Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Secure DNS? Not Just Yet


the promise
By using cryptographic signatures that can be validated by others, DNSSEC ensures that hostname address lookups are legitimate, authorized responses.
the players
The IETF developed the DNSSEC standards; the Internet Systems Consortium, the developers of BIND and Microsoft, make up the lion's share of DNS servers in use today; NIST and the DoD are promoting DNSSEC guidelines. Also on board are top-level domain operators like VeriSign for .com and .net; the Internet Infrastructure Foundation, which runs the .se domain; the TLD for Sweden; and nic.pr, which manages Puerto Rico's .pr TLD.

the prospects
Lack of support and no clear driver will hamper deployment schedules. Many point to the U.S. government's Federal Information Security Management Act of 2002 (FISMA) as a leading requirement, however, FISMA applies only to some government agencies and doesn't require the use of DNSSEC.

The domain name system, or DNS, is a distributed database used to resolve host names to IP addresses (and vice versa) and to locate other information sources, like mail servers. It's a highly resilient architecture, and its distributed nature means that portions of the database, or zones, can be managed independently while still presenting a cohesive naming service.

Question is, when you type in a host name, like www.yahoo.com, how do you know the IP address in the response really points to one of Yahoo's servers, and not a rogue?

Answer: You don't. And this is not just theoretical stuff. As we discuss in The Fragility of DNS, in the past year, Symantec's DeepSight system reported 25 vulnerabilities on various DNS servers and resolvers. In fact, there are a number of ways that DNS can be subverted to provide bogus information. An attacker could gain access to the DNS server and change records, or use one of the many publicly available tools to forge a response. He could insert bogus information into a DNS cache, as we've seen with numerous worms and Trojans, or add false information to your computer's hostname table. Many of these attacks are difficult to pull off, and they're often short-lived and relatively easy to detect and correct—for instance, when users start complaining about not being able to access Web sites. Still, while they last, damage can be done.

InformationWeek Reports

  • 1