Safe domain
Protecting the foundation of the internet

DNS security
Sponsored by

Trust net

Adoption of DNSSEC is gaining steam, says Lauren Price, chairwoman of the DNSSEC Industry Coalition. Dan Kaplan investigates.

On a quiet Sunday two years ago, renowned security white hat Dan Kaminsky was sitting in his Seattle apartment, fooling around with some software, as he often does, when he stumbled on a gaping hole in one of the internet’s fundamental building blocks.

He discovered an inherent design flaw in the Domain Name System (DNS), a critical component of internet infrastructure that translates IP addresses into memorable domain names. If exploited, the vulnerability could have led to a devastating hacker technique known as cache poisoning, by which a cybercriminal directs users to the website of his choosing without the user even realizing it. There, they can be stripped of banking credentials, for example, or be forced to download malware. Such attacks, while rare, have happened. What’s worse, no browser or operating system security solution can prevent a redirection at the DNS level.

Kaminsky, whose day job is director of penetration testing at IOActive, quickly realized how destructive his discovery could be, and his focus immediately turned to fixing the problem – and fast. The self-professed DNS geek was so concerned for the internet’s health that he arranged a secret meeting among a group of researchers and technology providers on the campus in Redmond, Wash.

The gathering resulted in the unprecedented, coordinated release three months later of a patch from dozens of vendors that make DNS servers and clients. The fix essentially extended the randomness of the source port in the DNS server, significantly limiting the chance of attack. But it didn’t completely rule out the possibility. Kaminsky called the patch a Band-Aid.

A few months passed, and once the buzz around the flaw began to wane, Kaminsky – and others with a vested interest in DNS – began to think about a bigger, longer term and more permanent solution. Their attention turned to DNSSEC, a set of Internet Engineering Task Force extensions that provide authentication of DNS data. DNSSEC uses digital, cryptographic signatures to protect against forged DNS data and ensures that the server to which a user believes they are connecting is the correct one. Meanwhile, website owners can benefit by ruling out the possibility of domain hijacking and, in the process, protect their brand from reputational harm.

“We just didn’t have an efficient way to exchange key material across organizational boundaries,” Kaminsky says. “Everyone uses DNS as the overarching system by which they can access each other’s servers. It works amazingly well. It’s been working for the past 25 years. But right now, all it gives us is connectivity. It can’t give us trust.”

The concept of DNSSEC was nothing new – in fact, development of the standard has been in the works for more than a decade. But nothing prompted massive adoption – until Kaminsky’s revelation, that is. Momentum started to build.

Now DNSSEC adoption appears inevitable, and the schema may usher in a new era of trust never before seen, says Lauren Price, chairwoman of the DNSSEC Industry Coalition, a group of security experts whose mission is to encourage implementation of the technology.

“Virtually everything on the internet depends on DNS, and if you step back and think about that, it’s pretty extraordinary,” Price says. “Without it, the internet does not work. When DNS was created for the internet, the principal players weren’t thinking about how it’s being used today. There’s really nothing wrong with the infrastructure. What’s wrong is the way it’s being used and abused.”

Cache poisoning is much more menacing than traditional phishing, which is reliant on the victim falling for a bogus URL, she says.

“It’s actually more dangerous and smarter than phishing,” Price says. “You can really be on BankofAmerica.com, and someone is hijacking your traffic and taking you somewhere else.”

Yet what makes DNSSEC adoption particularly cumbersome is that for end-users and website owners to benefit, all members of the DNS chain must participate. These are the root, the top-level domains (such as .com and .org), and second-level domains (such as google.com), as well as internet service providers, which maintain DNS servers. Each zone must be authenticated and signed through the creation of a public and private “key pair.” For the most part, parties have dragged their feet in deploying the standard. As a result, a chicken-or-the-egg dilemma has taken hold.

“Why sign [your DNS zone] if nobody is checking for signatures and vice versa?” asks Steve Crocker, CEO of internet firm Shinkuro and chairman of the Internet Corp. for Assigned Names and Numbers (ICANN) Security and Stability Advisory Committee.

Someone had to step up to the plate. The first whiff of change in the United States arrived in August 2008, when the federal Office of Management and Budget ordered the .gov top-level domain (TLD) and all federal agency websites to be signed with the DNSSEC protocol. But arguably the most crucial development came last fall, when ICANN, the organization charged with managing the DNS, announced that DNSSEC will be deployed at the root zone by July 1. The root zone, comprised of 13 root servers, is the top zone in the DNS hierarchy and lists the names and IP addresses of the authoritative DNS servers for all TLDs.

The next zone down is the TLDs, one of which, .org, will begin supporting DNSSEC in June, according to the Public Interest Registry, which manages the .org domain. The .com, .net and .edu TLDs are expected to follow suit later this year and early next.

Aside from the root and TLDs being signed, each individual second-level domain must be signed. For DNSSEC to work, these website owners must embrace the standard, much like they have SSL to encrypt transaction data. Now that momentum appears to be behind DNSSEC, domain owners are becoming increasingly interested. “At some point, it’ll be part of good hygiene,” Crocker says. “If your zone isn’t signed, people will look at you funny.”

Price, who works full time for the Public Interest Registry, cites several big-name websites, such as PayPal, that have realized the benefits of offering their customers a trusted internet experience. “Right now, you are vulnerable to people redirecting your traffic to somewhere you don’t want to go,” she says.

But businesses wanting to deploy DNSSEC are reliant on registrars to implement the standard. That is because registrars serve as the link between the domain and the registry. So far, 10 registrars have passed the required certification test to offer DNSSEC registrations, Price says.

Richard Merdinger, senior director of domain registration services at Go Daddy, which manages 40 million domains and is the nation’s largest registrar, says the company plans a two-phase rollout of its DNSSEC services. The first phase allows website operators to generate a public and private key, known as a key pair, which they will use to sign their domains. Then, they can provide that information to Go Daddy, which will distribute the data to the registries. In the second phase, Go Daddy will manage the implementation on behalf of its customers for a yet-to-be-determined fee, leaving them with virtually nothing to do.

Meanwhile, for larger organizations that manage their own DNS services, technology has evolved such that domain owners, using automated processes for key creation and management, can deploy DNSSEC themselves. An initial capital investment in upgrading or replacing one’s DNS server would be required. The days of DNSSEC being considered too complex and error-prone to ever work appear to be heading for the rearview mirror.

“The current barriers are no longer technical,” says Nathan Meyer, product manager at F5 Networks, a networking appliances company that makes a DNSSEC solution.

So where does all of this leave the average web surfer? After all, end-users are the ones making the DNS requests. This is where internet service providers come into play. Comcast, for one, plans to make its caching resolver DNSSEC aware by the end of next year, says Chris Griffiths, manager for high-speed internet engineering at the Philadelphia-based ISP. DNS resolvers are able to check if the information is identical to the information on the authoritative DNS server. That means Comcast will validate the DNS responses generated when a customer wants to visit a website.

“When a signed root happens, we would use that [cryptographic] key in our caching servers and use that to validate everything on the internet,” he says. “We’re validating each step in the process of finding that domain.”

This is not to say that DNSSEC is a panacea. The protocol does not address every DNS security problem, says David Ulevitch, founder of -based security firm OpenDNS. For instance, a cybercriminal managing a botnet may sign his central command-and-control server using DNSSEC, and it would appear as a legitimate domain.

“DNSSEC forces you to accept answers when maybe you don’t want to trust some of those answers,” Ulevitch says. “To me, what’s more important is deciding which are the good [sites] and which are the bad.”

Even so, OpenDNS plans to customize its DNS resolvers so they support DNSSEC in the future. In the meantime, though, the company already has added support for DNSCurve, a lesser known, somewhat competing standard that also closes the Kaminsky cache poisoning vulnerability. And, Ulevitch says, DNSCurve is easier to implement and manage. DNSSEC advocates, however, argue their standard offers a more complete, end-to-end solution.

Now that technology has removed some of the burdens of DNSSEC adoption, Price foresees bigger things coming.

“Once we secure this piece, developers are going to start playing with this toy, and opportunities could come of it,” she says. “So many applications and services are built on top of [DNS].”

For example, DNSSEC could be used to secure online health record distribution, she says. Or eliminate spam and phishing. Applying trust to emails has long been the thorn in the side of the IT security community.

“The first thing every hacker learns is to be able to forge an email from somebody,” Kaminsky says. But attempts at ensuring that email senders are who they say they are, such as public key infrastructure (PKI), have been impeded by cost and scalability issues. DNSSEC can confirm the authenticity of a mail server.

“At the same time I’m getting the address of a mail server, I can get the key of a mail server,” Kaminsky explains. “The promises of PKI were always appealing. The technology we chose to implement those promises had some scalability issues, and DNSSEC solves those issues in a very elegant and powerful way.”

Kaminsky, initially concerned about the complexities of DNSSEC, is now one of its biggest proponents. And when this researcher says something about DNS, people tend to listen.

“It warms my heart,” he says of the standard. “We’re actually going to be able to deliver a lot of functionality to customers that, really, we should have been doing for years.”

Timeline
1990: Steven Bellovin discovers a major flaw in the DNS.
2008: Internet researcher Dan Kaminsky exploits the flaw in the DNS.
2011: .COM, .NET plan to implement DNSSEC.

www.scmagazineus.com | Copyright 2010 Haymarket Media Inc.
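The chain of trust the article describes (the root vouches for the TLD's key, the TLD for the second-level domain's, and a validating resolver checks each step from its root trust anchor) is shown below as an added Go example that is not from the article or from any organization quoted in it. It uses ed25519 keys and SHA-256 digests as stand-ins for DNSKEY, DS and RRSIG records, and every zone name, address and key seed in it is constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Zone models one signed zone (hypothetical toy type, not the real DNS wire format).
type Zone struct {
	Name    string
	Records map[string]string // "owner TYPE" -> data
	Sigs    map[string][]byte // record -> signature by this zone's private key (RRSIG stand-in)
	DS      map[string][]byte // child zone name -> SHA-256 of the child's public key (DS stand-in)
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	seed := sha256.Sum256([]byte("demo-seed:" + name)) // constructed: reproducible demo keys, never do this for real zones
	priv := ed25519.NewKeyFromSeed(seed[:])
	return &Zone{name, map[string]string{}, map[string][]byte{}, map[string][]byte{}, priv.Public().(ed25519.PublicKey), priv}
}

// Sign stores a record and signs "owner TYPE data" with the zone's private key.
func (z *Zone) Sign(rr, data string) {
	z.Records[rr] = data
	z.Sigs[rr] = ed25519.Sign(z.priv, []byte(rr+" "+data))
}
// Delegate publishes the child's key digest in the parent, as a DS record does.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.Pub)
	z.DS[child.Name] = d[:]
}

// Validate walks root -> TLD -> leaf as a validating resolver does: the root key must equal
// the trust anchor, each child key must match the parent's DS digest, and the answer must verify.
func Validate(anchor ed25519.PublicKey, chain []*Zone, rr string) (string, bool) {
	ok := bytes.Equal(anchor, chain[0].Pub)
	for i := 1; i < len(chain) && ok; i++ {
		got := sha256.Sum256(chain[i].Pub)
		ok = bytes.Equal(chain[i-1].DS[chain[i].Name], got[:])
	}
	leaf := chain[len(chain)-1]
	data, found := leaf.Records[rr]
	if !ok || !found || !ed25519.Verify(leaf.Pub, []byte(rr+" "+data), leaf.Sigs[rr]) {
		return "", false
	}
	return data, true
}
```

A record whose data is altered without a fresh signature, a zone whose key digest its parent never published, and a resolver configured with the wrong anchor all fail `Validate`, which is the property that makes a cache-poisoned answer detectable.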

Sponsor

Thawte is a leading global Certification Authority. Our SSL and code signing digital certificates are used globally to secure servers, provide data encryption, authenticate users, protect privacy and assure online identities through stringent authentication and verification processes. Our SSL certificates include Wildcard SSL Certificates, SGC SuperCerts and Extended Validation SSL Certificates.

Masthead

Editorial
Editor-in-Chief: Illena Armstrong
Deputy Editor: Dan Kaplan
Managing Editor: Greg Masters

Design and Production
Art Director: Brian Jackson
Senior Production: Krassi Varbanov

U.S. Sales
Associate Publisher, VP of Sales: Gill Torren, (646) 638-6008
Eastern Region Sales Manager: Mike Shemesh, (646) 638-6016
Western Region Sales Manager: Matthew Allington, (415) 346-6460
National Inside Sales Exec.: Brittany Thompson, (646) 638-6152
