DNS inventor decries security in-fighting

IETF is a debating society, chides Mockapetris.

Years of in-fighting over the DNSSEC standard have left Internet users unnecessarily exposed to malware.

That's according to DNS (Domain Name System Security Extension) inventor, Paul Mockapetris, who said that the 15 years in which the DNSSEC standard was debated by the IETF was far too long-winded a process and meant that security issues in the standard DNS infrastructure had not been addressed. He added that the Kaminsky flaw identified earlier this year was an example of the vulnerabilities in the infrastructure.

Dr Mockpetris, chairman of Nominum, said that when he wrote DNS back in the 80s, security was intentionally left out, with the idea that it would be added later. He said that while DNSEC had now reached its final stages, there still was no mass take-up of the standard.

"So far only Sweden and Puerto Rico have signed up to implement DNSSEC," he said.

He pointed that the one of the main problems facing organisations wanting to implement was the complexity. He said that much of the discussion on DNSSEC had taken place at techie level - "it's for what I call the people in the white coats" - and that had yet to moved to a wider world, preventing organisations from adopting it.

"You tell them that one of the things you have to do is set up a Perl script and run a CRON job - that's like talking a different language to them, " he said.

He said that not only had the Kaminsky flaw highlighted the vulnerability of DNS itself, but that there was the additional problem that too many servers are misconfigured. "We know that about half of all DNS servers have not been set up properly," he said. This was endorsed by the findings of Infoblox whose survey last week found that 10 percent of DNS servers have known vulnerabilities.

Mockpetris said that Nominum was tackling DNS security by implementing its own architecture, TRUE. He said that this would be based on the company's own DNS server Centris and an additional feature MDR (malicious domain redirection).

He said that the new architecture, which was being deployed by Colt Italy to prevent access to illegal gambling and child pornography sites, would considerably enhance the security offered by service providers. "It's not perfect," he said, "but it does offer considerably more protection and will help the providers support their own users."

He said that on the whole DNS was holding up well. "When I designed DNS, I was expecting to support about 50m servers, it now has more than one billion. Even allowing for the factor of six that engineers will allow for, that's many times more than I was expecting."

Mockapetris said that DNSEC should extend the life of the technology but was cognisant of the fact that it wouldn't last for ever. "If you want to be remembered for 200 years, write music not software," he added wryly.


Show Comments