DNS creator: It's time to add security

Summary: Paul Mockapetris has called on ISPs to boost Domain Name System security following the exposure of a fundamental flaw

The man who authored the Domain Name System architecture has called on internet service providers to secure it on their networks.

Following the publication of a fundamental flaw in the Domain Name System (DNS) by security researcher Dan Kaminsky, DNS inventor Paul Mockapetris told ZDNet.co.uk on Thursday that internet service providers (ISPs) should "take action" and "add more security to DNS".

Mockapetris said that, when he and his team created DNS in 1983, they had made a "fundamental error" in placing more emphasis on getting DNS off the ground than on building in security from the start. "Times have changed," said Mockapetris. "Originally security wasn't built in. It was a simpler time."

The DNS author said people had used transaction identifiers, which were not intended as a security mechanism, to protect against attack. Mockapetris added that Dan Kaminsky's DNS flaw was a variant of attacks that had been in existence for years.

"The attack was a new virulent strain of an old attack; it acts more quickly," said Mockapetris. "What Dan [Kaminsky] did was to attack more speedily. If people were more conscientious about cleaning their caches [the attack could be mitigated]."

Many vendors were using port randomisation to mitigate the effects of Kaminsky's flaw, according to Mockapetris. "Randomisation is still a probabilistic defence," he said. "A simple explanation is that it's like playing Russian roulette. We need to figure out a way of taking the bullet out of the gun."
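To put numbers on why Mockapetris calls randomisation a "probabilistic defence", the following added example (not from the article or any of the people quoted) models the chance that a forged reply is accepted when a resolver checks only the 16-bit transaction identifier, versus the transaction identifier plus a randomised source port. It assumes an idealised resolver whose accepted reply must match every randomised field, and it treats a randomised source port as contributing roughly 16 bits of entropy; both are simplifying assumptions.

```python
"""Model of a probabilistic defence: how much harder does port randomisation
make it for a forged reply to match a resolver's outstanding query?"""

import math


def match_probability(txid_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that a single forged reply matches all randomised fields.

    txid_bits: entropy of the transaction identifier (16 bits in DNS).
    port_bits: entropy added by source-port randomisation (0 when the
               resolver always uses a fixed port; ~16 is an assumption).
    """
    return 1.0 / (2 ** (txid_bits + port_bits))


def success_probability(per_reply: float, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` independent guesses matches."""
    return 1.0 - (1.0 - per_reply) ** forged_replies


def expected_guesses(per_reply: float) -> float:
    """Average number of forged replies needed before one matches."""
    return 1.0 / per_reply


def compare(forged_replies: int) -> dict:
    """Defender-side summary for a given volume of forged replies in one window."""
    fixed_port = match_probability(16, 0)      # transaction ID only
    random_port = match_probability(16, 16)    # transaction ID + randomised port
    return {
        "txid_only_success": success_probability(fixed_port, forged_replies),
        "txid_port_success": success_probability(random_port, forged_replies),
        "txid_only_expected": expected_guesses(fixed_port),
        "txid_port_expected": expected_guesses(random_port),
    }


if __name__ == "__main__":
    # Constructed figure: 65,536 forged replies arriving before the real answer.
    result = compare(65_536)
    for name, value in result.items():
        print(f"{name:>20}: {value:,.6g}")
    # Neither case is zero: randomisation only widens the space to guess,
    # which is the point of the Russian roulette comparison above.
    print("bits of entropy with port randomisation:",
          math.log2(expected_guesses(match_probability(16, 16))))
```

The result shows the defence is stronger by a factor of about 65,000 but never absolute, which is why the article's sources still point to DNSSEC as the structural fix.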

When Kaminsky's flaw was revealed last week, Cambridge University security expert Richard Clayton told ZDNet.co.uk that one way to "fix" the situation was for people to start using DNSSEC, the protocol that cryptographically signs DNS data, but that they would have to overcome both technological and political issues to make that solution work.

"Not everybody is ready for DNSSEC," said Clayton. "DNSSEC is signed with a cryptographic key, which is great. For example, .com gives the signing key for .co.uk. The question is: who establishes the chain of trust? The American government thinks it should, but the Chinese government disagrees."

Mockapetris agreed that DNSSEC was "not the easiest thing" to implement. "DNSSEC does provide security, but people haven't worked out the administration," he said.

Nominet, the UK registry responsible for eventually signing the root for DNSSEC for the .uk domain, told ZDNet.co.uk that it had the technology and was working towards a resolution to the political issues.

"On the political side, the key issue is signing the root," said Emily Taylor, Nominet's director of legal and policy. "You very quickly get into political territory. Frankly, this is about updating the root by the Internet Assigned Numbers Authority [IANA], and who should be responsible for creating and maintaining the root."

Taylor said that the implementation of DNSSEC would require the collaboration of multiple parties.

"Clearly this is a debate that needs to happen," said Taylor. "It would take agreement on signing the root, implementing the root, then registries would sign their own zones."

Tom Espiner
