(Page 2 of 2)
DNSSEC is about creating a "chain of trust," adds Ram Mohan, CTO of Afilias, which has been working to help the Public Interest Registry handle its deployment. There are many places where DNSSEC must be switched on in order for the chain of trust to flow unbroken from the user to a website. Once a top-level domain (such as .org or .com) implements DNSSEC, any website under that domain can choose to turn on DNSSEC as well, which is an important link in the chain. Since Internet service providers such as Comcast have started supporting DNSSEC, Mohan says, it's becoming possible for some website visits to fall largely under the protection of DNSSEC.
Paul Vixie, president of the Internet Systems Consortium, which maintains BIND, the software most commonly used to process DNS messages, expects the move toward DNSSEC to snowball. "With .gov and .org signed, there's finally a market for DNSSEC technology and services," he says. "Now that some others are implementing DNSSEC, many others will want to be in the business of providing DNSSEC solutions, and that will in turn make it possible for a lot of fence-sitters to finally climb down and join us."
Kaminsky himself was initially neutral on DNSSEC as a possible solution to the flaw that he discovered with DNS. He now sees DNSSEC as a good solution, but cautions that work still needs to be done to help it scale up. Most important, he says: other root domains, which are at the core of all DNS transactions, need to use DNSSEC. Although DNS was never designed to be at the heart of authentication on the Internet, "it is, and it's time we start treating it that way," Kaminsky adds.
Mohan says that he's hopeful that more domains will implement DNSSEC soon. "It's about damn time that DNS got more secure," he says. "The integrity of DNS traffic is starting to be questioned with the advent of phishing and botnets and stuff like that. Here is a concrete thing that can be done that is proven to eliminate a clear problem."
Secure Internet-address-lookup technology readied for .net and .com domains.
A Web browser loophole could make it easier for crooks to scam the unwary.
In the first Austin Powers movie, there's a great line describing Frau Farbissna as "the founder of the militant wing of the Salvation Army." The centerpiece of that joke was that the Salvation Army was designed to serve peace, not war or aggression - hence the irony in terms. Similarly, DNSSEC is part of the larger proposition called "Internet security" which is basically an attempt to bolt on something safe to something that was established as a system w/o security or borders.
While DNSSEC improves the current model, it's still part of what many experts call "security theatre" because it's paraded around as the big cure for of online security when it's really only a small piece of a very complicated puzzle. Many studies show that users don't check for a lock, let alone inspect the details of a certificate. So really, does DNSSEC really add significant change for the average user? Given the pervasiveness of malware, I don't see much reason to worry about the integrity of websites - I've got a much bigger challenge keeping my own computer safe.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
dtutelman
117 Comments
More trusting times
"The key to the DNS flaw discovered last year is that the protocol was designed during a more trusting time and does not bother to authenticate information."
Most of the protocols underlying the Internet were designed in more trusting times. They are based on ARPAnet, which was conceived in 1969, and many of the principal protocols were operational by the mid-1970s. (IP, TCP, DNS, ICMP, SMTP, FTP, etc)
While ARPA was a defense agency, the network was designed with almost no concern for security. ARPAnet was intended to be a closed community, a collection of academic and think-tank defense contractors. It was years before the traffic and the interconnectivity with other networks became sufficient to challenge the original concept and exploit its weaknesses.
And, in surprisingly large part, the flaws remain. A few reasons:
(1) The net is big enough that it takes great effort to change any well-entrenched protocol.
(2) As far as security is concerned, it can be enforced end-to-end at the application level. (This works for security, but not very well for traffic.)
That's how we got where we are today.
DaveT
Reply