Multiple DNS implementations vulnerable to cache poisoning
David Conrad
drc at virtualized.org
Wed Jul 9 19:30:08 UTC 2008
On Jul 9, 2008, at 10:39 AM, <michael.dillon at bt.com> <michael.dillon at bt.com
> wrote:
>>> Pressure your local ICANN officers?
>> Mmph. https://ns.iana.org/dnssec/status.html
>> (it's out of ICANN's hands)
>
> Huh!?
> ...
> It sounds like ICANN has the matter well in hand to me given
> that it is only responsible for the common central bit of the
> DNS system.
Two answers:
1) The term 'signing the root' means a whole lot more than running
dnssec-signzone over zone data. Specifically, the URL I provided
shows that IANA is _already_ signing the root (more or less) and has
been for over a year -- IANA actually has a _very_ elaborate and
secure infrastructure (including multiple FIPS 140-3 hardware security
modules, air gaps, physical security, and all sorts of other stuff)
for root signing. The fact that root zone data you receive from the
root servers is not signed may suggest that there is a bit more that
needs to be done and pretty much all of that is NOT something ICANN
has direct control over.
2) You are exactly right when you say:
> The rest of the job is everyone's problem.
Getting DNSSEC to be more than an academic exercise requires BOTH
folks signing zones that form an unbroken chain of trust up to a trust
anchor configured in validating name servers AND for the operators of
those validating name servers to enable DNSSEC. Most of the thrust to
date has been on one half of that requirement. How many ISPs
represented here are in a position to turn on DNSSEC validation? How
many are even running caches that are capable of doing DNSSEC?
For DNSSEC to actually be useful, I suspect somebody needs to write
software that provides the user with some indication other than a
timeout that a name validation failed, but that's a separate issue.
Regards,
-drc
More information about the NANOG
mailing list