Notify: The Latest in DNS News

September 2008

In the past three months the topic of DNS security has been more in the news than in the entire previous three years. For this reason, we thought it would be appropriate to devote this newsletter to what is happening to improve DNS security around the world. Enjoy.

The Kaminsky Vulnerability: What Have We Learned?

It has been only a few months since Dan Kaminsky alerted the world to a fundamental security problem in the DNS and triggered one of the largest worldwide patching efforts in history. Since then, Dan has shared the details and implications of the attack at the Black Hat conference in early August.

So what did we learn from Dan’s presentation? Here are several key takeaways from Dan’s talk and his subsequent communications on the subject.

Compromising the DNS is a big deal. Not only do our email communications and web site visits depend on a trustworthy DNS, but the very technologies that we use to secure these communications, like SSL and VPN, also fundamentally depend on the DNS. Compromise the DNS and you compromise everything.

The patch is a temporary fix. Randomizing the source port only makes it more difficult for an attacker to succeed with a cache poisoning attack; it does not prevent one, and attackers will get smarter over time. In fact, only a few days after Dan presented the details of his attack at the Black Hat conference, a Russian physicist had already demonstrated a successful cache poisoning attack against a patched DNS server.

DNSSEC is the permanent fix to this problem. DNS experts including Paul Vixie, Paul Mockapetris, Cricket Liu and Olaf Kolkman have all stated that the only permanent solution to the cache poisoning problem is to deploy DNSSEC. DNSSEC guarantees the authenticity of query responses, allowing recursive name servers to know with certainty if they have the correct response or not. This certainty completely eliminates the threat of cache poisoning attacks, both now and in the future.
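To put the "temporary fix" point in numbers, here is an added example (not from the newsletter, Dan Kaminsky, or Secure64): it estimates how much blind guessing a forger faces with and without source port randomization, and gives a resolver operator a quick check that observed outgoing queries really do vary their source port. The port/TXID pairs below are constructed sample data.

```python
import math
from collections import Counter

# Constructed sample data: (source_port, txid) pairs of eight outgoing
# queries captured from two recursive resolvers. Pre-patch resolvers sent
# every query from one fixed port, so only the 16-bit transaction ID stood
# between an off-path forger and the cache.
UNPATCHED = [(53, 0x1A2B), (53, 0x9C3D), (53, 0x44F0), (53, 0x0B77),
             (53, 0xE102), (53, 0x7D5E), (53, 0x3390), (53, 0xC8A1)]
PATCHED = [(31204, 0x1A2B), (49871, 0x9C3D), (22983, 0x44F0), (60215, 0x0B77),
           (10452, 0xE102), (57310, 0x7D5E), (34099, 0x3390), (45777, 0xC8A1)]

def port_entropy_bits(ports):
    """Shannon entropy of the observed source ports, in bits. A fixed port
    gives 0; a randomizing resolver gives log2(#distinct) on a small sample
    and approaches 16 bits on a large one."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def ports_look_randomized(ports, min_bits=2.0):
    """Operator's sanity check: fail if outgoing queries reuse one or two
    ports. A NAT that rewrites source ports to a fixed value silently undoes
    the patch, so capture on the outside of any NAT as well."""
    return port_entropy_bits(ports) >= min_bits

def spoof_success_probability(forged_responses, txid_bits=16, port_bits=0.0):
    """Chance that at least one of `forged_responses` blind guesses matches
    both TXID and port within a single query window. Randomization raises
    the bar; it never pushes this to zero."""
    p_single = 2.0 ** -(txid_bits + port_bits)
    return 1.0 - (1.0 - p_single) ** forged_responses

def compare(forged_responses=50_000, patched_port_bits=16.0):
    """Return (unpatched, patched) success probabilities for the same burst
    of forged responses. Assumes the patched resolver draws from the full
    16-bit ephemeral port range."""
    before = spoof_success_probability(forged_responses, port_bits=0.0)
    after = spoof_success_probability(forged_responses, port_bits=patched_port_bits)
    return before, after

if __name__ == "__main__":
    print("unpatched ports randomized?", ports_look_randomized([p for p, _ in UNPATCHED]))
    print("patched ports randomized?  ", ports_look_randomized([p for p, _ in PATCHED]))
    before, after = compare()
    print(f"P(poisoned) per 50k forged responses: {before:.3f} -> {after:.2e}")
```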


Secure64 Announces Automated DNSSEC Solutions

On July 30, 2008, Secure64 announced Secure64 DNS Signer, a product that dramatically simplifies implementation and maintenance of DNSSEC. Secure64 DNS Signer addresses the main obstacles to the deployment of DNSSEC, including the need for simplicity, security, auditability and scalability. More details on Secure64 DNS Signer are available on our website.



OMB Orders US Federal Agencies to Deploy DNSSEC


In a memo dated August 22, the Office of Management and Budget ordered all U.S. Government agencies to develop a plan of action to deploy DNSSEC by December 2009. This mandate applies to all federal information systems, not just the medium- and high-impact information systems previously recommended. In addition, the memo outlined the government’s commitment to sign the .gov zone by January 2009.

These steps not only reinforce the government’s leadership role in securing the DNS within the US critical infrastructure, they also serve as a catalyst for deployment of DNSSEC worldwide.


Why Deploy DNSSEC?

Five authors who have been closely involved in educating, developing and deploying DNSSEC solutions have weighed in on the question: "Why deploy DNSSEC?" Read their thought-provoking articles here.

Deploying DNSSEC: A Hands-on Workshop

The National Institute of Standards and Technology (NIST) and Secure64 are sponsoring two one-day, hands-on workshops on deploying DNSSEC within US Federal Government agencies. Here is the abstract for the workshops:

Since December 2007, FISMA policies and NIST technical guidelines have recommended deployment of DNSSEC as part of a secure DNS infrastructure. In August 2008, the Office of Management and Budget updated its policy, requiring all agencies to deploy DNSSEC by December 2009.

NIST and Secure64 Software Corporation, in collaboration with DHS and the dnssec-deployment initiative, are hosting two hands-on DNS security workshops for US Government DNS operators. The workshops aim to help US Government network operators understand, pilot and deploy DNSSEC technologies in accordance with these policies and guidelines.

Workshop attendees will learn:

  • What DNSSEC does and how it works
  • How FISMA controls relate to DNSSEC
  • How to develop essential DNSSEC deployment policies and practices
  • How to use open source technologies and tools to deploy DNSSEC
  • What NIST has learned from their own deployment experience
  • How automated signing products can greatly accelerate and simplify deployment

Click. Check. Resolve.

DNS is a serious target and could put your company at risk. Let DNSstuff help you properly configure, manage and monitor your DNS. We pinpoint issues and show you how to fix them. Check your DNS Health today. 


How to Deploy DNSSEC Without Losing Your Mind

Secure64’s Chief Operating Officer, Joe Gersch, will be speaking at the upcoming CSI conference at the Gaylord National Resort Hotel in Washington DC, November 15-21, 2008. Joe’s presentation will be on Wednesday, November 19th, from 11:00 to 12:00.


Questions / Comments?

Have comments or questions about the content you've read? Please feel free to contact us.