Is the DNS' security protocol a waste of everyone's time and money?
Net experts argue over value of domain hijack protections
Internet security experts are arguing over whether a key protocol for protecting the internet's naming systems should be killed off.
DNSSEC was developed in 1994 but it wasn't taken seriously until 2008 when a bug in the domain name system's software made it possible for someone to imitate any server – from websites or email hosts – though "cache poisoning."
After a decade of DNSSEC use (and five since it was used to secure the internet's root), internet experts are now questioning whether we should bother with DNSSEC at all, especially given the difficulty and high cost of rolling it out.
In a blog post at the start of the year, Thomas Ptacek, founder of Matasano Security, laid into the protocol saying it was weak, unsafe, incomplete, unnecessary, expensive and "government controlled."
"There are better DNS security proposals circulating already," he argued. "They tend to start at the browser and work their way back to the roots. Support those proposals, and keep DNSSEC code off your servers."
Such has been the backlash to a protocol once held out as the "cornerstone of what security will be in future" that one of its biggest proponents, and the first to implement the protocol as well as offer DNSSEC services, Sweden's .se top-level domain has felt obliged to write a response this month arguing DNSSEC's value.
"We have received many questions concerning the article, so I feel it’s appropriate to respond to the criticism," wrote Anne-Marie Eklund-Löwinder, Head of Security at .SE. But even her strongest words of support comprised of the argument that "DNSSEC has the potential to be a good addition."
So what's going on and why?
DNSSEC is designed to ensure that the notoriously insecure domain name system can guarantee some level of authority, i.e. ensure that a server you are communicating with is what it claims to be.
The protocol was developed a long time ago but because of the technical complexity and cost of introducing it, it was largely ignored until researcher Dan Kaminsky found a dangerous bug that made it suddenly popular.
The problem, as Ptacek goes to some lengths to outline in his provocative article, is that DNSSEC only makes attacks a little harder to carry out. It doesn't solve the issue, and if security is achieved through, for example, digital certificates, not only would that be safer but it would make any DNSSEC additions worthless.
What's more, DNSSEC uses outdated crypto methods, and could provide a dangerous entry point for government snooping. The answer, Ptacek argues, is to just get rid of DNSSEC, and focus instead on better systems for security such as "key pinning" which pulls trust away from a central authority and leaves it with individual domain operators. "Central authorities can’t solve the Internet trust problem. Central authorities are the Internet trust problem," he argues.
In the light of the Snowden revelations of mass online surveillance by the NSA, including many well-resourced and determined efforts to undermine security efforts, Ptacek also raises concerns that DNSSEC could be used to carry out surveillance and interception of global internet traffic.
DNSSEC and a related effort to verify digital certificates through DNSSEC called DANE (DNS-based Authentication of Named Entities) could lead to people unwittingly handing over their data to any government that has authority over particular top-level domains.
Eklund-Löwinder dismisses that claim of government surveillance as "more a sudden case of paranoia than the results of a relevant and reasonable analysis," and seeks to outline the benefits of DNSSEC.
She argues instead that while DNSSEC does not stop security problems, it does make things a little harder and that is a good goal in itself.
Both Ptacek and Eklund-Löwinder agree on one thing: certificate authorities (CA) do not provide an adequate level of trust and security. "In recent years there have been many, very serious attacks on certificates and a number of large certificate authorities, " she writes. "Therefore, there is reason to think about how one can best solve the problems that exist. We are talking about traditional security. The damage control at the CAs that have been hit by successful attacks has been varied. Some of the affected certificate authorities also acted both slowly and inadequately when it comes to conveying information to its customers and the outside world. They have simply demonstrated a lacking crisis management."
Eklund-Löwinder sees the solution in using DNSSEC through the DANE program to verify certificates themselves have not been compromised. Ptacek is opposed to DANE and thinks that extra level of verification needs to come from the individual user and/or domain operator.
One thing Eklund-Löwinder also points out is that DNSSEC does not require additional code - which in itself only offers possible future security holes.
Ptacek notes however that DNSSEC is very far from perfect. There is a webpage that tracks DNSSEC failures and outages – and there are many examples.
So in which direction will the internet community go? Toward DNSSEC or away from it? It's too early to tell, but with every one of the 1,000+ new generic top-level domain names obliged to implement DNSSEC as part of their contract with domain overseer ICANN, it looks as though if there are significant problems with DNSSEC that they are going to get a very big public airing in the next few years. ®