
DNS creator: It's time to add security

Paul Mockapetris has called on ISPs to boost Domain Name System security following the exposure of a fundamental flaw
Written by Tom Espiner, Contributor

The man who authored the Domain Name System architecture has called on internet service providers to secure it on their networks.

Following the publication of a fundamental flaw in the Domain Name System (DNS) by security researcher Dan Kaminsky, DNS inventor Paul Mockapetris told ZDNet.co.uk on Thursday that internet service providers (ISPs) should "take action" and "add more security to DNS".

Mockapetris said that, when he and his team created DNS in 1983, they had made a "fundamental error" in placing more emphasis on getting DNS off the ground than on building in security from the start. "Times have changed," said Mockapetris. "Originally security wasn't built in. It was a simpler time."

The DNS author said people had used transaction identifiers, which were not intended as a security mechanism, to protect against attack. Mockapetris added that Dan Kaminsky's DNS flaw was a variant of attacks that had been in existence for years.

"The attack was a new virulent strain of an old attack; it acts more quickly," said Mockapetris. "What Dan [Kaminsky] did was to attack more speedily. If people were more conscientious about cleaning their caches [the attack could be mitigated]."

Many vendors were using port randomisation to mitigate the effects of Kaminsky's flaw, according to Mockapetris. "Randomisation is still a probabilistic defence," he said. "A simple explanation is that it's like playing Russian roulette. We need to figure out a way of taking the bullet out of the gun."
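To make Mockapetris's "probabilistic defence" point concrete, here is an added example (not code from the article or from any vendor) that models the two things a resolver relies on before DNSSEC: the acceptance check that matches an incoming answer against the outstanding query, and the odds that a batch of off-path guesses lands inside the window before the genuine answer arrives. The port range (1024..65535) and the figure of 100 forged answers per window are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Size of the 16-bit DNS transaction ID space.
const TxidSpace = 1 << 16

// Number of source ports a resolver can pick from when it randomises them.
// Assumption for this example: ephemeral ports 1024..65535.
const PortSpace = 65536 - 1024

// PendingQuery is what a resolver remembers about a question it has sent. An
// answer is accepted only if it matches all of these fields; the TXID and the
// source port are the two values an off-path answer would have to guess.
type PendingQuery struct {
	TXID    uint16
	SrcPort uint16
	QName   string
}

// ResponseMatches is the acceptance check a resolver applies to an incoming
// answer. Matching on the question name as well as TXID and port is a cheap
// sanity check; it does not turn the TXID into a real authenticator, which is
// the "transaction identifiers were never a security mechanism" point.
func ResponseMatches(p PendingQuery, txid, dstPort uint16, qname string) bool {
	return p.TXID == txid && p.SrcPort == dstPort &&
		strings.EqualFold(strings.TrimSuffix(p.QName, "."), strings.TrimSuffix(qname, "."))
}

// PerRaceSuccess is the probability that `guesses` distinct forged answers,
// all arriving before the genuine one, include the (TXID, port) pair the
// resolver is waiting for. With only the TXID random the space is TxidSpace;
// with port randomisation it is TxidSpace*PortSpace.
func PerRaceSuccess(guesses, space float64) float64 {
	if guesses >= space {
		return 1
	}
	return guesses / space
}

// SuccessWithinRaces is the probability of at least one hit after `races`
// independent query windows. Every new query opens a fresh window, so the
// races repeat quickly; randomisation only lowers the per-window odds.
func SuccessWithinRaces(guesses, space float64, races int) float64 {
	return 1 - math.Pow(1-PerRaceSuccess(guesses, space), float64(races))
}

// ExpectedRaces is the mean number of windows until the first hit.
func ExpectedRaces(guesses, space float64) float64 {
	return 1 / PerRaceSuccess(guesses, space)
}

func main() {
	const guesses = 100 // forged answers that fit in one window (constructed figure)
	for _, c := range []struct {
		name  string
		space float64
	}{
		{"TXID only", TxidSpace},
		{"TXID + source port", TxidSpace * PortSpace},
	} {
		fmt.Printf("%-20s p(one window)=%.2e  p(1000 windows)=%.4f  expected windows=%.0f\n",
			c.name, PerRaceSuccess(guesses, c.space),
			SuccessWithinRaces(guesses, c.space, 1000), ExpectedRaces(guesses, c.space))
	}
	q := PendingQuery{TXID: 0x1a2b, SrcPort: 40123, QName: "example.co.uk."} // constructed
	fmt.Println("genuine answer accepted:", ResponseMatches(q, 0x1a2b, 40123, "EXAMPLE.co.uk"))
	fmt.Println("answer on wrong port:   ", ResponseMatches(q, 0x1a2b, 53, "example.co.uk."))
}
```

The numbers show why randomisation is Russian roulette rather than a fix: with the TXID alone, 100 guesses per window give about a 78% chance of a hit inside 1,000 windows; adding source-port randomisation multiplies the space by roughly 64,000, so the same effort needs tens of millions of windows on average, but the per-window probability never reaches zero. Only a signature over the data itself, which is what DNSSEC adds, "takes the bullet out of the gun".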

When Kaminsky's flaw was revealed last week, Cambridge University security expert Richard Clayton told ZDNet.co.uk that one way to "fix" the situation was for people to start using DNSSEC, which cryptographically signs DNS data, but that they would have to overcome both technological and political issues to make that solution work.

"Not everybody is ready for DNSSEC," said Clayton. "DNSSEC is signed with a cryptographic key, which is great. For example, .com gives the signing key for .co.uk. The question is: who establishes the chain of trust? The American government thinks it should, but the Chinese government disagrees."

Mockapetris agreed that DNSSEC was "not the easiest thing" to implement. "DNSSEC does provide security, but people haven't worked out the administration," he said.

Nominet, the UK registry that would eventually be responsible for signing the .uk zone under DNSSEC, told ZDNet.co.uk that it had the technology and was working towards a resolution of the political issues.

"On the political side, the key issue is signing the root," said Emily Taylor, Nominet's director of legal and policy. "You very quickly get into political territory. Frankly, this is about updating the root by the Internet Assigned Numbers Authority [IANA], and who should be responsible for creating and maintaining the root."

Taylor said that the implementation of DNSSEC would require the collaboration of multiple parties.

"Clearly this is a debate that needs to happen," said Taylor. "It would take agreement on signing the root, implementing the root, then registries would sign their own zones."
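The chain of trust that Clayton and Taylor describe (a signed root, each registry signing its own zone, each parent vouching for its child's key) can be modelled in a few dozen lines. The following is an added example, not code from Nominet or from any DNSSEC implementation: it is a deliberately simplified model that uses Ed25519 keys and SHA-256 digests in place of real DNSKEY/DS/RRSIG records, with one key per zone and freshly generated keys. The zone names and the record being validated are constructed for the illustration. What it shows is the point behind the politics: validation can only start from a trust anchor for the root, and a zone cannot vouch for its own key, so without the root and the parent registries signing, nothing below them can be verified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone models one signed zone in a DNSSEC-style chain: its own key pair, the DS
// digests it publishes for the children it has vouched for, and its signature
// over each of those DS records. Keys are generated fresh here; nothing is real.
type Zone struct {
	Name  string
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	ds    map[string][]byte // child zone name -> SHA-256 of the child's public key
	dsSig map[string][]byte // child zone name -> this zone's signature over that DS record
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, ds: map[string][]byte{}, dsSig: map[string][]byte{}}
}

func (z *Zone) PublicKey() ed25519.PublicKey { return z.pub }

// dsRecord is the canonical byte string that gets signed for a delegation.
func dsRecord(child string, digest []byte) []byte {
	return []byte(fmt.Sprintf("%s DS %x", child, digest))
}

// Delegate is the parent vouching for the child's key: it publishes the DS
// digest and signs it with its own key. This is the step that needs the
// registry above you to cooperate; a zone cannot do it for itself.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.pub)
	z.ds[child.Name] = d[:]
	z.dsSig[child.Name] = ed25519.Sign(z.priv, dsRecord(child.Name, d[:]))
}

// Sign signs one resource record (as text) with the zone's key.
func (z *Zone) Sign(rr string) []byte { return ed25519.Sign(z.priv, []byte(rr)) }

// Validate walks chain[0] (the root) down to the zone that owns rr, accepting
// each zone's key only if the already-trusted parent published and signed a
// matching DS, then checks rr's signature with the owner's key. The walk can
// only start from a trust anchor for the root: without one the whole chain is
// unverifiable, which is why "who signs the root" matters.
func Validate(anchor ed25519.PublicKey, chain []*Zone, rr string, sig []byte) error {
	if anchor == nil {
		return errors.New("no trust anchor for the root: nothing below it can be validated")
	}
	if len(chain) == 0 || !anchor.Equal(chain[0].pub) {
		return errors.New("root key does not match the configured trust anchor")
	}
	trusted := anchor
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		d, ok := parent.ds[child.Name]
		if !ok {
			return fmt.Errorf("%s publishes no DS for %s: unsigned delegation", parent.Name, child.Name)
		}
		if !ed25519.Verify(trusted, dsRecord(child.Name, d), parent.dsSig[child.Name]) {
			return fmt.Errorf("DS for %s in %s fails signature check", child.Name, parent.Name)
		}
		if got := sha256.Sum256(child.pub); !bytes.Equal(got[:], d) {
			return fmt.Errorf("key of %s does not match the DS published by %s", child.Name, parent.Name)
		}
		trusted = child.pub
	}
	if !ed25519.Verify(trusted, []byte(rr), sig) {
		return fmt.Errorf("record %q fails signature check", rr)
	}
	return nil
}

// BuildChain constructs root -> uk. -> co.uk., each parent vouching for its child.
func BuildChain() []*Zone {
	root, uk, couk := NewZone("."), NewZone("uk."), NewZone("co.uk.")
	root.Delegate(uk)
	uk.Delegate(couk)
	return []*Zone{root, uk, couk}
}

func main() {
	chain := BuildChain()
	owner := chain[len(chain)-1]
	rr := "example.co.uk. A 192.0.2.1" // constructed record
	sig := owner.Sign(rr)
	fmt.Println("signed root, full chain:  ", Validate(chain[0].PublicKey(), chain, rr, sig))
	fmt.Println("no root trust anchor:     ", Validate(nil, chain, rr, sig))
	fmt.Println("record altered in transit:", Validate(chain[0].PublicKey(), chain, rr+" (altered)", sig))
	stranger := NewZone("co.uk.") // a key for co.uk. that uk. never vouched for
	fmt.Println("key without parent DS:    ",
		Validate(chain[0].PublicKey(), []*Zone{chain[0], chain[1], stranger}, rr, stranger.Sign(rr)))
}
```

The four runs in `main` map onto the article's sequence of steps: only the first (root anchor configured, root signs uk., uk. signs co.uk.) validates; removing the anchor fails before any signature is even checked, an altered record fails at the final step, and a zone key that the parent registry has not vouched for fails at the DS comparison. Real DNSSEC separates key-signing and zone-signing keys and carries all of this in DNSKEY, DS and RRSIG records, but the trust relationship is the one modelled here.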
