Experts accuse Bush Administration of foot-dragging on DNS security hole

Despite a recent high-profile vulnerability that showed the net could be hacked in minutes, the domain name system — a key internet infrastructure — continues to suffer from a serious security weakness, thanks to bureaucratic inertia at the U.S. government agency in charge, security experts say.

If the complicated politics of internet governance continue to get in the way of upgrading the security of the net’s core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House.

“The National Telecommunications and Information Administration, an agency of the Department of Commerce, is the show-stopper here,” Woodcock said.

At issue is the trustworthiness of the domain name system, or DNS, which serves as the internet’s phone book, translating queries such as wikipedia.org into the numeric IP address where the site’s server lives.

Just weeks ago, security researcher Dan Kaminsky announced he’d discovered a way for hackers to feed fake info into DNS listings, which would allow hackers to redirect web traffic at will — for example, routing every person attempting to log in to the Bank of America to a fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for the net’s name servers to make the attack more difficult. But security experts, and even the NTIA, say those patches are just temporary fixes; the only known complete fix is DNSSEC — a set of security extensions for name servers.

Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on a letter. The push for DNSSEC has been ramping up over the last few years, with four regions — including Sweden (.SE) and Puerto Rico (.PR) — already securing their own domains with DNSSEC. Four of the largest top-level domains, .org, .gov, .uk and .mil, are not far behind.

But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called “root file” with a public-private key pair. Otherwise, an attacker can undermine the entire system at the root level, like cutting down a tree at the trunk. That’s where the politics comes in. The DNS root is controlled by the Commerce Department’s NTIA, which thus far has refused to implement DNSSEC.

The NTIA brokers the contracts that divide the governance and top-level operations of the internet between the nonprofit ICANN and the for-profit VeriSign, which also runs the .com domain.

“They’re the only department of the government that isn’t on board with securing the Domain Name System, and unfortunately, they’re also the ones who Commerce deputized to oversee ICANN,” Woodcock said.

“The biggest difference is that once the root is signed and the public key is out, it will be put in every operating system and will be on all CDs from Apple, Microsoft, SUSE, Freebsd, etc,” says Russ Mundy, principal networking scientist at Sparta, Inc, which has been developing open-source DNSSEC tools for years with government funding. He says the top-level key is “the only one you have to have, to go down the tree.”

A European networking group known as RIPE called in June 2007 for the root to be signed, with Swedish and British representatives echoing the call in October. But NTIA is not moving quickly enough to sign the root, given the looming threat, even after the final technical problems have been resolved, according to Woodcock and others.

“A few years ago, there were still technical hurdles to actually signing and using DNSSEC, but in the past few years, a lot of software tools, both commercial and open-source, have come out, and now it’s a completely solved problem,” Woodcock said. “All that’s left is the far less tractable, purely political problem.”

“Arguing over who gets to hold the cryptographic keys in the long run [should] wait until we’re not facing a critical threat,” Woodcock said.

But the NTIA insists it is moving at just the right pace.

“We are committed to taking no action that would have the potential to adversely affect the operational stability of the DNS,” says spokesman Bart Forbes. “While there is increasing pressure to secure the DNS, NTIA must work with all stakeholders and consider all possible solutions.”

Olaf Kolkman, a Dutch networking expert, says there’s no time to waste. The only way for DNSSEC to work is for the top-level zone file — which lists the specifics for top-level domains like .gov — to be signed by a trusted authority.

“Currently DNSSEC is the only mechanism known to protect against the Kaminsky attack,” Kolkman said. “It is not clear that other solutions will provide the same level of protection as DNSSEC.”

Without such extensions, a hacker eager for trade secrets could hijack the DNS listing for Apple’s e-mail server and insert the number for a server he controls instead. He could then keep a copy of every message sent to the company and forward them all. No one would likely be any wiser until a human looked closely at the mail headers.

Still, even DNSSEC’s most fervent backers admit that signing the root won’t instantly secure the net. Installing the extensions internet-wide will be costly and time-intensive, but proponents say that getting the root signed will turbocharge the process.

The Internet Assigned Numbers Authority — which coordinates the internet — has been prototyping a system to sign the root-zone file for the last year, but they can’t do the same for the internet’s top servers without approval from the Department of Commerce.

That’s where the rub is, according to Kolkman.

“Then the issue becomes political because there seems to be the perception that the introduction of a key guardian changes the current policies,” Kolkman said.

That could also simplify how top-level zone files are created, according to Richard Lamb, a technical expert at IANA. Currently companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval, before they’re forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.

“We would want to bring the editing, creation and signing of the root zone file here,” to IANA, Lamb said, noting that VeriSign would likely still control distribution of the file to the root servers, and that there would be a public consultation process to confirm the change was right for the net.

But changing that system could be perceived as reducing U.S. control over the net — a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations, and its push to control the root-zone file could push the U.S. to give more control to VeriSign, experts say.

VeriSign did not respond to a request for comment, but its CTO said earlier this year that it was creating its own root-zone file-signing test bed.

The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.

Woodcock isn’t buying the assurances of NTIA that it is simply moving deliberatively.

“If the root isn’t signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective,” Woodcock said. “You have to follow the chain of signatures down from the root to the top-level domain to the user’s domain. If all three pieces aren’t there, the user isn’t protected.”
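The chain Woodcock describes, root to top-level domain to the user’s domain, can be modelled in a few dozen lines. The following Go program is an added example, not code from the article, IANA, VeriSign or any DNSSEC implementation: each zone holds a key pair, a parent vouches for a child by publishing a signed SHA-256 digest of the child’s key (the role a DS record plays), and the zone at the bottom signs its own answers. It uses Ed25519 from Go’s standard library rather than the DNSSEC wire formats, and the zone names, the mail-server record and the 192.0.2.10 address are constructed for the example. The validator fails closed, so an unsigned root (no trust anchor), a missing delegation or a substituted record all produce an error rather than an answer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DS is a parent-published SHA-256 digest of a child zone's public key, signed by the parent.
type DS struct {
	Digest [32]byte
	Sig    []byte
}

// Record is one answer (here a mail server address) signed by the zone that owns it.
type Record struct {
	Value string
	Sig   []byte
}

// Zone holds a key pair, the delegations it has signed (keyed by child name) and its own records.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	DS      map[string]DS
	Records map[string]Record
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string]DS{}, Records: map[string]Record{}}
}

// What gets signed: a DS binds a child name to a key digest, a record binds a name to a value.
func dsMsg(child string, d [32]byte) []byte { return []byte("DS|" + child + "|" + hex.EncodeToString(d[:])) }
func rrMsg(name, value string) []byte      { return []byte("RR|" + name + "|" + value) }

// Delegate vouches for child: z publishes a digest of child's key, signed with z's own key.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.Pub)
	z.DS[child.Name] = DS{Digest: d, Sig: ed25519.Sign(z.priv, dsMsg(child.Name, d))}
}

// Publish adds a record to z, signed with z's key.
func (z *Zone) Publish(name, value string) {
	z.Records[name] = Record{Value: value, Sig: ed25519.Sign(z.priv, rrMsg(name, value))}
}

// Validate walks chain (root first, owner of name last) from the trust anchor and fails closed:
// no anchor, a missing DS, a digest mismatch or a bad signature anywhere means the answer is untrusted.
func Validate(anchor ed25519.PublicKey, chain []*Zone, name string) (string, error) {
	if len(anchor) == 0 {
		return "", errors.New("no trust anchor: the root is unsigned, so nothing below it can be validated")
	}
	if len(chain) == 0 || !bytes.Equal(anchor, chain[0].Pub) {
		return "", errors.New("root key does not match the configured trust anchor")
	}
	key := anchor // the public key validated so far
	for i := 0; i+1 < len(chain); i++ {
		parent, child := chain[i], chain[i+1]
		ds, ok := parent.DS[child.Name]
		if !ok {
			return "", fmt.Errorf("%q publishes no DS for %q: the chain of signatures is broken", parent.Name, child.Name)
		}
		if !ed25519.Verify(key, dsMsg(child.Name, ds.Digest), ds.Sig) {
			return "", fmt.Errorf("DS for %q in %q has a bad signature", child.Name, parent.Name)
		}
		if sha256.Sum256(child.Pub) != ds.Digest {
			return "", fmt.Errorf("key of %q does not match the DS published by %q", child.Name, parent.Name)
		}
		key = child.Pub
	}
	// A missing record has an empty signature, which Verify rejects like a forged one.
	rec := chain[len(chain)-1].Records[name]
	if !ed25519.Verify(key, rrMsg(name, rec.Value), rec.Sig) {
		return "", fmt.Errorf("no validly signed record for %q: missing or forged", name)
	}
	return rec.Value, nil
}

// BuildExample sets up root -> test. -> example.test. with one mail server record (constructed data).
func BuildExample() (root, tld, site *Zone) {
	root, tld, site = NewZone("."), NewZone("test."), NewZone("example.test.")
	root.Delegate(tld)
	tld.Delegate(site)
	site.Publish("mail.example.test.", "192.0.2.10")
	return root, tld, site
}

func main() {
	root, tld, site := BuildExample()
	chain := []*Zone{root, tld, site}
	fmt.Println(Validate(root.Pub, chain, "mail.example.test.")) // 192.0.2.10 <nil>
	fmt.Println(Validate(nil, chain, "mail.example.test."))      // error: no trust anchor
}
```

Passing `nil` as the anchor is the unsigned-root case: the validator has nothing to start from, so even a perfectly signed .test and example.test cannot be checked, which is exactly Woodcock’s “if all three pieces aren’t there” point.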


DNS hacked again

Amit Klein recently released details on DNS server cache poisoning attacks that affect both BIND (Berkeley Internet Name Domain) and Windows DNS servers. It goes to show that every time you think a problem with a well-known protocol or service has been solved, it may not be.

DNS has been with us since 1983, nearly as long as the Internet. And although DNS RFCs have come and gone, DNS is still very similar to its original specifications. Certainly it has grown in feature set and complexity, but it still has the same underlying security problems it did when it was invented by Paul Mockapetris. The biggest problem is the lack of default authentication. Several security mechanisms have been created for DNS with varying degrees of success (and failure) to solve the authentication problem, but it is still relatively easy to fake a DNS packet to either a DNS server or an unwitting client.

Klein’s last find involved two discoveries, both of which allow important parts of a DNS server packet to be forged with trivial effort. The first implementation error involves the DNS UDP source port. Although it should be randomized to prevent forging, it turns out that the source port never changes the whole time the DNS server is up and running. The second, and more important, problem is the trivial predictability of the transaction ID value. Both errors allow DNS server packet information to be predicted and forged.

An attacker can send a malicious Web page link and induce an end-user to click on the link. The clicked link sends off a DNS client query, which can be forged, sending the end-user to a bogus location. DNS has been found vulnerable in the same way before. In fact, Klein laments, “It is saddening to realize that 10-15 years after the dangers of predictable DNS transaction ID were discovered” that DNS software is still susceptible to transaction ID exploitation.
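From the defender’s side, the two defects are easy to check for once you have a capture of your resolver’s outbound queries. The Go program below is an added example, not code from Klein’s advisory or from any DNS server; `QueryObs`, `Assess` and the two sample generators are its own names, and both captures are constructed in the code rather than taken from a real server. It scores a capture for exactly the two symptoms the article names, a source port that never changes and a transaction ID that counts up by one, and reports a conservative lower bound on how many values an off-path forger would have to cover. It does not test for other kinds of predictability, so a clean score here is necessary, not sufficient.

```go
package main

import (
	"fmt"
	"math"
)

// QueryObs is one outbound query as seen on the wire from a recursive
// resolver: the UDP source port and the 16-bit DNS transaction ID.
type QueryObs struct {
	SrcPort uint16
	TxID    uint16
}

// Assessment summarises how much an off-path forger would have to guess.
type Assessment struct {
	DistinctPorts  int
	DistinctTxIDs  int
	PortFixed      bool    // first defect in the article: one port for the server's lifetime
	TxIDSequential bool    // second defect: transaction IDs that simply count up
	GuessSpaceBits float64 // conservative log2 lower bound of values a forger must cover
}

// Assess checks a capture for the two defects described above. The bound is
// computed from what the sample actually varied, so a short capture
// under-reports a good resolver; a fixed port or counting TxIDs always scores 0 bits.
func Assess(obs []QueryObs) Assessment {
	var a Assessment
	if len(obs) < 2 {
		return a
	}
	ports, ids := map[uint16]bool{}, map[uint16]bool{}
	increments := 0
	for i, o := range obs {
		ports[o.SrcPort] = true
		ids[o.TxID] = true
		if i > 0 && o.TxID == obs[i-1].TxID+1 { // uint16 arithmetic wraps at 65535
			increments++
		}
	}
	a.DistinctPorts, a.DistinctTxIDs = len(ports), len(ids)
	a.PortFixed = a.DistinctPorts == 1
	a.TxIDSequential = float64(increments)/float64(len(obs)-1) >= 0.9
	if !a.PortFixed {
		a.GuessSpaceBits += math.Min(16, math.Log2(float64(a.DistinctPorts)))
	}
	if !a.TxIDSequential {
		a.GuessSpaceBits += math.Min(16, math.Log2(float64(a.DistinctTxIDs)))
	}
	return a
}

// VulnerableSample is a constructed capture shaped like the flaw in the article:
// the source port never changes and the transaction ID counts up by one.
func VulnerableSample() []QueryObs {
	obs := make([]QueryObs, 32)
	for i := range obs {
		obs[i] = QueryObs{SrcPort: 1053, TxID: uint16(1000 + i)}
	}
	return obs
}

// RandomizedSample is a constructed capture from a resolver that varies both
// fields. A fixed coprime stride keeps it deterministic; it only needs to avoid
// the two defects this check looks for, not to be cryptographically random.
func RandomizedSample() []QueryObs {
	obs := make([]QueryObs, 64)
	for i := range obs {
		obs[i] = QueryObs{
			SrcPort: uint16(1024 + (i*7919)%60000),
			TxID:    uint16((i * 40503) % 65536),
		}
	}
	return obs
}

func main() {
	fmt.Printf("vulnerable: %+v\n", Assess(VulnerableSample())) // PortFixed:true TxIDSequential:true GuessSpaceBits:0
	fmt.Printf("randomized: %+v\n", Assess(RandomizedSample())) // 64 distinct ports and IDs, GuessSpaceBits:12
}
```

The bound is deliberately pessimistic: 64 queries can only prove 6 bits per field, and a longer capture of a well-behaved resolver pushes the estimate toward the 16 bits per field that port and ID randomization can deliver, whereas the vulnerable capture stays at zero no matter how long it runs.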

Klein reported his findings to BIND’s caretakers, the Internet Software Consortium (ISC), in late May and to Microsoft in April. Both the ISC and Microsoft have released patches or updated software. Thanks are due to Amit Klein for his research and responsible disclosure.

Overall, Microsoft’s DNS implementation has been relatively secure. The last major security update to Windows DNS was in Windows 2000 SP2 and SP4, as well as Windows Server 2003 (nearly five years ago). BIND is the most popular version of DNS server software used on the Internet, and its overall security track record has been a bit more active over the years, as one would expect with more popular software. BIND versions 8.x and 9.x have had at least six different vulnerabilities published.

The most secure version of DNS is considered djbdns, named after its author, Dr. Dan J. Bernstein, one of the most prominent voices for security over functionality in computer software. Although djbdns (also known as tinydns for one of its daemons) is not nearly as functional as Windows DNS or BIND, it is run by some of the world’s largest companies. Dr. Bernstein claims that more than 1.8 million .com addresses use djbdns. And though Dr. Bernstein has been offering a $500 reward to anyone who can find an error in its 7,000 instructions, there has yet to be a successful claim. Unfortunately, djbdns is built only for Unix and could not be used efficiently to support an Active Directory domain.

Besides making sure your DNS servers are running up-to-date versions of DNS, I think Klein’s findings bring up another interesting point. Open source advocates are always touting how open source software allows programming and security bugs to be found faster than with closed source software. It certainly makes sense: there’s source code to review, and more eyeballs to review it. But as Klein’s research shows, it doesn’t make that much of a difference. In the 10 to 15 years that have gone by, nobody (publicly) found the bugs in either the closed source or open source versions inherently faster. Both errors went undetected for more than a decade until one person got interested in the research.

There are dozens of cases just like this, where open source bugs remained unfound for a decade or more, until one lone individual on their own personal quest did some digging. You can look at any of the popular protocols (such as SMTP, SNMP, HTTP, FTP, ASN.1, and so on) and find vulnerabilities that went undiscovered for over a decade. Heck, people are still finding problems in IPv4 packets that have been around for 20-odd years. And as far as I can tell, whether or not the product was open source didn’t really play a part in the finding or the fix, although the open source fixes are consistently coded faster once the problem is located. What mattered most was a single person (or company) that cared enough to investigate. To the responsible bug disclosure people, I salute you!



Copyright © 2009 Red Canyon Ltd. All rights reserved.
