delete the info that says the delegation is signed. that could not go unnoticed. if the root tried to do that to a tld, it would be very, very far from undetectable. it would also create an almighty shit-storm because it would destabilise the security and stability of the internet, interfere in matters of national sovereignty, force a united nations organisation to "take control" of the root, etc, etc.

you clearly don't understand how the root zone is signed either. no single entity has access to the root zone's key signing key: the one key that really does rule them all. the system and processes were intentionally designed that way. access to this key requires a group of trusted community representatives to gather in one place so that the key can be assembled. [the details are more complicated than that and would take too long to explain here.] the upshot of this is iana or icann would need these trusted community representatives to co-operate with any court orders.

the names and nationalities of these representatives are published. the majority of them are not american citizens.

i think you need to get yourself a new tin-foil hat 'cos the one you're wearing is obviously defective.

