February 3, 2009 4:08 PM PST

DNS Security Extensions not a panacea

by Jon Oltsik

In 2003, the federal government released a report titled "The National Strategy to Secure Cyberspace," offering numerous recommendations to improve overall security. One suggestion was to replace insecure Domain Name System (DNS) servers with DNS Security Extensions, or DNSSEC. Simply stated, standard DNS has a relatively open method for updating information, making it vulnerable to attack. DNSSEC, on the other hand, marries DNS with a public key infrastructure (PKI) for authentication and digital signatures, addressing this particular vulnerability.

Since the original call to arms in 2003, DNSSEC implementation remained on the back burner, that is, until recently. Now federal officials are poised to implement DNSSEC across the .gov domain by the end of 2009.

Of course, I'm all for additional security and I'm a firm believer in PKI as a way to guarantee trust and reduce DNS threats. That said, I am a bit worried that the federal government may be in over its collective head here. In theory, DNSSEC is a big improvement, but I'm concerned about:

  1. Implementation. From what I've learned, DNSSEC is difficult to configure and deploy. Given the size of the federal network, this may be the biggest implementation of DNSSEC to date. Will DNSSEC scale? I'm sure it will, but it may be a painful process requiring new software development and lots of trial-and-error on the taxpayers' dime.

  2. PKI. The federal government is probably as good at PKI management as anyone, but PKI is notoriously difficult and DNSSEC is a different type of implementation. Will DNSSEC be integrated into the federal PKI architecture or remain separate? Will there be a master PKI implementation for DNSSEC and another independent PKI for an additional federal initiative to secure the Border Gateway Protocol (BGP)? My fear is a complex web of unconnected expensive federal PKI architectures throughout Washington.

  3. Security. Implemented incorrectly, DNSSEC can expose DNS zone data, which is normally kept confidential. And DNSSEC is not immune to its own vulnerabilities. Recently, the Internet Systems Consortium released a number of security patches specifically for DNSSEC. My point here is that DNSSEC is not a security panacea; it too can be configured incorrectly or be prone to software vulnerabilities.

No doubt, DNS is vulnerable, but the best way I've seen to address this is with dedicated DNS appliances built on a hardened operating system along with extremely good processes around emergency patching. DNSSEC does introduce additional safeguards but they seem overly costly and cumbersome to me. Ultimately, I am sure that the federal government will persevere and get DNSSEC right, but is this effort really worth it? My guess is that this project will cost tens of millions if not hundreds of millions of taxpayer dollars. Great for beltway bandits, but is this really necessary? Let me know what you think.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
4 Comments
by Knobee February 3, 2009 6:54 PM PST
To respond to your three numbered points, I'll provide my numbered list:

1) It's complex, but no more so than correctly deploying DNS to begin with, once you understand how it works, and how to keep it going.

2) DNSSEC won't touch the existing government PKI infrastructure.

3) DNSSEC provides no more data from your DNS than is available under normal circumstances. If you have "secret" (or even "sensitive") information in your current DNS, you are doing it wrong even without DNSSEC.

Alan Clegg
Internet Systems Consortium
DNS & BIND Instructor
by CyberWoLfman February 3, 2009 8:44 PM PST
Yeah, I'm not overly confident that many government agencies will be able to pull this off on their own, judging from their screw-ups to date when it comes to security. Heck, even the Social Security Administration's system is rather outdated, considering the fact that their database system is junk, and can't even handle an entry for a person that only has one name. The database insists on two. If you come from another country, and have only one name, they give you a 2nd name, or chop your real name in two. LOL Added to this are all the security breaches we hear about already from the SSA and other agencies with people's information. When asked about encryption, most federal agents reply with "Huh?" So, I'm not expecting them to be able to handle this on their own. They'll likely need outside help, and . . . who's to say they'll be trustworthy, or even competent? More taxpayer money down the toilet.
by andrewsullivan February 4, 2009 11:46 AM PST
Your comment, "No doubt, DNS is vulnerable, but the best way I've seen to address this is with dedicated DNS appliances built on a hardened operating system along with extremely good processes around emergency patching," seems to miss the point of what DNSSEC is about.

No amount of hardening your operating system or emergency patching will solve the problem that, without DNSSEC, DNS is fundamentally vulnerable to poisoning and man-in-the-middle attacks. DNSSEC changes the rules: an attacker can't tamper with the data without that tampering being detected. DNSSEC is the tamper-proof seal of the DNS.

It's true that putting a security band around bottles of aspirin does nothing to protect aspirin users from someone getting into the factory and adding poison to the aspirin manufacturing. DNSSEC won't do anything to solve bugs in DNS server code. But just like the security band on your aspirin lets you know if someone has fiddled with the contents of the bottle before you open it, DNSSEC lets you know if someone has fiddled with the contents of the DNS answer. If I'm looking up mybank.com, or irs.gov, that's assurance that I would very much like to have.
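As an added example, not code from the article or from any commenter, here is the mechanism the article's description of DNSSEC (PKI signatures over DNS data) and the "tamper-proof seal" analogy in the comment above both refer to: a zone operator signs a set of records, a validating resolver re-derives the same canonical bytes and checks the signature, and a substituted address or an expired signature fails the check. It uses Go's standard-library Ed25519 (an algorithm DNSSEC supports) over a simplified canonical form rather than the real RRSIG wire format; the RR and RRSIG types, the names and the addresses are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a constructed minimal resource record (owner, type, RDATA), not DNS wire format.
type RR struct {
	Name, Type, Data string
}
// RRSIG holds what a DNSSEC signature record carries: validity window, key tag, signature.
type RRSIG struct {
	Inception, Expiration uint32
	KeyTag                uint16
	Sig                   []byte
}

// canonical serialises RRSIG metadata plus the RRset in canonical form (lowercased owner, sorted records).
func canonical(rrs []RR, inc, exp uint32, tag uint16) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+"|"+rr.Type+"|"+rr.Data)
	}
	sort.Strings(lines) // record order on the wire must not matter
	return []byte(fmt.Sprintf("%d|%d|%d\n%s", inc, exp, tag, strings.Join(lines, "\n")))
}

// Sign is the zone operator's step: publish a signature alongside the RRset.
func Sign(priv ed25519.PrivateKey, rrs []RR, inc, exp uint32, tag uint16) RRSIG {
	return RRSIG{inc, exp, tag, ed25519.Sign(priv, canonical(rrs, inc, exp, tag))}
}

// Verify is the resolver's step: an altered record or an out-of-window signature is rejected.
func Verify(pub ed25519.PublicKey, rrs []RR, s RRSIG, now uint32) bool {
	if now < s.Inception || now > s.Expiration {
		return false
	}
	return ed25519.Verify(pub, canonical(rrs, s.Inception, s.Expiration, s.KeyTag), s.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rrs := []RR{{"www.example.gov.", "A", "192.0.2.10"}} // constructed sample answer
	sig := Sign(priv, rrs, 1000, 2000, 12345)
	forged := []RR{{"www.example.gov.", "A", "203.0.113.66"}} // address swapped in transit
	fmt.Println(Verify(pub, rrs, sig, 1500), Verify(pub, forged, sig, 1500)) // true false
}
```

Note that the signature covers the validity window too, so an attacker cannot extend an old signature's lifetime; what this check cannot do is fix a bug in the name server software itself, which is the "poison in the factory" case the comment describes.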
by pentest February 4, 2009 10:45 PM PST
Nothing is tamper-proof. If someone tells them otherwise, stop listening to them.

Sure, it is a great improvement, but not fool-proof.

Writing an article saying it is not a panacea is like saying that water is wet.