Failing to secure DNS is 'savage ignorance': Geoff Huston

Geoff Huston is the chief scientist at the Asia-Pacific Network Information Centre (APNIC). He's got a message for organisations that haven't secured their domains with DNSSEC, the cryptographically secured version of the domain name system (DNS) protocol.

"I think it's pathetic," Huston said.

"I find it really strange that these folk have invested time, money, and attention in their web presence, and kind of go: 'Ah the DNS, that's just rubbish.' It's not. DNS is everything."

Huston was speaking on Tuesday at the Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT), held in conjunction with the APNIC conference in Ho Chi Minh City, Vietnam.

He's got a point.

Not only has the DNS become the standard but lazy way to serve out domain-related information for other purposes and protocols, DNSSEC is now relatively easy to implement.

"These days, if you have a problem, DNS will solve it. It doesn't matter what your problem is, the DNS is magic," Huston said.

DNS magic is being deployed for everything from the SPF and DKIM records used to help prevent spam, to the records used by Google and others to demonstrate that systems administrators are legitimately in control of the domains they're trying to affect.

"So we kind of need the DNS to be authentic, complete, and current. It must not lie," Huston said.

"You might be asking the DNS: 'Is that certificate about Commonwealth Bank from Symantec real or not?' That's a really good question to ask the DNS, and it'd be good if you could trust the answer."

DNSSEC is designed to address that problem. Domain owners use cryptographic keys to sign their DNS records as authentic, and the zone operators further up the food chain authenticate those keys with their own key-signing keys.

"Think about it like blockchain, because it's sexy to say the word 'blockchain'," Huston said.

"In some ways it is a lot like blockchain, but it doesn't rely on the wisdom, or stupidity, of crowds. This is a security system that is anchored. There is one point that everybody trusts, and it's not a crowd, it's the key-signing key of root [the topmost level of the DNS]."

Implementing DNSSEC hasn't always been easy, but that's changing, according to Cricket Liu, chief DNS architect at Infoblox and author of the standard textbook "DNS and BIND" and others.

"It is very difficult to understand in total how the whole system is supposed to work. Signing, the validation, all of the new administrative processes that it introduces. It's been a big barrier to its widespread adoption," Liu told ZDNet at the RSA Conference in San Francisco last month.

In the fourth edition of "DNS and BIND", it was a 12-step command-line process to generate and sign DNSSEC keys, some 25 pages of material.

Now, in DNS management tools from Infoblox and other vendors, it's point-and-click.

Huston said that these days there's no excuse not to use DNSSEC with signed, interlocking keys -- and he harangued APRICOT attendees on this point.

"It's important that the real message is coming through the DNS. Sign the bloody stuff. It's not hard. There are kits around to do it in an afternoon in terms of understanding the process, and then it just works," he said.

"You know I kind of wonder, when folk invest millions of dollars in their web presence, all this marketing, all this effort, and they invest bugger all in their DNS. They don't even care that someone is able to intercept and manipulate and play with you. Is this savage ignorance? I guess so."

Disclosure: Stilgherrian travelled to Ho Chi Minh City as a guest of APNIC, and to San Francisco as a guest of RSA Security LLC.