Experts see DNSSEC deployments gaining traction

By Robert Westervelt, News Editor
10 Mar 2010 | SearchSecurity.com

It's been a long road for DNSSEC, but experts who are monitoring deployments of the DNS layer authentication technology across public and private top-level domains (TLDs) remain optimistic that it will gain traction later this year.

Domain Name System Security Extensions (DNSSEC) will help block nasty DNS cache poisoning attacks, which have targeted banks and individuals in recent years. A cybercriminal can use weaknesses in DNS to redirect domains, sending people to attack websites that serve up malware and drain bank accounts. But in interviews with SearchSecurity.com, experts said the trust gained through DNSSEC technology, which uses cryptographic keys and signatures to verify the origin and integrity of DNS data, could enable a whole new line of security services and products.

"We want security to work as reliably and invisibly as connectivity does and DNSSEC is the way to do that," said Dan Kaminsky, director of penetration testing services for Seattle, Wash.-based IO Active Inc. "I...


Tags: Network Protocols and SecurityGovernment IT Security ManagementVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Network Protocols and Security
ICANN announces DNSSEC deployment to root Internet servers
Black Hat: Researchers poke holes in HTTPS, SSL Web browser security
Black Hat 2010: Study tests SSL protocol use, finds SSL errors
Smart grid system protection: SCADA security will challenge Feds
Free port scan: How to use Angry IP scanner
VeriSign on DNSSEC support
VeriSign on DNSSEC support
Joining security information management systems with identity management systems boosts security
Can secure FTP services protect sensitive data from hackers?
Security architects fear savvy botnet attacks, IPv6 security issues

Government IT Security Management
Black Hat: Poor SCADA systems security 'like a ticking time bomb'
Smart grid security will require risk management
Armorize's Huang cancels Black Hat China talk
Smart grid system protection: SCADA security will challenge Feds
Perimeter defenses deemed ineffective against modern security threats
USB thumb drive security best practices spelled out by NIST
Attackers can take out critical infrastructure, but profit lies elsewhere, researcher says
Next Cyberstorm exercise to stress international cooperation on security
Making USB thumb drives secure enough for government work
Federal agencies scrambling on DNSSEC implementation
Government IT Security Management Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
5 terms you need to know before you employ VoIP  (SearchSecurity.com)
digest authentication  (SearchSecurity.com)
IGP  (SearchSecurity.com)
IP spoofing  (SearchSecurity.com)
Secure Sockets Layer  (SearchSecurity.com)
smurfing  (SearchSecurity.com)
Transport Layer Security  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


n a perfect world we could have strong security and strong authentication, not just between people in our own group, but between ourselves and people in other groups, companies and countries. That level of authentication is not able to be delivered today."

Many experts credit Kaminsky with helping provide the momentum needed to get DNSSEC supported by the organizations that administer the TLDs. A potentially dangerous DNS cache poisoning weakness he discovered in 2008 helped raise awareness of DNS weaknesses.

"If we had deployed DNSSEC many, many years ago this wouldn't necessarily had been as much of a problem as it was," Kaminsky said. "We have a comprehensive flaw in Internet security today where as soon as you need to figure out trust across organizational boundaries, everything grounds to a halt."

The fix for Kaminsky's bug added randomness beyond the 16-bit DNS transaction ID, a field size set in 1983, so that the odds of a forged cache poisoning response being accepted dropped from about one in 65,000 attempts to about one in 2 billion attempts. Kaminsky calls the fix a Band-Aid approach: as network traffic gets faster, it becomes easier for attackers to beat those odds, he said.

Once DNSSEC is in full use, Kaminsky said, users shouldn't notice that digital signatures and cryptographic keys are in use in the background. When a website is looked up, the resolver checks the DNS answer for a valid signature against the zone's published public key, verifying that the answer is authentic before accepting it.

The technology has had to overcome a lot of hurdles over the last decade. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization overseeing deployment across the root DNS zone, has ironed out many of the disagreements over how it would be deployed and how the signing keys would be administered. Over the next several months, DNSSEC is being deployed on the root zone, with the expectation that it will be fully validated by July. The firms that administer the top-level domains are also actively testing and rolling out DNSSEC. The federal government appears to be on track with the .gov domains, and VeriSign reports that it too is testing and upgrading its systems to handle the increased bandwidth that accompanies the technology. It said it was on target to have the .com and .net TLDs signed and verified by the first half of 2011.

"Once the root is signed there is potentially that one trust anchor, the root key, which needs to be configured and managed rather than having hundreds and thousands of keys," said DNS expert Scott Rose of the National Institute of Standards and Technology (NIST). "That is all you would need to start the DNS chain of authentication all the way down to the domain name that you were looking for."

Experts say that another sign that the technology is gaining traction is the news that the first large ISP, Comcast Corp., is testing and readying its domain name servers in anticipation of supporting DNSSEC once it is fully deployed across the TLDs. More ISPs should follow once the root zone is verified.

Experts learn from federal DNSSEC deployments
Rose is overseeing the Secure Naming Infrastructure Pilot program, a project that helps federal agencies test their deployments and correct any technical problems their network administrators encounter. DNSSEC has been a priority for many agencies since the federal government set a January 2009 deadline to have all outward-facing DNS zones fully DNSSEC-capable. The Federal Information Security Management Act (FISMA) has set a deadline for fully deployed DNSSEC in the federal government by September, Rose said.

So far there have been a number of technical errors and configuration issues, but Rose said deployments have been fairly smooth, and most technical issues can be resolved quickly. For example, validation failures occur when a network administrator changes the keys but forgets to clear the caches, he said.

Costs associated with deployments are also being reined in, he said. Some older domain servers must be replaced because they can't handle the increased bandwidth and the cryptographic algorithms DNSSEC adds to name resolution. Some firewalls will require configuration changes or software upgrades, Rose said. Other federal agencies are budgeting more for DNSSEC, using the deployment as an opportunity to modernize the entire network, he said.

Tools that address the configuration issues that can occur during a DNSSEC deployment are also getting better, according to Kaminsky. Some vendors are using the .gov deployment as a blueprint to develop tools and methods that automate the process, which will later be used in the private sector, Kaminsky said.

"We're seeing a steady push towards automation, ease of use and a reduction of the cost of deployment," Kaminsky said. "There are new products coming out every day that make this much more realistic to deploy for real world large scale networks."

Vendors see opportunity in enterprise upgrades
Although most experts say many companies shouldn't have to endure costly rip-and-replace projects, some large enterprises may be dusting off their old domain servers and finding a need for new equipment, said DNS expert Cricket Liu, vice president of architecture at Santa Clara, Calif.-based Infoblox Inc., a DNS appliance vendor. Liu said some organizations will want more visibility into their systems through a graphical user interface for monitoring and managing DNS changes, rather than a command-line interface.

"You don't want to have to demand a super high level of DNSSEC to administer a signed zone," Liu said. "The baseline tools that you get with the most common implementations like BIND and Microsoft DNS server are still command line based."

Many people don't administer name servers from the command line anymore, Liu said, and some large enterprises considering DNSSEC deployments could be overwhelmed by the complexity of the available tools. Ongoing administration of DNSSEC can also be an issue: every time a zone changes, or when its signatures expire, the zone must be re-signed, and zone keys have to be replaced periodically for security reasons.
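The validation chain Kaminsky and Rose describe earlier (a resolver checking each answer's signature, with the root key as the single configured trust anchor) and the two operational failure modes this article mentions (a key change without clearing resolver caches, and a zone change without re-signing) can be modelled end to end. The Go program below is an added example written for this page; it is not code from any of the vendors, agencies or experts quoted. It uses only the standard library, with ECDSA P-256 and SHA-256 (the curve and hash of DNSSEC algorithm 13) standing in for real DNSKEY, DS and RRSIG records, and it simplifies the protocol deliberately: there is no wire format, one key serves as both KSK and ZSK, the DS digest covers the raw key point rather than DNSKEY RDATA, and signatures are ASN.1-encoded rather than the raw r||s form RFC 6605 specifies. Zone names such as `agency.gov.` and the record `www.agency.gov.` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a constructed model of a signed zone (not wire format): one P-256 key is both KSK and ZSK.
type Zone struct {
	Name    string            // e.g. "agency.gov." (constructed name)
	Key     *ecdsa.PrivateKey // the zone's DNSKEY
	Records map[string]string // owner name -> RDATA
	Sigs    map[string][]byte // owner name -> RRSIG over that record
	DS      map[string][]byte // child zone name -> DS digest of the child's DNSKEY
}

func NewZone(name string) (*Zone, error) { // empty zone with a freshly generated DNSKEY
	z := &Zone{Name: name, Records: map[string]string{}, Sigs: map[string][]byte{}, DS: map[string][]byte{}}
	return z, z.RollKey()
}

// dsDigest models a DS record (digest type 2): SHA-256 over the lower-cased owner name and the raw P-256 point.
func dsDigest(owner string, pub *ecdsa.PublicKey) []byte {
	point := make([]byte, 64)
	pub.X.FillBytes(point[:32])
	pub.Y.FillBytes(point[32:])
	d := sha256.Sum256(append([]byte(strings.ToLower(owner)), point...))
	return d[:]
}

// recordDigest is the message an RRSIG covers here: canonical (lower-cased) owner name plus RDATA.
func recordDigest(owner, rdata string) []byte {
	d := sha256.Sum256([]byte(strings.ToLower(owner) + "\x00" + rdata))
	return d[:]
}

// SignAll (re)signs every record; it must run after any zone change or key roll, or RRSIGs stop verifying.
func (z *Zone) SignAll() error {
	for owner, rdata := range z.Records {
		sig, err := ecdsa.SignASN1(rand.Reader, z.Key, recordDigest(owner, rdata))
		if err != nil {
			return err
		}
		z.Sigs[owner] = sig
	}
	return nil
}

// RollKey installs a new DNSKEY and re-signs; the parent must republish DS and resolvers must drop the old key.
func (z *Zone) RollKey() error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	z.Key = key
	return z.SignAll()
}

// Delegate publishes in this zone the DS record for the child's current key.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = dsDigest(child.Name, &child.Key.PublicKey) }

// Validator is a caching validating resolver configured with a single trust anchor (the root DNSKEY).
type Validator struct {
	TrustAnchor *ecdsa.PublicKey
	KeyCache    map[string]*ecdsa.PublicKey // zone name -> DNSKEY learned earlier
}

func NewValidator(anchor *ecdsa.PublicKey) *Validator { return &Validator{TrustAnchor: anchor, KeyCache: map[string]*ecdsa.PublicKey{}} }

// FlushCache drops cached DNSKEYs, the step operators forget after a key roll.
func (v *Validator) FlushCache() { v.KeyCache = map[string]*ecdsa.PublicKey{} }

// Validate walks chain (root first, leaf last): every DNSKEY must match the trust anchor or the parent's
// DS, and the requested record's RRSIG must verify under the leaf zone's DNSKEY.
func (v *Validator) Validate(chain []*Zone, owner string) (string, error) {
	for i, z := range chain {
		pub, cached := v.KeyCache[z.Name]
		if !cached { // "query" the zone for its DNSKEY and remember it
			pub = &z.Key.PublicKey
			v.KeyCache[z.Name] = pub
		}
		if i == 0 && !pub.Equal(v.TrustAnchor) {
			return "", fmt.Errorf("%s: DNSKEY does not match the trust anchor", z.Name)
		}
		if i > 0 && string(chain[i-1].DS[z.Name]) != string(dsDigest(z.Name, pub)) {
			return "", fmt.Errorf("%s: DNSKEY does not match DS in %s (bogus)", z.Name, chain[i-1].Name)
		}
	}
	leaf := chain[len(chain)-1]
	rdata := leaf.Records[owner] // a missing record gives "" and a nil RRSIG, which fails below
	if !ecdsa.VerifyASN1(v.KeyCache[leaf.Name], recordDigest(owner, rdata), leaf.Sigs[owner]) {
		return "", fmt.Errorf("%s: RRSIG does not verify (bogus)", owner)
	}
	return rdata, nil
}
```

To exercise it, build a root zone, a `gov.` zone and an `agency.gov.` zone with `NewZone`, add a record to the leaf and call `SignAll`, publish delegations with `root.Delegate(gov)` and `gov.Delegate(agency)`, then create a validator with `NewValidator(&root.Key.PublicKey)` and call `Validate([]*Zone{root, gov, agency}, owner)`. Changing the leaf record without `SignAll` makes the answer bogus, matching Liu's point about re-signing; calling `agency.RollKey()` and `gov.Delegate(agency)` without `FlushCache` on the validator reproduces the failure Rose describes, because the resolver still holds the old DNSKEY and it no longer matches the parent's DS. Only after the cache is flushed does the chain validate again.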

Enterprises that outsource management of their authoritative name servers will likely have an easier time supporting the technology. Larger companies that run their own internal DNS infrastructure -- both recursive and authoritative DNS -- may need a team of experts to upgrade systems to support DNSSEC, Liu said. Infoblox is teaming up with Seattle-based F5 Networks Inc., an appliance vendor that provides load balancing features, to handle network upgrades at large enterprises. Other companies lining up to provide DNSSEC services include Afilias Ltd., Dynamic Network Services Inc., NeuStar, Inc., and Secure64 Software Corp.

Nathan Meyer, product manager at F5, said the benefit of upgrading systems during the deployment will be new systems that provide policy automation and key management. A mid-level enterprise, for example, has over 100 different zones, which makes managing them a fairly daunting task, Meyer said.

"The task of managing each zone individually with individual keys and maintaining all the roll over periods would be a very daunting task," Meyer said.


