Steve Goodbarn

It is critical to sign the root server as soon as possible. A signed root will speed adoption of this badly needed improvement in Internet architecture and it will do so at a fraction of the cost internet users endure today in their efforts to protect themselves. It will greatly reduce losses from avoidable malicious activity. Importantly, it provides a trust anchor that is essential for deployment of Internet 2 and cloud computing applications that can achieve needed efficiencies in health care, insurance and government.

The cost to sign the root is trivial, the worldwide benefit huge. All of the technical challenges have been addressed by a worldwide who’s who of very smart people. I can go on and on but others have also made the case: Sign the Root.  

As noted in a recent article in Network World, the Department of Commerce sought comments through November 24, 2008 on signing the root. The memo and comments are posted here: http://www.ntia.doc.gov/DNS/DNSSEC.html. Let’s hope they are listening.

Another holdup is the difficulty in learning DNSSEC and the ongoing cost and risk of operating DNSSEC. Do it yourself DNSSEC requires a relatively high level of technical knowledge. There is a steep learning curve for implementation and probably a half time person for ongoing operations. This is too much for all but the largest organizations and service providers.

There are a lot of technical reasons for this difficulty but in short it is due to cryptographic operations that cannot be done securely while connected to the Internet. Since DNS is connected to the internet and runs 24/7 this is not a trivial problem and so manual operations are required and everyone knows that is another big risk.

My company, Secure64 Software, produces a DNSSEC signing server that automates DNSSEC signing functions. It installs in minutes and can be operational in a matter of hours. Technical knowledge and time required to operate is only marginally greater than running authoritative DNS today. It works with all of the primary DNS servers in use today. If you want to know more, click here: Secure64DNSSigner - DNSSEC made simple and secure.

I must admit that it is hard to write about DNSSEC in the current economic environment. But new technologies are one of the keys to generating wealth and that is the only way we get the economy back on its feet. The web is a huge enabler for business and lifestyle efficiency. Making it secure provides the confidence needed to more fully utilize this wonderful communications tool.

The Kaminsky cache poisoning vulnerability is not the only reason for widespread adoption of DNSSEC. But you may be asking what the heck is DNSSEC? For that matter, what is DNS?

For a technical overview of DNS, DNSSEC, and the Kaminsky vulnerability start here:  DNSSEC - DNS Security Extensions and here: An Illustrated Guide to the Kaminsky DNS Vulnerability. I’m going to keep this light and focus on benefits.

The DNS database is the phone book and the “Operator” for the Internet. When you visit a web site or send an email, you use the DNS to find the web or email server that your browser or email client needs to reach. Internal networks are similarly dependent upon DNS, as each PC, internal database, IP telephone and network printer within an organization has an IP address; IT infrastructure depends upon DNS, it is mission critical.

But the DNS is not secure, meaning users cannot be sure that they are communicating with the correct web or email server. They cannot know this with certainty today because there is no because there is no way to trust the answers that the DNS provides.

How will DNSSEC impact Internet users? It makes Internet communications more secure by ensuring that the responses from the DNS came from the authorized source and have not been altered in transit. What does this mean?

1. You will know with certainty that you have arrived at the correct web site. Today you can’t be sure. It resolves the Kaminsky vulnerability.
2. You will be able to trust SSL and VPN. Today the cannot be trusted with certainty.
3. It provides an essential trust anchor for cloud computing.
4. DNSSEC closes a DNS security hole for DKIM, or Domain Keys Identified Mail. Today email senders can be spoofed, resulting in phishing emails and SPAM. Also, today if email is not encrypted its contents can be spied upon. Authentication of email senders will substantially reduce if not eliminate SPAM and phishing emails.
5. Voice over Internet Protocol(VoIP) and other applications critically need DNSSEC authentication. More on this in a later post.

The world needs DNSSEC. Governments, businesses and organizations should do everything in their power to make sure their customers and constituents know with confidence that they can be reached securely through the web. The cost is trivial and the benefit for internet users is huge.

Why am I writing this blog? Well one reason is advice from Mitchell Ashley that I have something to say worth reading. More specifically, I’ve started a software company (www.Secure64.com) with Bill Worley, a former Chief Scientist of Hewlett Packard, and we are engaged in an effort to make the web and all of its applications more secure, responsive and reliable.

There are many blogs and articles on internet security but for the most part they are technical and/or focused on describing the latest products. Yet 99&44/100ths% of users just want things to work. We can do a better job of managing our internet infrastructure, save everyone money in the process, and enable the next generation web applications that will improve our lives.

I’m going to cut through the clutter and the misusage of the term “security” and talk about what it means to you as a user of the web. Why you will look back a few years from now and say how much better things are than they were in 2008.

So with this first posting I’d like to focus on a recent Network World article entitled “IETF: Should we ignore the Kaminsky bug.” This is a fair point, considering that the web and its attendant software have more bugs and security flaws than there are human diseases, what’s the big deal about one more?

The obvious answer is that this is a big one, sort of like leaving the back door unlocked on your house. You may have the most secure laptop in the world and be communicating with the most secure web site in the world but if the cloud (the connections between you and your destination web site) sends you to the wrong place, or someone redirects you to spy on your activity, it doesn’t matter. You are hosed. That also applies to email, Voice over IP phone calls, VPN, SSL and other web activities, as Dan Kaminsky himself has noted.

The second reason to address the Kaminsky bug is that there is a simple, low cost solution in DNSSEC. What the article misreports is that DNSSEC is irrelevant until it is widely deployed. That is simply not the case. Getting the root signed is another roadblock but again not a requirement for DNSSEC to be effective. For more information about DNSSEC, go to the DNSSEC Home Page

The web is one of the primary drivers of wealth creation today. It’s ridiculous, and in fact it is unacceptable, to leave internet users open to exploit by malicious elements when a simple solution is at hand.

I’ll elaborate on DNSSEC, why it is now so simple to implement, and its beneficial impact in my next post.