DNSSEC Doesn’t Mitigate All DNS Threats

By: Carolyn Duffy Marsan

Date: October 1, 2010


Even as deployment of Domain Name System Security Extensions (DNSSEC) is gaining momentum across the Internet, many threats to the DNS remain, according to a panel discussion sponsored by the Internet Society in conjunction with the IETF meeting in Maastricht, Netherlands, in July 2010.

Among the most serious of the threats is the amount of additional information that new protocols such as DNSSEC are pushing through the DNS as well as add-on functionality that Internet engineers want to append to the DNS now that the system is more secure.

The panelists—all of them DNS experts—expressed their pleasure about the summer 2010 deployment of DNSSEC on the root servers, on top-level domains such as .org, and on country-code top-level domains such as Sweden’s .se.

“With DNSSEC, we changed the maintenance on the engine of a plane in flight—and with no noticeable disruption,” said Danny McPherson, who leads VeriSign Labs’ research in network security and availability. He pointed out what a major accomplishment this was given that VeriSign alone handles up to 60 billion DNS queries in a single day.

“I’m also sort of impressed and surprised that we managed to add DNSSEC without any gaps so that there was nothing to write about. Nothing happened, and that’s a good thing,” said Patrik Fältström, a distinguished consulting engineer with Cisco Systems.

Despite the promise of DNSSEC, Danny pointed out, DNSSEC addresses only one aspect of information security for the DNS: integrity. He added that DNSSEC neither addresses the confidentiality of the information inside the DNS nor fixes availability issues.

All it takes is a user to have his password with his domain name registrar compromised for the DNS to be infiltrated—even with DNSSEC deployed from end to end. “If any piece of the DNS chain is compromised, everything else in the system is useless,” Danny said.
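The two points above, that DNSSEC enforces integrity but that the chain of trust is only as strong as its weakest delegation, modelled in a toy validator (an added example, not code from the article or the panelists). Assumptions: zones are plain dicts, an HMAC stands in for the RRSIG/DNSKEY signature (so signing and verifying share a key, unlike real DNSSEC), a DS is the SHA-256 of the child key, and the zone names and addresses are constructed.

```python
import hashlib, hmac, os
# Toy DNSSEC chain of trust (added example). Stand-ins: a zone's "DNSKEY" is a
# random secret used both to sign and verify (HMAC, unlike real asymmetric
# RRSIG/DNSKEY); a DS is the SHA-256 of the child's DNSKEY (DS digest type 2).

def ds_digest(dnskey):
    return hashlib.sha256(dnskey).hexdigest()
def sign(z, rr):                 # publish rr in zone z together with its RRSIG
    z["sigs"][rr] = hmac.new(z["dnskey"], rr.encode(), hashlib.sha256).hexdigest()
def verify(z, rr):               # does zone z hold a valid RRSIG for rr?
    expect = hmac.new(z["dnskey"], rr.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(z["sigs"].get(rr, ""), expect)

def zone(ds_children=None):      # fresh key plus signed DS records for children
    z = {"dnskey": os.urandom(32), "ds": dict(ds_children or {}), "sigs": {}}
    for child, d in z["ds"].items():
        sign(z, f"{child} DS {d}")
    return z

def validate(zones, anchor_ds, chain, rr):
    """Walk from the trust anchor down the chain; True only if every link holds."""
    expected = anchor_ds
    for i, name in enumerate(chain):
        z = zones[name]
        if ds_digest(z["dnskey"]) != expected:
            return False                          # DNSKEY not vouched for by parent DS
        if i + 1 < len(chain):
            if not verify(z, f"{chain[i+1]} DS {z['ds'][chain[i+1]]}"):
                return False                      # delegation not validly signed
            expected = z["ds"][chain[i + 1]]
    return verify(zones[chain[-1]], rr)           # finally the answer itself

def scenario():                  # constructed zones: root -> com -> example.com
    example, rr = zone(), "www.example.com. A 192.0.2.10"
    sign(example, rr)
    com = zone({"example.com": ds_digest(example["dnskey"])})
    root = zone({"com": ds_digest(com["dnskey"])})
    zones, chain = {".": root, "com": com, "example.com": example}, [".", "com", "example.com"]
    anchor = ds_digest(root["dnskey"])            # the validator's configured root key
    out = {"genuine": validate(zones, anchor, chain, rr)}
    out["tampered"] = validate(zones, anchor, chain, "www.example.com. A 192.0.2.99")  # no RRSIG
    # weakest link: a registrar-account compromise gets .com to publish a new DS,
    # and everything beneath that DS then validates all the way from the root
    rogue, fake = zone(), "www.example.com. A 198.51.100.7"
    sign(rogue, fake)
    com["ds"]["example.com"] = ds_digest(rogue["dnskey"])
    sign(com, "example.com DS " + com["ds"]["example.com"])
    zones["example.com"] = rogue
    out["after_ds_replaced"] = validate(zones, anchor, chain, fake)
    return out
```

The last result is what the model is for: the validator has no way to tell a legitimate key rollover from a registrar-level replacement, so watching the DS set your parent publishes for unexpected changes is the operational check this motivates.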

Patrik warned that Internet engineers might be trusting DNS too much these days, now that DNSSEC is being deployed. For example, they may want to store large blocks of data in the DNS or add new services that would be better off as separate services that point to the DNS, he argued. “The risk is that we’re trusting the data we get and we bootstrap and jump into other protocols and rely on the data to be absolutely 100 percent correct, when the reality with DNSSEC is that it solves only the integrity part of DNS,” Patrik said. “I’m a little nervous that DNSSEC makes it interesting to add a little too much to DNS.”

Barry Leiba, Internet standards manager at Huawei Technologies, said the reliability and ubiquity of DNS are the reasons Internet engineers have used them for add-on security protocols such as DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework), and Sender ID. “A lot of these protocols have the common goal of associating a domain securely with an e-mail message, and they have a common mechanism for putting that information in DNS,” Barry said. “I know there are companies that are concerned about whether the people who manage their DNS will get all of these other records right and what the change control will be. So there is an administrative issue. But from a deployment perspective, [DNS] has made things like SPF and DKIM very easy to deploy.”

Lars-Johan Liman, a senior systems specialist at Netnod/Autonomica, pointed out that the DNS is more complex than many Internet engineers realize and that many applications stop working if DNS stops working. “DNS is a small idea that has scaled fantastically,” Lars-Johan said. “It was well designed to carry lots of information, and it will continue to do so for a long time. But it poses a few restrictions on what you can do. DNS is a hierarchy; I’m a bit worried about shifting the name space and flattening it too much because that does lead to operational problems.”

Lars-Johan predicted that the Internet will need additional look-up mechanisms rather than relying on DNS alone to transfer bulk data. “DNS will take us far, but it doesn’t cover all the needs we have,” he said.

Despite the deployment of DNSSEC, the DNS will remain a prime target for hackers because it enables so many applications, panelists warned. “The hierarchy and the massively distributed nature of DNS are one thing, but it’s still prone to systemic attacks,” Danny said, pointing out that the many safeguards that are in place won’t prevent surgical strikes such as localized DDoS (distributed denial of service) or IP (Internet Protocol) address-spoofing attacks.

“DNSSEC is a huge, huge benchmark for us, and I think it’s great,” Danny said. “But we’ve still got a long way to go to provide protection in the network layer of the infrastructure. Besides DNSSEC, network routing and network-layer security are top of mind for me.”

When the panelists were done speaking, audience members questioned those experts about whether it was time for the IETF to begin a DNS Next Generation working group. The panelists, however, were not in favor of a big project to rewrite DNS on a par with the creation of IPv6 to replace IPv4, because it has taken so long for that upgrade to occur.

“I have visions of smaller, nimbler DNS-like protocols that will do very specific things and help locate other services, possibly with a different hierarchy—or not,” Lars-Johan said. “I think we need to look at other types of services for retrieving data.”

This article was posted on 31 January 2011