Archive for category News
For those who participate in the monthly “DNSSEC Coordination” calls where we discuss activities around accelerating the deployment of DNSSEC, there will NOT be a call tomorrow, March 3, as there would normally be (the first Thursday of the month).
On our last call in February we noted that:
- on March 3rd, many of us will be in transit to Marrakech for ICANN 55; and
- on April 7th, many of us will be in Buenos Aires for IETF 95.
We therefore decided to:
- Cancel the monthly call on March 3.
- Cancel the monthly call on April 7.
- Hold instead a call on Thursday, March 24, at the usual time of 11:00 US Eastern which will be 15:00 UTC.
Details for the conference call will be sent out as we get closer to March 24.
Note: if you would like to participate in these monthly calls, please join the dnssec-coord mailing list. All who want to accelerate the deployment of DNSSEC and DANE are welcome to join.
Ars Technica reports that a possible DNS cache poisoning attack was used against the Romanian (.ro) versions of popular sites like Google, PayPal and Microsoft. While the exact cause is unknown, cache poisoning is suspected since it involved multiple domain names, but not the whole of the .ro domain:
For a span of one to several hours on Wednesday morning, people typing Google.ro, Yahoo.ro, and Romanian-specific addresses for other sites connected to a website that was purportedly run by an Algerian hacker, according to numerous security blog posts, including this one from Kaspersky Lab. Researchers said the most likely explanation for the redirection is a technique known as DNS poisoning, in which domain name system routing tables are tampered with, causing domain names to resolve to incorrect IP addresses.
More information from Kaspersky Lab.
The Collateral Damage of Internet Censorship by DNS Injection (594KB PDF) by Anonymous, published in ACM SIGCOMM Computer Communication Review (Volume 42, Number 3, July 2012), looks at how
Some ISPs and governments (most notably the Great Firewall of China) use DNS injection to block access to “unwanted” websites. The censorship tools inspect DNS queries near the ISP’s boundary routers for sensitive domain keywords and inject forged DNS responses, blocking the users from accessing censored sites, such as twitter and facebook. Unfortunately this causes collateral damage, affecting communication beyond the censored networks when outside DNS traffic traverses censored links.
They point out that the techniques used are similar to Kaminsky-style attacks that can be perpetrated on non-DNSSEC-enabled systems:
In the absence of DNSSEC validation, the resolver will generally accept the faked answer because it arrives earlier than the real one, and, as a result, the access to the sensitive site will be blocked or redirected.
While DNSSEC cannot guarantee that valid queries and responses are actually delivered, the paper goes on to explain how it prevents the collateral damage associated with such machinations: a validating resolver discards the forged response instead of caching it.
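To make the race concrete, here is an added example (not code from the paper) modelling a resolver that receives a forged answer before the genuine one: without validation the first matching answer is used, with validation only the answer whose RRSIG verifies under the zone's key is used. The RRSIG is a toy textbook-RSA signature, and the names, addresses and key values are constructed stand-ins, not real DNSSEC cryptography.

```python
"""Why an injected answer wins the race without DNSSEC and loses with it.
Added example, not from the paper: a minimal model of a resolver that gets
two answers for one query, the forged one first. The 'RRSIG' is a toy
textbook-RSA signature over the answer, not real DNSSEC cryptography; the
key parameters, names and addresses are constructed."""
import hashlib

# Toy RSA key of the zone owner (p=61, q=53, phi=3120; constructed, insecure).
N, E, D = 3233, 17, 2753

def h(data: bytes) -> int:
    """Hash the RRset into the range [1, N-1] so textbook RSA applies."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1)

def sign(rr: bytes) -> int:             # only the zone owner holds D
    return pow(h(rr), D, N)

def verify(rr: bytes, sig) -> bool:     # anyone can check with the public (N, E)
    return sig is not None and pow(sig, E, N) == h(rr)

def rrset(name: str, ip: str) -> bytes:
    return f"{name} IN A {ip}".encode()

def resolve_first_match(qname: str, answers: list):
    """Non-validating resolver: the first answer for qname wins the race."""
    for ans in answers:
        if ans["name"] == qname:
            return ans["ip"]
    return None

def resolve_validating(qname: str, answers: list):
    """Validating resolver: an answer counts only if its RRSIG verifies under
    the zone's key; a forged answer for a signed name is bogus and discarded."""
    for ans in answers:
        if ans["name"] == qname and verify(rrset(qname, ans["ip"]), ans["rrsig"]):
            return ans["ip"]
    return None

QNAME = "www.example.test."
REAL_IP, FORGED_IP = "192.0.2.10", "203.0.113.99"
# The injector does not hold D, so its answer carries no verifiable RRSIG.
IN_FLIGHT = [
    {"name": QNAME, "ip": FORGED_IP, "rrsig": None},                      # arrives first
    {"name": QNAME, "ip": REAL_IP, "rrsig": sign(rrset(QNAME, REAL_IP))},
]

if __name__ == "__main__":
    print("no validation  ->", resolve_first_match(QNAME, IN_FLIGHT))
    print("with DNSSEC    ->", resolve_validating(QNAME, IN_FLIGHT))
```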
Certain administrative and operational changes — changing registrars, changing DNS servers and, if outsourced, DNS operators — have always had the potential to cause temporary name resolution failures. With some planning, usually involving lowering TTLs on some or all records in a zone in advance of the change, it has been possible to minimize if not obviate such failures.
DNSSEC adds complexity in that signatures also have lifetimes and some administrative and operational changes require re-keying. If not done correctly, such changes can cause signed zones to fail to validate — to go dark — for longer than desired or expected.
Internally, within the DNSSEC Deployment Coordination Initiative, we’ve described the goal as being a ripple-free transfer, and have made presentations on the topic (e.g., SATIN 2011 180KB PDF). Done properly, there is continuous, secure resolution throughout the process — no need to have a zone go unsigned/insecure or fail to validate at any point.
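As an added worked example (not from the Initiative's SATIN presentation), the timing arithmetic behind a ripple-free pre-publish ZSK rollover, following the intervals in RFC 6781; the TTLs, delays and dates are constructed values.

```python
"""Timing a ripple-free ZSK rollover (pre-publish method, RFC 6781 s4.1.1.1).
Added example, not from the Initiative's SATIN presentation: computes the
earliest safe time for each step so that no resolver ever holds an RRSIG and
a DNSKEY RRset that do not match. Durations are seconds; values constructed."""
from datetime import datetime, timedelta, timezone

def prepublish_zsk_schedule(start, dnskey_ttl, max_zone_ttl, d_prp, d_sgn):
    """d_prp: time for a new zone version to reach every authoritative server.
    d_sgn: time needed to re-sign the whole zone with the new key."""
    i_pub = d_prp + dnskey_ttl              # until all caches can see the new key
    i_ret = d_sgn + d_prp + max_zone_ttl    # until old-key RRSIGs have aged out
    t_publish = start
    t_activate = t_publish + timedelta(seconds=i_pub)
    t_retire = t_activate + timedelta(seconds=i_ret)
    return {"publish_new_dnskey": t_publish,   # add new ZSK, keep signing with old
            "sign_with_new_key": t_activate,   # re-sign the zone with the new ZSK
            "remove_old_dnskey": t_retire}     # old key may finally be dropped

def ttl_lowering_deadline(cutover, old_ttl):
    """A reduced TTL only takes effect once the old TTL has expired from caches,
    so the change must be made at least old_ttl before the event it cushions."""
    return cutover - timedelta(seconds=old_ttl)

def check_rollover(schedule, old_key_removed_at, old_sig_expiry):
    """The two mistakes that make a signed zone 'go dark' during a rollover."""
    problems = []
    if old_key_removed_at < schedule["remove_old_dnskey"]:
        problems.append("old DNSKEY removed while its RRSIGs can still be cached")
    if old_sig_expiry < schedule["remove_old_dnskey"]:
        problems.append("old-key RRSIGs expire before the rollover completes")
    return problems

# Constructed parameters: DNSKEY TTL 1h, longest zone TTL 1 day,
# 15 min to reach all secondaries, 10 min to re-sign the zone.
START = datetime(2012, 7, 1, tzinfo=timezone.utc)
EXAMPLE = prepublish_zsk_schedule(START, 3600, 86400, 900, 600)

if __name__ == "__main__":
    for step, when in EXAMPLE.items():
        print(f"{step:20s} {when.isoformat()}")
    # Removing the old key as soon as the new one signs is the classic mistake.
    print(check_rollover(EXAMPLE, EXAMPLE["sign_with_new_key"],
                         EXAMPLE["remove_old_dnskey"]))
```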
The H Open reports about a new, open-source (BSD license), DNSSEC-enabled DNS server:
An open source DNS name server that supports DNSSEC and is designed to be authoritative has been released by EURid, the European Registry of Internet Domain Names. YADIFA is intended to be a lightweight alternative to more established projects; the developers say it was “built from scratch to face today’s DNS challenges, with no compromise on security, speed and stability”.
We’ve recently reported on their becoming DNSSEC operational and their surpassing .COM in the number of signed zones. A couple of months back we lauded their excellent DNSSEC tutorial. We’ve also mentioned several of the tools ~~they’ve~~ NLNet Labs produced (NSD, Unbound, Dnssec-Trigger) when talking about labs and in our articles on adding DNSSEC validation to a $70 router and its performance.
[Correction 3 July 2012: Why the strikeout above? Olaf M. Kolkman of NLNet Labs points out that while SIDN and NLNet Labs have had a collaborative agreement since the beginning of this year, NSD, Unbound, and Dnssec-Trigger are products of NLNet Labs. We’re just happy that both SIDN and NLNet Labs are helping advance DNSSEC and don’t for one second want to confuse the two just because they’re both in The Netherlands! To further make things clear, neither SIDN nor NLNet Labs produce Koetjesreep, so don’t ask for a few bars. Thanks for the correction, Olaf!]
Now it’s time to let people know about one of their more technical articles,
Authenticated Denial of Existence in the DNS (277KB PDF). We ran across it while trying to debug some validation software.
The article tells the story behind why negative responses must be signed and how they can state with security and certainty that a name/resource record type combination does not exist. The article augments RFCs 4033, 4034, 4035, and 5155.
It provides the kinds of additional information, in narrative and graphic form, that help with understanding. If you want to know how authenticated denial of existence works, check out the article.
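As an added example (not code from the NLNet Labs article), a small model of what an NSEC chain proves: it sorts a constructed zone into RFC 4034 canonical order, links each name to the next, and classifies a negative answer as NXDOMAIN, NODATA or unproven. Signatures over the NSEC records are assumed to have been validated; wildcard and empty-non-terminal handling is omitted.

```python
"""Authenticated denial of existence with NSEC (RFC 4034/4035).
Added example, not from the NLNet Labs article: builds the NSEC chain of a
small constructed zone and checks what a negative answer proves. The RRSIGs
over the NSEC records are assumed to have been validated already; wildcard
and empty-non-terminal cases are left out for brevity."""

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 canonical order: labels compared right to left, lowercased."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()

def build_nsec_chain(zone: dict) -> list:
    """zone maps owner name -> set of RR types present at that name.
    Returns (owner, next_owner, type_bitmap) triples; the last NSEC points
    back to the apex, closing the chain."""
    names = sorted(zone, key=canonical_key)
    return [(owner, names[(i + 1) % len(names)], zone[owner] | {"NSEC", "RRSIG"})
            for i, owner in enumerate(names)]

def covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next, i.e. this NSEC
    proves no such name exists. The last record wraps around to the apex."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n   # wrap-around: everything after owner or before apex

def deny(chain: list, qname: str, qtype: str) -> str:
    """What the NSEC chain proves for a qname/qtype pair."""
    apex = canonical_key(chain[0][0])      # apex sorts first in canonical order
    if canonical_key(qname)[:len(apex)] != apex:
        return "OUT OF ZONE"
    for owner, nxt, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            return "NODATA" if qtype not in types else "EXISTS"
        if covers(owner, nxt, qname):
            return "NXDOMAIN"
    return "NO PROOF"

# Constructed zone content (owner name -> RR types present).
ZONE = {
    "example.": {"SOA", "NS", "DNSKEY"},
    "alpha.example.": {"A", "AAAA"},
    "beta.example.": {"A"},
    "www.example.": {"CNAME"},
}
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    for q, t in [("gamma.example.", "A"), ("alpha.example.", "MX")]:
        print(q, t, "->", deny(CHAIN, q, t))
```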
Webwereld’s story about DNSSEC adoption in .NL describes how, with under five million domains, .NL has almost 12,000 using DNSSEC — more than the number of DNSSEC-enabled domains in .COM.
The first root server (L) has started to serve up a signed version of the root zone. This is the first step in the live testing that will lead to a production signed root by the middle of the year. For information on the status of the root signing process visit: http://www.root-dnssec.org/
The root is intentionally publishing bogus signing keys, so the answers are not verifiable. Once the testing completes the actual keys will be published.
Current DNSKEY set advertised:
. 86400 IN DNSKEY 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
. 86400 IN DNSKEY 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
. 86400 IN RRSIG DNSKEY 8 0 86400 20100204235959 20100121000000 19324 . NO9bHgWYB3wQlVZXQKwDGUjTgIyfz1i8aWH8nBlT5isnYbr6PTfR4fWlSx8+avFfR0fVekauaQelKOyiUav4H9Y1AZ2OBguu7RjozQu1qErKboWd1NglIIOGar0Ol4Ur9+
Adding to our compilation of observers who’ve put DNSSEC on their lists of 2010 trends to watch, Government Computer News has put DNSSEC on its list of 10 Technologies to Watch in 2010. Noting that the DNS security extensions “add an important level of assurance,” the article noted:
Leading by example, the U.S. government has helped to spur adoption. Following disclosure last year of a serious vulnerability in the DNS protocols, the Office of Management and Budget mandated that the dot-gov top-level domain be signed in 2009 and that agencies sign their secondary domains by the end of that year.
eWeek Europe’s look at the December attack that took down Twitter suggests that businesses need a stronger focus on DNS security, and includes this reminder about DNSSEC from Rick Howard, director of security intelligence at VeriSign iDefense:
“Basic DNS monitoring is sorely lacking,” he continued. “While enterprises may monitor DNS availability, and are increasingly aware of DDoS [distributed denial of service] attacks targeting domain name servers, simple monitoring for DNS integrity is often overlooked. Enterprises should also pay attention to the rollout of DNSSEC, which mitigates some attacks, but is not yet widely available.”
The attack used “legitimate credentials to log in and redirect Twitter.com to a site purporting to be under the control of the Iranian Cyber Army,” the article notes.