Open-source project aims to makes secure DNS easier
- 31 July, 2009 04:27
A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.
The software, called OpenDNSSEC, automates many tasks associated with implementing DNSSEC (Domain Name System Security Extensions), which is a set a set of protocols that allows DNS (Domain Name System) records to carry a digital signature, said John A. Dickinson, a DNS consultant working on the project.
DNS records allow Web sites to be translated from a name into an IP (Internet Protocol) address, which can be queried by a computer. But the DNS system has several flaws dating from its original design that are being increasingly targeted by hackers.
By tampering with a DNS server, it's possible for a user to type in the correct Web site name but be directed to a fraudulent site, a type of attack called cache poisoning. That's one of many concerns that is driving a movement for ISPs and other entities running DNS servers to use DNSSEC.
With DNSSEC, DNS records are cryptographically signed, and those signatures are verified to ensure the information is accurate. Adoption of DNSSEC, however, has been held back by both the complexity of implementation and a lack of simpler tools, Dickinson said.
To sign DNS records, DNSSEC uses public key cryptography, where signatures are created using a public and private key and implemented on a zone level. Part of the problem is management of those keys, since they must be refreshed periodically to maintain a high level of security, Dickinson said. A mistake in managing those keys could cause major problems, which is one of the challenges for administrators.
OpenDNSSEC allows administrators to create policies and then automate managing the keys and signing the records, Dickinson said. The process now involves more manual intervention, which increases the chance for errors.
OpenDNSSEC "takes care of making sure that zone stays signed properly and correctly according to the policy on a permanent basis," Dickinson said. "All of that is completely automated so that the administrator can concentrate on doing DNS and let the security work in the background."
The software also has a key storage feature that lets administrators keep keys in either a hardware or security software module, an additional layer of protection that ensure keys don't end up in the wrong hands, Dickinson said.
The OpenDNSSEC software is available for download, although it is being offered as a technology preview and shouldn't be used yet in production, Dickinson said. Developers will gather feedback on the tool and release improved versions in the near future.
As of earlier this year, most top-level domains, such as those ending in ".com," were not cryptographically signed, and neither were those in the DNS root zone, the master list of where computers can go to look up an address in a particular domain. VeriSign, which is the registry for ".com," said in February it will implement DNSSEC across top-level domains including .com by 2011.
Other organizations are also moving toward using DNSSEC. The U.S. government has committed to using DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC.
Security experts argue that DNSSEC should be used sooner rather than later due to existing vulnerabilities in DNS. One of the more serious ones was revealed by security researcher Dan Kaminsky in July 2008. He showed that DNS servers could be quickly filled with inaccurate information, which could be used for a variety of attacks on e-mail systems, software updating systems and password recovery systems on Web sites.
While temporary patches have been deployed, it's not a long-term solution since it just takes longer to perform an attack, according to a white paper published earlier this year by SurfNet, a Dutch research and education organization. SurfNet is among OpenDNSSEC's backers, which also includes the ".uk" registry Nominet, NLnet Labs and SIDN, the ".nl" registry.
Unless DNSSEC is used, "the basic flaw in the Domain Name System -- that there is no way to ensure that answers to queries are genuine -- remains," the paper said.