Kaminsky interview: DNSSEC addresses cross-organizational trust and security

Network security researcher Dan Kaminsky has had a year to reflect on the impact of the cache poisoning vulnerability he discovered in the Domain Name System (DNS). Kaminsky revealed during last year's Black Hat Briefings a technique that made it relatively easy to exploit the bug and enable an attacker to redirect website requests to malicious sites. In the time since, Kaminsky has become an advocate for improving security in DNS, and ultimately, trust on the Internet. One way to do this is with the widespread use of DNSSEC (DNS Security Extensions), which essentially brings PKI to website requests. In this interview, Kaminsky talks about how the implementation of DNSSEC would enable greater security and trust on the Net and provide a platform for the development of new security products and services.

In the year since you went public with the DNS cache poisoning bug, what do you think the impact has been on awareness of DNS' security issues and the movement to deploy DNSSEC on a wide scale?
At the time I was amazed and overjoyed everyone came together to fix and address this problem. A year has done nothing to lessen my happiness that things turned out quite well. The real unifying theme culminating in the recent Obama discussion of cybersecurity is that these problems have to be taken so much more seriously, and the only way we're going to be able to dig ourselves out of the hole we're in is to ignore old boundaries, limitations and rules, and say we're all in this together; we're all struggling, and ignoring the problem doesn't make it go away.

DNSSEC is interesting not because it fixes DNS. DNSSEC is interesting because it allows us to start addressing core problems we have on the Internet in a systematic and scalable way. The reality is: Trust is not selling across organizational boundaries. We have lots and lots of systems that allow companies to authenticate their own people, manage and monitor their own people and interact with their own people. In a world where companies only deal with themselves, that's great. We don't live in that world and we haven't for many years.

How does DNSSEC help fix that?
One of the fascinating elements of the Verizon Data Breach Investigations Report is that if there was a hack, 40% of the time it was an implementation flaw, and 60% of the time it was an authentication flaw -- something happened with authentication credentials and everything blew up. At the end of the day, why do we use passwords? It's the only authentication technology that we have that even remotely works across organizational boundaries, and the only thing that scales today. Our existing ways of doing trust across organizational boundaries don't work. Passwords are failures; certificates that were supposed to replace passwords are not working -- period, end of discussion.

DNS has been doing cross-organizational address management for 25 years; it works great. DNS is the world's largest PKI without the 'K.' All DNSSEC does is add keys. It takes this system that scales wonderfully and has been a success for 25 years, and says our trust problems are cross-organizational, and takes the best technology on the Internet for cross-organizational operations and gives it trust. And if we do this right, we'll see every single company with new products and services around the fact that there's one trusted root, and one trusted delegating proven system doing security across organizational boundaries.

It's 2009 and we don't have secure email. When we get DNSSEC, we will be able to build secure email and secure technology up and down the stack and it will scale. How many people bought products that worked great in the lab for a few groups, and once they try to scale it out, oops it doesn't work and they have to shelve it. I'm tired of that happening, tired of systems engineered just enough to make the sale. I want to see systems scale larger than the customers they're sold to. That's the problem with everything being engineered to single-organization boundaries. We don't live in a single-organization universe; everything is potentially huge and boundaries are boring. The idealized corporation is dead. We need this one class of problem to go away.

Dan Kaminsky on DNS:

Video - Dan Kaminsky on DNS, Web attacks: Noted network security researcher Dan Kaminsky, director of penetration testing at IOActive, shares his research on DNS and Web-based attack techniques

How serious are the deployment and political barriers to DNSSEC?
The nice thing is that we have one fight and that one fight is the root, the DNS root. It's a single fight. Once that single fight is won, it's over. I think there's enough people who said, 'Look, if we had done the DNSSEC thing, Kaminsky's bug would not have mattered.' They're right. They're not wrong.

The groundwork is done for the root and very large top-level domains need to be signed. Once we get those signed, the market can take over and you're in a situation where a single action a company takes, and all of these products magically can work. You can say, 'As part of deploying this project, deploy DNSSEC on your name servers.' It's a requirement, a one-time thing, and the work amortizes across 100 other projects. That's the thing security hasn't really taken into account; there's not an infinite budget either in time or straight dollars for security. People will deploy insecure solutions if it's too expensive to deploy what is theoretically correct.

DNSSEC has no insignificant costs, but costs can amortize across products that will be policy, compliance and revenue sensitive for the organization. We can halve the number of authentication bugs out there, we can eliminate 30% of the hacks Verizon saw. That's huge. There's ROI right there. Right now, we don't have scalable ways to make authentication work cross-organizationally, therefore it costs money. If we fix this problem, money is saved. It's called a business model, it's a good thing.

People tend to be reactive, and there's a thinking that organizations won't invest in DNSSEC on a large scale unless there is a significant attack on DNS. Are you getting that sense?
I'm just going to keep banging the drum, but I don't think people fully realize DNSSEC is not interesting because of DNS. The lack of DNSSEC is why all these other protocols are broken. That 60% of attacks that happen because of poor authentication -- do you know why authentication was poor? Because it was too expensive to do anything better. DNSSEC will enable better authentication technologies; stuff we can't even dream about yet.

Look at how every technology that wants to do something cross-organizationally runs through DNS. Want to send an email cross-organizationally? Use DNS. Want to access another company's website? Use DNS. This is an enabling force. That's why I've changed positions on DNSSEC.

How important is it to have the .org and .gov domains signed with DNSSEC?
You need root signed. You need .com signed; bottom line. Right now, .org is more secure than .com, but that is not a situation that can remain true in the long term. [Signing] .com is huge; a major technology challenge to figure out how to sign it. The reality is, a few geeks aside, no one wants to manage the various hundreds of TLDs out there and keep keys, and do all sorts of custom work. DNS servers really run themselves. Look, you set up a name server, it just goes and goes some more, they're not actively managed things.

In order for DNSSEC to work, it has to be DNS. Let DNS be DNS. I need the ability to say, 'Hey Name server, got some roots, make sure they tell you what the keys are for your TLDs.' No admin sits there managing it; it doesn't scale. In terms of being able to use the technology, you need to have the root signed, so the cost to an admin to run a DNSSEC-enabled name server is no higher than a non-DNSSEC server. I'd hear it required all this work done as an administrator, and if I don't do the work, my name server goes down and my resolutions are going to die. I have no interest in that; come back when it's as easy to run a DNSSEC server as it is a DNS server.

Is it any consolation that at least people are talking about DNS security issues, unlike 18 months ago?
Before last year, it was something nobody took seriously. Afterward, a lot of people justifiably said: 'Hey we told you so. We told you if DNS goes bad, it would be a huge problem.' And remember, a lot of attacks that I said would be possible have been talked about for years and why DNSSEC got funded in the first place.

It's a new world now, the Internet is a huge part of how Western society does business. It's not just for geeks and it hasn't been for several years. It shouldn't be a surprise to see knowledge of the Internet's problems going to the highest levels.

There's a real need for cooperation and the real benefits of cooperation. In terms of sea changes, DNSSEC is something we are going to work hard to implement, but the cooperative attitude and results are what we have today, and it's truly amazing. Everyone should be aware this stuff does work well and does lead to the Internet getting a lot safer.
