Carolyn Duffy Marsan's Network World article "DNS remains vulnerable one year after Kaminsky bug" highlights both the tremendous progress in DNSSEC adoption and the fundamental lack of progress on the part of many in maintaining the DNS, or even in applying the patch for the bug, which was also released a year ago.
The progress?
- Awareness of DNS and its vulnerabilities. This was invisible prior to Dan Kaminsky because the major software and security vendors had no solutions and the technical press ignored glaring security weaknesses in the structure of the internet. There is now general awareness.
- Awareness, adoption and support for DNSSEC are an order of magnitude greater. The root servers will be signed by the end of this year. The .gov and, even more importantly, the .org top-level domains are signed. Signing a parent zone is crucial for easy adoption of DNSSEC by the zones beneath it: individual government agencies under .gov and domains under .org. Adoption is underway by Federal agencies. Verisign is committed to signing .com and .net by 2011. All Federal agencies will adopt DNSSEC by the end of 2009. Windows 7 and newer versions of Linux have DNSSEC awareness.
If the many functions needed to install and operate DNSSEC are fully automated, users with relatively simple skills can adopt DNSSEC quickly and easily. OK, there is really only one product that does this, from my company Secure64. But others are trying.
On the down side, there are going to be a lot of sites that will be caught off guard by DNSSEC. The DNS is very forgiving of negligent systems administration. DNSSEC is not: it requires regular key rollovers (zone-signing keys are commonly rolled monthly), and every signature carries an expiration date, so a zone whose operator stops paying attention will fail validation and disappear for anyone behind a validating resolver. Any software performing DNSSEC should automate rollover and re-signing. I do not feel sorry for poorly maintained sites because that is where malware hides. Adopting DNSSEC will force an Internet-wide improvement in security for that reason alone.
So my hat is off to Dan. If we ever get a "Knight and Protector of the Internet Order" award (and why not?) he should be in line for the first one.
It's pretty bad but people are moving in the right direction finally. We are seeing some movement in the root getting signed (ICANN Sydney showed the target is end of year). The next place where some serious attention needs to be is in how DNSSEC is consumed by the OS and the application. What does the user see and what type of new things can you do with DNS that you cannot do already?
I will say that we have a managed DNSSEC service (http://dynect.com/technology/dnssec.html), making us one of only two providers who offer a hardware or a hosted DNSSEC product/service.
Meanwhile, attacks are getting talked about more, which means it is no longer a proof of concept but is actually hurting people. No good to see that.
Posted by: Jeremy Hitchcock | 07/27/2009 at 11:14 AM