auDA reveals timing for DNSSEC rollout
- 26 March, 2014 12:37
.au Domain Administration (auDA) has revealed that it is finally ready to begin the roll out of DNSSEC.
"Over the past 18 months auDA has conducted and completed substantial testing on multiple systems, utilising various hardware and software, in preparation for signing the .au zone," says a statement by the organisation, which administers the .au domain space.
"This is the first step in creating a chain of trust from the root zone through to domains at the second and third level in the .au domain space. Through this testing auDA has developed processes and practices that aim to maintain a high level of stability and allow for improved security."
DNS Security Extensions, or DNSSEC, is designed to prevent DNS-based attacks including ones based on the cache poisoning vulnerability revealed by security researcher Dan Kaminsky in 2008.
Next month auDA will sign the .au zone in its production environment, though initially the .au zone Delegation Signer (DS) Records will not be added to the Root. Testing is envisaged to take four months. auDA intends to add the .au DS records to the Root Zone in August.
"As noted above, the signed .au zone is to be considered experimental only at this stage but auDA encourages other entities, especially resolver operators, to conduct their own testing against the .au zone using their development/staging environments," the organisation's statement says.
"It is good to see some progress towards the implementation of DNSSEC in an attempt to improve the security of a core internet service; however, it is questionable as to how much security DNSSEC will provide," Threat Intelligence's Ty Miller said.
"Over the past year we have seen an increase in 'Amplification Attacks' with DNS and NTP that are used to perform DDoS attacks against organisations. These attacks arise because a request can be sent that triggers a large DNS response that can be directed to the attacker's victim.
"Since DNSSEC adds cryptographic signatures to DNS responses, DNSSEC requires organisations to support large DNS responses (EDNS0) that are likely to increase the number of DNS servers that can be used in Amplification Attacks and the severity of these attacks."
"A common security control for DNS is to disable 'zone transfers' to prevent an attacker from gathering all of your domain names in order to locate and attack your servers. DNSSEC has been found to leak domain names even if zone transfers have been disabled," Miller added
DNSSEC will not be used by a DNS server unless it is requested by a DNS client. In addition, Miller said, clients that use an insecure protocol will render moot the security benefits of DNSSEC.
"The security introduced by DNSSEC can be bypassed easily if it is used in conjunction with another insecure protocol, such as HTTP or FTP," Miller said.
"For example, you wish to visit a website that triggers a DNSSEC request followed by an HTTP request. The attacker is able to simply ignore the DNSSEC request and manipulate the HTTP request in order to inject a phishing page that may host malware."
"DNSSEC won't stop all DNS based attacks — for example the recent BGP attack that momentarily took Google's free public DNS services offline for some South American users — but it will mitigate the more common DNS cache poisoning attacks that have been used in the past by hacktivist groups," said Lani Refiti, a spokesperson for the Australian Information Security Association.
"In terms of the length of time it's taken, auDA has taken a cautious approach but I believe prudent one as the consequences of misconfiguration without thorough testing could be far worse than what it was intended to prevent."
auDA has set up a mailing list to discuss the DNSSEC process.
auDA revealed in mid-2011 that it had completed the assessment phase of the planned transition.
DNSSEC was turned on for .com in 2011.