June 14, 2000 5:00 AM PDT
Security firm warns of outdated software
Sydney-based DeMorgan said 30 percent of the computers controlling the ".com" domain name system (DNS)--including several of the highest-level root servers--are vulnerable to "denial of service" and other
The security firm released the widely disputed study last week, finding that just 20 percent of DNS servers in Australia have installed the recommended DNS server software, which received a substantial security upgrade in November. The firm also concluded that as many as 75 percent of DNS servers worldwide have failed to install the upgrade.
Louis Touton, general counsel for the Internet Corp. for Assigned Names and Numbers (ICANN), the agency with ultimate responsibility for the security of DNS, acknowledged some trouble spots. But he said the problems mostly affect remote areas of the Internet and insisted that the core DNS root servers are safe.
"At the root level, security is very robust," Touton said.
Root servers act as control switches on the Internet, taking requests from one domain and showing it how to reach addresses in another. Without them, Net surfers would be unable to reach destination sites.
DeMorgan's charges come as DNS security problems have taken on a higher profile.
Just this month, the Net's technical standards body, the Internet Engineering Task Force (IETF), published new specifications governing DNS servers, including new security protocols. Late last year, a key Internet security agency issued an advisory identifying six security holes in DNS server software known as Berkeley Internet Name Domain (BIND).
The Internet Software Consortium (ISC), the open-source development group behind the software, has since recommended on its Web site that all DNS administrators install a BIND upgrade for "security reasons."
According to DeMorgan, the uncomfortably large percentage of DNS administrators who have failed to do so raises fresh questions about security benchmarks and oversight for the DNS.
ICANN's Touton said the DeMorgan study was flawed.
"DeMorgan wouldn't know what version of software is being used," he said. "A computer search might turn up a version number, but it would not show what patches have been installed...I think concerns over this are overblown."
Touton added that ICANN and the 13 root-server adminstrators have been working together in a Cooperative Research and Development Association (CRADA) to set basic technical improvements and establish funding streams to move the voluntary group to a stronger footing. He said basic guidelines are expected within the next six months.
Is it really that bad?
DeMorgan chief information officer Craig Wright said one of the highest-level root servers--".com" root server A, administered by Network Solutions (NSI)--could allow hostile intruders to compromise the system.
"Some of the codes are vulnerable to either a root compromise or DDoS (distributed denial of service) attacks," Wright said. "These are mission-critical servers that control the Internet. There seems to be no control to make sure people actually update their patching."
NSI spokesman Brian O'Shaughnessy said the company is aware that domain name servers in general are vulnerable to attacks through BIND. He also said that root server A is not running the most current version of BIND but noted that it has all the latest security patches.
The company will upgrade to a more recent version of BIND only after extensive testing for the software's stability, O'Shaughnessy said. NSI must focus on its domain name registration services and on testing new versions of BIND.
"Network Solutions has too much responsibility riding on the operations of the registry unit," he said. "We only put in patches once we are able to prove that the extensive tests demonstrate the software is stable."
The root server A is the top-level domain server that functions
The ISC recommends the use of version 8.2.2 patch level 5.
Nevertheless, Wright said root servers E and F are running a new version of BIND--version 8.2.3 (T5B)--described by developers as a prerelease.
Touton said that ISC--which runs the F root server--is working hard to release a new BIND version 9, and it would be a mistake to assume that there are serious security problems with the earlier beta.
While Touton agreed there are outstanding security issues, he said most problems in the DNS are far removed from the core functions.
"This is a hierarchical system, and there are leaves on the tree that are running BIND version 4 in some out-of-the-way places," he said. "A decentralized system is not always up to the highest standard across the board."