×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Kaminsky Bug Options Include "Do Nothing," Says IETF

timothy posted more than 5 years ago | from the doing-stuff-is-overrated dept.

Security 134

netbuzz writes "Meeting in Minneapolis this week, the Internet engineering community is debating whether to aggressively fashion and apply fixes for the so-called Kaminsky bug in the DNS discovered this summer, or to simply let its threat stand as motivation for all to move with greater speed toward DNSSEC, which is considered the best long-term security solution. Problem with the latter approach is that DNSSEC has been in the works for a decade already, no one is confident it will be universally embraced, and the Kaminsky flaw is causing real problems today.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

134 comments

DNS (5, Funny)

Anonymous Coward | more than 5 years ago | (#25838233)

TMBG37 GOES TO THE MARKET
        -or-
DNS for fucking idiots.
(NONE LIKE IT HOT!)
 
1. TMBG37 tries to go to www.dildomall.com with his browsar.
        a. His local machine checks if he's been there recently
          and if it remembers the IP address.
        b. Let's assume (big assumption people), that TMBG37
          hasn't been buying any rubbery cocks of late (ha!),
          his computar connects to its local nameserver.
                --> HELO MISTAR NAMESERVAR
                <-- Oh fuck it's you :(
                --> WHERE DO I BUY DILDOES?
                <-- Shit kid I don't even want involved with that.
                --> GIVE ME ADDRESS FOR www.dildomall.com!!!!!
                <-- Fuck you. But fine, its nameserver is
                    ns1.bunghole.org, which is 69.69.69.69.
                --> THANK YOU SIR
        c. His computer goes on to pester ns1.bunghole.org, via
          its IP address, which it got from the local nameserver.
                --> OMG R U ns1.bunghole.org?
                <-- Oh christ, I've heard about you :(
                --> OMG PLZ WHAT IS www.dildomall.com !!!!?
                <-- Leave me alone.
                --> PLXX?????
                <-- It's 37.37.37.37
                --> OMG HHLUAHGLAUHGALUHGUH *SUCKING DICK*
2. TMBG37 goes on to happily penetrate his anus with a dildo
  bought from www.dildomall.com, with the IP address 37.37.37.37.
  There are HTTP/1.1 issues involved here if it is using virtual
  hosting, but that's NEITHER HERE NOR THERE.

Re:DNS (2, Informative)

lukas84 (912874) | more than 5 years ago | (#25838673)

It looks like you mixed up the resolver and the client.

Re:DNS (1)

kayditty (641006) | more than 5 years ago | (#25840049)

and he doesn't seem to understand recursion, either.

Re:DNS (5, Funny)

pleappleappleap (1182301) | more than 5 years ago | (#25840791)

To know recursion, you must first know recursion.

Re:DNS (2, Funny)

superdave80 (1226592) | more than 5 years ago | (#25840929)

Consider my mind officially blown.

Re:DNS (0)

Anonymous Coward | more than 5 years ago | (#25841361)

If you think Fibbonacci is bad, try the Ackermann function! :) Or, more realistically, or traverse Graphs and Trees or utilize Netwon's method and Simpson's rule!

DNS to slashdot has been hacked .... (2, Funny)

cullenfluffyjennings (138377) | more than 5 years ago | (#25838265)

and I am reading the wrong site. The aliens can return the real slashdot now. Surely IETF would never choose to "Do Nothing" :-)

Re:DNS to slashdot has been hacked .... (1)

jd (1658) | more than 5 years ago | (#25842851)

They haven't "done nothing" - they specified an Evil Bit that attackers are required (by spec) to set. If attackers are failing to set the Evil Bit, it isn't the IETF's fault. That's an implementation issue.

sounds familiar (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25838353)

this is somewhere along the lines of not having a secure os and recommending everyone to use an antivirus, a firewall, antimalware and antiphishing.

as far as i understand IETF = Internet Explorer does anyone know what TF stands for?

Re:sounds familiar (1)

tpwch (748980) | more than 5 years ago | (#25838443)

this is somewhere along the lines of not having a secure os and recommending everyone to use an antivirus, a firewall, antimalware and antiphishing.

as far as i understand IETF = Internet Explorer does anyone know what TF stands for?

It stands for Internet Engineering Task Force, it has nothing to do with Internet Explorer.

You can read about them on wikipedia. [wikipedia.org]

Re:sounds familiar (2, Funny)

jacquesm (154384) | more than 5 years ago | (#25839065)

*whoosh*...

You really should have your humor circuits checked you know ?

YHBT

Re:sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#25839291)

Kettle, thou art black! Because if that was a joke, it was a complete failure.

Re:sounds familiar (1)

jacquesm (154384) | more than 5 years ago | (#25839365)

oh come on. Internet Explorer Task Force, and then a whole bunch of guys falling over each other to spell out what IETF stands for (As if there is anybody here that doesn't know that. What ? oh, ok... well, never mind then ;) )

Re:sounds familiar (1)

CecilPL (1258010) | more than 5 years ago | (#25839555)

You mean the International Essential Tremor Foundation? Did I miss something?

Re:sounds familiar (1)

hairyfeet (841228) | more than 5 years ago | (#25840439)

I thought it was Internet Explorer Trojan Foundation. And you have to admit that foundation HAS been working overtime, considering how quickly you get a Trojan if you use Internet Explorer. Now THAT is what I call service!

Re:sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#25840867)

You mean the Internal Explorer Trojan for Fucking?

Re:sounds familiar (3, Funny)

mellon (7048) | more than 5 years ago | (#25841895)

Trust me, there's very little need for Trojans at a typical IETF meeting.

Re:sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#25838839)

(I'm a different AC.)

Heavens, you read and post on Slashdot and know neither what the IETF is nor how to google for the term?

Turn in your geek certificate immediately!

So what powers does the IETF have on this? (2, Interesting)

Vellmont (569020) | more than 5 years ago | (#25838385)

I'm trying to figure out exactly what they're deciding. Yes, I understand it's a discussion about "upgrade to DNSSEC" vs. "implement the hacks". But these guys don't control the internet, and my understanding is they only make "recommendations", which nobody is obliged to follow.

So exactly what exactly are these guys debating about "doing"? Is it really just "recommend DNSSEC" or "recommend the hack"?

Re:So what powers does the IETF have on this? (4, Interesting)

JCSoRocks (1142053) | more than 5 years ago | (#25838481)

On top of that, recommending DNSSEC is starting to sound like recommending that everyone start playing Duke Nukem Forever.

No one likes patching sinking ships but it's better than nothing. Doing nothing and waiting for DNSSEC are nearly the same thing.

Re:So what powers does the IETF have on this? (1)

timeOday (582209) | more than 5 years ago | (#25838759)

Unlike Duke Nukem Forever, DNSSEC actually exists [wikipedia.org] , and from what I gather, the main problem is getting people to adopt it. If so, inventing some other more secure upgrade to DNS really is a waste of time (unless it's somehow easier to adopt than DNSSEC). It would amount to wishing away the problem of mass adoption.

Re:So what powers does the IETF have on this? (2, Informative)

TheRaven64 (641858) | more than 5 years ago | (#25838933)

The big problem is that most of the TLDs don't support DNSSEC (not sure if the root servers do, but I think they started a little while ago). This means that, even if you want to use DNSSEC, you can't, because the chain from the root to you is insecure and there is no chain of trust to you, so you gain nothing.

Re:So what powers does the IETF have on this? (2, Insightful)

timeOday (582209) | more than 5 years ago | (#25839273)

The big problem is that most of the TLDs don't support DNSSEC (not sure if the root servers do, but I think they started a little while ago).

Well, they don't support some other as-yet-nonexistent alternate security fix for the Kaminsky Bug, either.

Re:So what powers does the IETF have on this? (3, Informative)

Zero__Kelvin (151819) | more than 5 years ago | (#25840203)

From the Wiki article you link to:

It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

  1. Devising a backward-compatible standard that can scale to the size of the Internet
  2. Preventing "zone enumeration" (see below) where desired
  3. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients)
  4. Disagreement among key players over who should own the .com (etc) root keys
  5. Overcoming the perceived complexity of DNSSEC and DNSSEC deployment

Some of these problems are in the process of being resolved, and deployments in various domains have begun to take place.

I guess we have different definitions of "exists", unless you mean it exists as a list of as yet unsolved problems.

Re:So what powers does the IETF have on this? (2, Informative)

superdave80 (1226592) | more than 5 years ago | (#25840963)

Ummm, it does exist. It just hasn't been deployed, due to the issues listed.

Car analogy alert:
I have my car (DNSSEC) sitting in the garage. It exists.

I want to drive (deploy) it, but my wife, teenage kids and I are all arguing over who gets to drive, where we are driving to, and what route we are going to take.

Hell, your own post states it:

...and deployments in various domains have begun to take place.

Re:So what powers does the IETF have on this? (1)

Zero__Kelvin (151819) | more than 5 years ago | (#25841093)

With all due respect your analogy is quite horrible. Allow me to remap it to reality

"I have my car (DNSSEC) sitting in the garage. It exists."

We have a national highway designed to permit or deny traffic based on road signs, traffic laws, and traffic law protocol and the police as a kind of ICMP.

"I want to drive (deploy) it, but my wife, teenage kids and I are all arguing over who gets to drive, where we are driving to, and what route we are going to take."

The entire country, nay the entire world, would like to switch over to a system where RFID devices and sensors are used to perform the function. How will we make the transition without blocking major interstates and similar routes from the first day of transition through to its completion?

Re:So what powers does the IETF have on this? (3, Informative)

lysergic.acid (845423) | more than 5 years ago | (#25841285)

you need to work on your reading comprehension skills.

DNSSEC exists plain and simple. it's already been deployed for a lot of domains and root nameservers. just because there are difficulties hampering its widespread adoption doesn't mean it doesn't exist. that's like saying IPv6 doesn't exist because it's still suffering from a lack of widespread adoption.

none of the factors preventing more widespread deployment are problems that need "solving." in fact, they're more social/political problems than they are technical problems. so the "solution" to these problems is simply to persuade/pressure/coerce DNS servers to adopt DNSSEC, which is what IETF is debating about.

  1. backward-compatibility may be difficult to maintain, but this is a transitional problem, and it's not a real technical barrier to adoption at this point. BIND 9.3 (several older versions are compatible as well) officially supports DNSSEC, so does NSD [wikipedia.org] , and Nominum's ANS [wikipedia.org] and CNS [wikipedia.org] . the fact of the matter is, there are tons of domains already using DNSSEC [xelerance.com] without issue.
  2. the zone enumeration issue has already been solved with NSEC3 (RFC 5155 [ietf.org] ) released in March--which you'd already know if you'd read the rest of that Wiki article.
  3. this is a logistical problem that every new technology/protocol/standard faces. the main issue here is the last-mover advantage. nobody wants to be the first to adopt a new standard when there's no financial incentive to do so. but somebody has to go first. and at this point there is already a wide variety of software, prototype systems [net-dns.org] & tools [dnssec-tools.org] available for implementing DNSSEC with little to no risk involved.
  4. this is purely a political issue, and it has more to do with the U.S.'s monopolistic control over the DNS system than DNSSEC. perhaps if ICANN acted more impartially instead of getting in bed with Verisign and other commercial corporations we wouldn't have political BS hindering technological progress. in any case, this is an ICANN problem and could be solved by organizational reforms to make ICANN operate with more transparency and give other nations a voice in domain name management.
  5. the perception of DNSSEC being too complex or difficult to adopt is just that--a problem with public perception. IETF is working on resolving this problem through education and training, which are on their deployment road map. there's a lot of good free resources out there to help ease others through this transitions and dispel false perceptions [dnssec.net] .

Re:So what powers does the IETF have on this? (0)

Anonymous Coward | more than 5 years ago | (#25842839)

Don't forget the part where you need to sign all of your DNS zones every 15-30 days, bloat your DNS zone files considerably, restructure your zone directory/file layout, set up a second cron job on another server to check that your first zone signing cron job is working, the possibility of having your domain go offline for all DNSSEC enabled resolvers if your automatic key signing silently fails, and the fact that you have to trust ISC's "domain lookaside validation" as an alternate trust heirarchy since the root level zones aren't signing any keys.

ISC is trying to ram this down people's throats. Come up with something good and people will gladly migrate to it without all the scare tactics. Just install a djbdns caching server and you'll be fine. Seriously.

Re:So what powers does the IETF have on this? (2, Interesting)

mrsbrisby (60242) | more than 5 years ago | (#25840977)

If so, inventing some other more secure upgrade to DNS really is a waste of time (unless it's somehow easier to adopt than DNSSEC).

Like for example, dnscurve [dnscurve.org] , which requires very little effort to set up, is actually backwards compatible with DNS, protects against some denial of service attacks (instead of creating them), and oh yeah doesn't require the cooperation of the parent zone.

DNSSEC is a joke. A bad bad joke. Replacing DNS with something not-DNS isn't any better an idea than replacing the Internet with something not-Internet. It's 2008 and there are still sites without MX records. You simply cannot "replace" all of the Internets all at once. It just doesn't work. Someone needs to take away the ISC's talking privileges until they stop fucking things up.

Re:So what powers does the IETF have on this? (2, Insightful)

Znork (31774) | more than 5 years ago | (#25839145)

sound like recommending that everyone start playing Duke Nukem Forever.

Yes, with the limitation that only one can have the keyboard at a time.

Considering that both Europe and China are launching their own satellite navigation networks, largely as a distrust issue, the idea that a single signed DNS root will be politically digestible over anything but a very short term shows a certain... detachment... from the actual politics of the world.

I suspect that even if DNSSEC gets deployed to any large extent it'll get fractured again due to missteps by the controlling organizations (You gonna sign that Tibet key or not?).

In the end there are other solutions that might be more palatable. You could specify multiple servers against which to cross-check DNS lookups, you could store keys after first access, (and to solve Kaminsky it's even easier as you could just extend the random id code) etc, etc. The hierarchial trust structure appeals to some, particularly as it fits DNS very well, but it has some problems that may perhaps never be resolved and that can render it incompatible with reality.

Re:So what powers does the IETF have on this? (1)

Creepy Crawler (680178) | more than 5 years ago | (#25839721)

Who said YOU have to trust anybody?

Instead, we rid ourselves of all domain names that do not state country code (.com, .net, .gov, ...). Then, each country sets up a national Pubkey Archive and authenticates via their country key. Each country sets their own up, so they are in charge, not some arbitrary country "somewhere else".

That idea also easily allows enterprising "hackers" and other types to have their own auth server and provide their own domain setup. All you need do is to aim your domain resolver at the domain master and you can resolve them now. It's just like how ToR provides lookup of .onion

Re:So what powers does the IETF have on this? (2, Insightful)

Incongruity (70416) | more than 5 years ago | (#25840773)

This sounds like a good idea on the surface -- it'll never happen, of course, because too many companies and individuals have too much invested in the .com, .net, etc. without the country codes... but still, I like the consistency it all brings.

Re:So what powers does the IETF have on this? (2, Interesting)

mellon (7048) | more than 5 years ago | (#25841793)

With DNSSEC, if the person running the root were to sign incorrect data and publish it, this would be easily detected by the consumers of that data. So it would only serve to create an embarrassing international incident - you couldn't use it to actually fool anybody.

Re:So what powers does the IETF have on this? (0)

Anonymous Coward | more than 5 years ago | (#25842753)

DNSSEC sucks beyond belief. I vote we do nothing until something different, better, and actually well thought out comes along.

Re:So what powers does the IETF have on this? (1)

e9th (652576) | more than 5 years ago | (#25838691)

It sounds like they'd really like to see the root servers implement DNSSEC, which might result in a trickle-down effect to others DNSes.

But if we can't even stop people from having their authoritative servers also act as recursive caches, I don't hold out much hope.

Re:So what powers does the IETF have on this? (1)

cjfs (1253208) | more than 5 years ago | (#25838911)

IETF participants pointed out that DNS software packages from BIND, Nominum, Microsoft and NLnet Labs have added patches for the Kaminsky bug, and 75% of DNS servers have been upgraded to thwart Kaminsky-style attacks. The IETF also is putting the finishing touches on a best-practices document that outlines ways for DNS server operators to protect against spoofing attacks like those that exploit the Kaminsky bug.

So you're correct. Patches are out and the IETF is just debating their stance.

Re:So what powers does the IETF have on this? (2, Informative)

Tjebbe (36955) | more than 5 years ago | (#25839467)

Those patches are no fix, they only make the attack a little bit harder, and were easy to do without changing the current protocol or authoritative server software.

Most of the proposed interim solutions do require a change in the protocol and/or authoritative server software, and those will need to be supported until the end of time (or when DNS goes away, which is probably not before a decade after that), and make debugging of misconfigurations that much harder, especially when several of these additions would be combined.

That is why some people are hesitant to standardize these solutions (or implement DNSSEC, for that matter).

Re:So what powers does the IETF have on this? (1)

mrsbrisby (60242) | more than 5 years ago | (#25841041)

Hesitant? Hesitant!?

Look, this isn't a bunch of ninnies holding back progress. DNSSEC is a replacement for DNS. It always has been, and for some god awful reason it's taken its architects over a decade to get nowhere. Deploying DNSSEC gains you nothing and costs you a lot: You have install costs, heavier hardware, changes to your internal infrastructure- those are the obvious ones-then you've also got the fact that the DNSSEC tokens will get your DNS packets stripped by some firewalls which means you disappear from the Internet- and this is my favorite, DNSSEC actually reduces security by making it easier to launch denial of service attacks on you.

Meanwhile, competing systems [dnscurve.org] are rebuffed as "we've already invested all this time into DNSSEC".

Re:So what powers does the IETF have on this? (1)

mellon (7048) | more than 5 years ago | (#25841807)

Argument by vigorous assertion? If people are interested in delving deeper, reading the namedroppers and dnsop mailing lists for the month around the release of the Kaminsky bug would be instructive.

Re:So what powers does the IETF have on this? (2, Interesting)

mellon (7048) | more than 5 years ago | (#25841741)

When you read this article, I think it's virtually impossible to come away with a correct impression - this is a really bad case of the game of telephone.

The situation is that the major DNS vendors have all produced patches to their DNS server software that increases the entropy of the queries these servers send, so that now instead of spoofing being something that can be done with the relatively trivial hack Dan came up with, you now have to pretty much bludgeon the network to death for about 24 hours to get a successful attack.

So it's still possible to get a successful attack, but it's much, much harder. And if you do such an attack, it's really easy to detect.

So what the IETF is now discussing is how to exclude even the 24-hour bludgeoning attack. This is very different than what we were discussing in secret before the Kaminsky attack was revealed to the public. So "do nothing" really isn't as bad an idea as it sounds from reading the article.

Also, the quotation at the bottom of the article from Paul Hoffman is pure nonsense. The fact is that the main barrier to DNSSEC deployment right now is that the government hasn't yet signed the root. They are about to sign the root. The next barrier to DNSSEC deployment is that .COM isn't signed (.ORG is very close to being signed, and a lot of other TLDs are already signed as well). The reason .COM hasn't been signed is largely because they have an excuse. Since the root isn't signed, signing .COM isn't all that useful. Once the root is signed, the excuse for not signing .COM goes away.

Now, once .COM is signed, how much work is it to sign your zone? It takes about an hour to set up. I know because I've already signed all my zones. So this means that any organization that has a fiduciary responsibility to make sure you don't get spoofed (e.g., your bank) can *easily* sign their zone, once .COM is signed.

It is *not* necessary for every zone on the internet to be signed. It is merely necessary that those zones that really matter, and are most likely to be attacked, like bankofamerica.com, get signed.

Next, ISPs have to protect their DNS caches, or else you, if you really care about security, have to install a validating resolver. Installing a validating caching nameserver is not trivial, but it's not that hard. Importantly, it is no harder than installing a hacked caching name server - one that includes one of the several hacks proposed in the DNSEXT working group the other day.

So this is why serious people, including me, are arguing that doing nothing is actually the right thing. That's really an incendiary way of putting it: the fact is that the geeks have come up with a protocol that does the job. We have implemented servers that do that protocol. We have implemented clients that do that protocol. You can get them for free, or you can pay for nicer versions (my company makes one). What is missing is that the people who write the checks haven't written the checks yet.

So when the people who write the checks come to us and say "can't you make it secure," a lot of us answer "we did, why don't you use what we did." It's a little bit PHBish to come back at this point and demand that we do Yet Another DNS security system, particularly one that's a bad hack, when a system already exists and is deployable and not a hack, that will work much better than any of the proposed hacks.

So that's why some of us argued for doing nothing. We are simply telling the PHBs of the world "no, we already did what you need, go deploy that and stop bothering us," not "security isn't important."

How many legs does the Kaminsky bug have? (1, Funny)

pandrijeczko (588093) | more than 5 years ago | (#25838505)

If it's eight, then it's probably that perishing missing space station spider!

In which case, you go get the vacuum cleaner and I'll stand here shaking in the corner emitting arachnophobic screams...

Re:How many legs does the Kaminsky bug have? (5, Funny)

cstdenis (1118589) | more than 5 years ago | (#25838579)

It's a space station. You don't need a vacuum cleaner. Just open a window.

Re:How many legs does the Kaminsky bug have? (1)

pandrijeczko (588093) | more than 5 years ago | (#25838665)

I concede defeat, sir.

I cannot think of a witty retort to one of the best "smartarse" replies I have ever had.

Re:How many legs does the Kaminsky bug have? (1)

jacquesm (154384) | more than 5 years ago | (#25839101)

It hurts. And you owe me a new keyboard. Know that your life was not in vain, even if you never surpass this.

Re:How many legs does the Kaminsky bug have? (2, Funny)

scrib (1277042) | more than 5 years ago | (#25838705)

If it's eight, then it's probably that missing space station spider!
I'll stand here shaking in the corner emitting arachnophobic screams...

I'm sorry, I can't hear you scream...

Re:How many legs does the Kaminsky bug have? (1)

pandrijeczko (588093) | more than 5 years ago | (#25838861)

That was funny but cstdennis deserves drowning in positive "+1 Smartarse" moderations...

Old news? (3, Informative)

Bearhouse (1034238) | more than 5 years ago | (#25838719)

As often, Ars Technica has had this for a while.

http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html [arstechnica.com]

I quote:

"This would be less of an issue if the widely released patch from two weeks ago had been fully deployed"

And:

Moving to the more DNSSEC system would have solved this problem, and that idea was apparently floated, but it was dismissed on account of the tremendous overhead required by this protocol. The patch that currently exists is not a foolproof solution, but it minimizes the chances that the attack will succeed. "The exploit is now tens of thousands of times harder, but still possible," Kaminsky stated during his Black Hat webcast. "one in several hundred million to one in a couple billion."

Yawn.

Re:Old news? (1)

Red Flayer (890720) | more than 5 years ago | (#25840329)

"The exploit is now tens of thousands of times harder, but still possible," Kaminsky stated during his Black Hat webcast. "one in several hundred million to one in a couple billion."

You know, for all of Kaminsky's brilliance, he's got math problems.

Going from "one in several hundred million to one in a couple billion" is not "tens of thousands of times harder". I guess it would make his quote a little less exciting.

"The exploit is now tens of times harder" just doesn't have any flair to it.

Re:Old news? (2, Informative)

pleappleappleap (1182301) | more than 5 years ago | (#25840823)

That's not what he meant. He meant that the chance is *now* between one in several hundred million and one in a couple billion.

Re:Old news? (0)

Anonymous Coward | more than 5 years ago | (#25842279)

In your haste to be the cool we've all been waiting for, you forgot the point of the post and got caught up in the back story.

I quote:

"Meeting in Minneapolis this week.."

So it's current news. And no shit, everyone is well aware the issued with a solution.

Perhaps you need a nap, you sound tired.

Maybe it's for the best... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25838875)

From what I've read, the possible fixes for DNS don't address the cause but just the symptoms and could (according to some: will) cause new, more complicated problems later on. And approaches that might really robustly work could be such that deploying DNSSEC will be simpler. And there's also the angle that we already have a well engineered solution to the problem, let's deploy that instead of engineering a new ugly solution. In the end, if it really becomes a problem it will get fixed either way, so we might as well do it right.

Stupid, stupid, stupid! (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#25838885)

Now, when, and I mean EVER, has a security hole meant that people switch to a new platform? Or when has a severe security hole EVER caused people to even consider moving?

Windows has its leaks. But people keep using it. Why? Because they don't care, don't know or because "hey, what are the odds that it happens to me?". SMTP and POP have flaws, spam is running rampart because of it, and we switch to securer ways of mailing that can verify the sender... not! IPv4 has security problems and we're not even seriously considering switching to something more secure.

People will NOT switch to something else just because of a security problem. Because the people who could enforce it simply don't care. ISPs? ISPs don't even care about trojans running rampart in their network. Most don't even bother trying to block Sasser from spreading. The governments? Spare me that, currently I'd rather expect them to use the flaw themselves for better surveillance of their subjects.

Fix that damn bug! Nobody will move to a better platform just because of a "mere" security problem.

That's plain wrong (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25840111)

There ARE people who switch because of security issues.

So shut up with your hopeless inertia thinking.

People can and do change, they will not forever accept second class solutions.

Re:Stupid, stupid, stupid! (0)

Anonymous Coward | more than 5 years ago | (#25840319)

This is a little different in the case of Windows. Average Joe doesn't know or care about security holes in Windows. However, the people running and financing the servers being affected by this bug, are not average Joes. Trust me, these people care.

Re:Stupid, stupid, stupid! (1)

Opportunist (166417) | more than 5 years ago | (#25840857)

Sure they do. At least a sizable portion of them does. But they don't get the money from the economy guys to do it. Because they do not understand it. All they understand is that the customer accepts a shoddy solution and doesn't care if you offer a better one, and the better one costs money (time, certs,...) to implement.

Re:Stupid, stupid, stupid! (1)

spinkham (56603) | more than 5 years ago | (#25840457)

DNSSEC *IS* fixing the bug.
It's a protocol problem, and needs a protocol level fix.
DNSSEC is an extension of the DNS protocol, and if any party in the transaction doesn't support it or ask for it, DNS still acts just like DNS. If the resolver asks for DNSSEC information, and the DNS server supports it, then you get the normal DNS information + the DNSSEC information.

This is NOT switching to a new platform, it's adding a signature to the existing platform for verification. It can work precicely because it is backwards compatible, and doesn't require everyone switch at once.

It DOES pretty much require a signed root, which is the primary hold up. However, at the moment there are countries where the top level domains are signed, and have a fairly good deployment of DNSSEC.

Re:Stupid, stupid, stupid! (3, Informative)

Opportunist (166417) | more than 5 years ago | (#25840735)

No, DNSSEC would fix the bug. IF, and only IF, everyone used it. Actually the fact that DNSSEC accepts insecure DNS requests makes this approach flawed.

It's not a technical problem. It's an economic one.

Switching to DNSSEC means additional costs for ISPs. Additional time for server admins, additional hassle to get the verifications, signatures and certs. In one word, expense. Expense without revenue.

Now, old school, insecure DNS works. The customer doesn't see a difference (most of all, he doesn't understand why DNSSEC would be a good idea, if he heard about it at all). Security has never been a selling point for ISPs. Price is. The customer won't request secure DNS and for almost every potential customer of an ISP the question whether a provider uses secure or insecure DNS is not going to influence his decision which one to take. If he has a choice at all, that is.

I do agree that switching to DNSSEC would be a damn good idea. But you, me, some others on /. and a handful more understand the implications. That's not even a percent of a potential customer base for an ISP. So it doesn't matter.

As long as there is no meaningful pressure on ISPs to adopt DNSSEC, they won't do it. And by meaningful, I mean someone or something requiring you to come from a provider address using DNSSEC to do business with you (banks come to mind). But since they again don't want to lose customers (due to requiring it while some other bank/business doesn't), they won't press for it either.

If you want to force people to use DNSSEC, you have an ally in me. But you will not convince a sizable portion of the users, or even ISPs, just by keeping the alternative insecure. They won't care.

Re:Stupid, stupid, stupid! (1)

spinkham (56603) | more than 5 years ago | (#25840831)

Comcast is currently running publicly available DNSSEC enabled testbed: http://www.dnssec.comcast.net/

All the service providers are fed up with having to rush to patch all their DNS servers for a major break about once a year, and the time is right to convince them to switch after the largely publicized Kaminsky bug.

There are 2 major hold ups on DNSSEC adoption:
The root is not signed, and Microsoft doesn't support it.

Pretty much every other DNS server besides MS supports DNSSEC, and most now support the privacy preserving NSEC3 variant also.

Personally, I don't care if ISPs support it right away as I run my own recursive nameserver and avoid my ISPs like the plague, but I know that puts me in .00001% of the Internet.

Re:Stupid, stupid, stupid! (2, Insightful)

mrsbrisby (60242) | more than 5 years ago | (#25841085)

Actually, there are a lot more than two major holdups:

  1. DNSSEC is slow. It makes your nameservers vulnerable to denial-of-service attacks
  2. DNSSEC is incompatible with many firewalls; publishing DNSSEC will make you invisible to some sites
  3. DNSSEC is very complicated. It's very hard for nameservers that aren't based on BIND to implement it. I should point out that the nameservers that aren't based on BIND have actually been practically immune to the recent DNS attacks...
  4. DNSSEC requires administrators change their behavior significantly. This means retraining and reimplementation of many processes
  5. DNSSEC requires cooperation from all the parents, not just the roots.
  6. DNSSEC requires that clients reject unsigned data

The list goes on. There is another way [dnscurve.org] , but because the BIND company controls a root server and has voting powers, and "because we've already invested so much in DNSSEC", it's unlikely the deadlock will be broken: DNSSEC will continue to suck so badly that nobody will want to use it, and other systems will be blacklisted because they're not DNSSEC.

Re:Stupid, stupid, stupid! (2, Interesting)

mellon (7048) | more than 5 years ago | (#25841857)

1. No, it doesn't. The zone is signed once, and then queries are served out of cache. The server does not have to sign its response to each query.
2. Some firewalls are broken? What else is new?
3. This isn't true. Every name server out there except for djbdns supports dnssec. It took some real work to add that support, sure, but the work is already done. If you want DNSSEC support, you can have it now.
4. Hm. I had to add a single cron job to automatically resign the zone once an hour. Big whoop.
5. Publishing a name in the DNS requires cooperation from the parents. This is a non-issue.
6. No, it doesn't. It requires that validating clients reject unsigned data from zones that are signed, and provides a secure way for those clients to determine whether or not a zone is signed. This is why DNSSEC protects against the Kaminsky bug. If we took this feature out, DNSSEC would be useless.

Re:Stupid, stupid, stupid! (1)

Opportunist (166417) | more than 5 years ago | (#25842095)

Pretty much every other DNS server besides MS supports DNSSEC

Can you see someone with deeeeeeeep pockets doing what they can to keep DNSSEC from becoming popular?

Re:Stupid, stupid, stupid! (0)

Anonymous Coward | more than 5 years ago | (#25842607)

Well, Microsoft 'sort of' support it.

http://technet.microsoft.com/en-us/library/cc728328.aspx

Basically a (current generation) Microsoft DNS server will correctly serve a signed zone. But it won't calculate the signing itself, and it won't validate the signatures on data it finds.

However, at least one source says that [dnssec-deployment.org] Windows 7 will include DNSSEC support. (And reading the linked blog post, Windows 2008 R2 is going to have DNSSEC support, including signing even on Active Directory integrated zones.)

Translation.... (1)

Plekto (1018050) | more than 5 years ago | (#25839045)

"Do nothing"

After applying CIS and corporate-speak filters:

"Aw man, do I have to get up and actually program some code?"

sensationalist nonsense - use 0x20 now! (4, Interesting)

leto (8058) | more than 5 years ago | (#25839207)

Stupid sensationalism.

You can right now use draft-vixie-dnsex-dns0x20 [ietf.org] to protect against the kaminsky bug. This option is already available in the unbound [unbound.net] nameserver.

Talking about totally talking out of context. Fools!

If IETF does something to mitigate, the unbelievers scream "see we dont need dnssec"

If IETF does not do something, the unbelievers scream "you're blackmailing us into dnssec"

Stop whining and put your foot where your mouth is.

Re:sensationalist nonsense - use 0x20 now! (1)

nog_lorp (896553) | more than 5 years ago | (#25840527)

I think Slashdot is more in the believers community. The discussion is more along the lines of "How can we blackmail them into using DNSSEC? Will the Kaminsky bug be effective for that purpose?"

Re:sensationalist nonsense - use 0x20 now! (1)

kelnos (564113) | more than 5 years ago | (#25840697)

I'd be perfectly ok with the IETF "blackmailing" everyone into implementing DNSSEC.

Re:sensationalist nonsense - use 0x20 now! (1)

Spazmania (174582) | more than 5 years ago | (#25841561)

Why is this a troll? 0x20 is in fact one of the proposals for mitigating the Kaminsky weakness.

The idea is: you take each of the letters in the query and randomize the capitalization. The response from the server should have the same randomization. If it doesn't, someone may be trying to hack you so you fall back on a slower, heavier-weight TCP-based DNS query instead. In effect, each letter adds one bit to the 16-bit query ID for the purpose of calculating cryptographic entropy. Combined with source port randomization (which adds another 16 bits of entropy) you force the attacker to spend an impractical amount of resources to briefly forge just one entry.

DNSSuCk? (1)

Nicolas MONNET (4727) | more than 5 years ago | (#25839415)

1. It's very complicated.
2. It's error prone
3. It's not even going to protect you against many attacks
4. It's coming from the people who wrote bind 4.x, the steaming pile of dung that preceded bind 8.x, the rotting carcass that preceded bind 9.x, the most bloated decomposing corpse of a beached whale of the internet
5. Even sendmail looks better than bind nowadays
6. Last I heard you have to give some more money to Verisign. Sigh.
7. It took them, what, 12 tries to get it "right"? I mean last time they said it was going to be the right one. How do we know this time it's good?

Re:DNSSuCk? (1)

hardaker (32597) | more than 5 years ago | (#25840177)

You'd have to back up many of those claims as at least half of them don't make sense or are inaccurate. Troll anyone?

Re:DNSSuCk? (1)

mrsbrisby (60242) | more than 5 years ago | (#25841139)

1. Have you looked at BIND's implementation of DNSSEC? It's thousands of lines of code alone.
2. See #1.
3. RFC4033: DNSSEC (deliberately) doesn't provide confidentiality; RFC 4033: DNSSEC does not protect against denial of service attacks.
4. The bind people claim that BIND9 was written by "a whole new set of people" but at least thirteen of the developers have been identified to work on both [cr.yp.to] .
5. I'm leaving this one alone.
6. CA certificates were planned for an earlier incarnation of DNSSEC
7. I don't think this requires clarification, but this pdf [64.233.169.132] indicates that the IETF started DNSSEC in 1993.

Do you actually check? Or do you just call people trolls who you don't agree with?

Misreported (5, Informative)

Spazmania (174582) | more than 5 years ago | (#25839419)

I was in the meeting. As I recall, one gentleman, I'll repeat that, one gentleman from the audience of a few hundred got up and expressed the opinion that we should do nothing so as to spur DNSSEC deployment.

There was rather more consensus for the view that we should avoid making quick hacks that might obstruct DNSSEC deployment since DNSSEC is currently the only approach on the table that we're reasonably sure ends the problem.

Re:Misreported (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25839771)

Here is my humble opinion.

Fix this bug, then set a date where everybody has to move to DNSSEC and IPV6. Let's say 01/01/2010.

Make it mandatory, or else...

Then be done once and for all with this old tech.

Re:Misreported (1)

LingNoi (1066278) | more than 5 years ago | (#25840931)

or else what?

Re:Misreported (1)

Idiomatick (976696) | more than 5 years ago | (#25841269)

they cant use the internet. make it not backwards compatible....

Re:Misreported (1)

Lost Race (681080) | more than 5 years ago | (#25841721)

What internet? All the hosts that still support legacy DNS will still be able to talk to each other, and anybody can provide a legacy DNS root (there are already many alternatives to the "official" DNS root). As for IP version, any interchanges that provide IPv4 routing will allow communication between IPv4-only hosts, so there will still be large fragments of the current Internet reachable through IPv4 -- perhaps nearly all of it via extended and circuitous routes. Do you think anybody can exert enough influence to force every interchange to stop IPv4 routing and block legacy DNS packets?

Re:Misreported (2, Interesting)

pawal (6862) | more than 5 years ago | (#25839939)

I was also in this meeting. One of the following comments (from whom exactly, I don't remember) was that all of the DNS namespace will never be signed using DNSSEC, there will for a very long time if not always, be gaps in the namespace that won't be signed at all.

There are also other reasons to run an unsigned zone for shorter times, but I won't go into details about that.

So we should probably strengthen the DNS protocol in other ways than using DNSSEC, but those improvements must not be ugly hacks.

Re:Misreported (2, Interesting)

Chris Burkhardt (613953) | more than 5 years ago | (#25840009)

Is DJB's DNSCurve [dnscurve.org] a viable solution?

Re:Misreported (1)

kelnos (564113) | more than 5 years ago | (#25840719)

I'd avoid using "DJB" and "viable solution" in the same sentence.

But that's just personal bias.

Re:Misreported (1)

spinkham (56603) | more than 5 years ago | (#25840899)

Yes, but not more then DNSSEC, which is a published, widely implemented, and tested system.

DNSCurve trades off more compute resources and the need to have the signing key on the public DNS server to get encrypted DNS, while DNSSEC has a lower server compute load and can store the signing keys off the server, but communicates in the clear.

It's hard to make a case for the need to protect the DNS traffic from sniffing, the threat is modification, not sniffing.

I would like to see elliptic curve crypto standardized and used in DNSSEC as it will significantly save on the traffic needed, but that is something that can be easily changed later. DNSSEC is very extensible and designed with the future in mind.

Re:Misreported (2, Interesting)

mrsbrisby (60242) | more than 5 years ago | (#25841213)

Yes, but not more then DNSSEC, which is a published, widely implemented, and tested system.

I disagree. DNSSEC isn't widely implemented, and the widest test [64.233.169.132] had numerous problems.

DNSCurve is 100% compatible with DNS. There's nothing a firewall could do that would be compatible with DNS that is incompatible with DNSCurve.

DNSSEC is not.

DNSCurve trades off more compute resources and the need to have the signing key on the public DNS server to get encrypted DNS, while DNSSEC has a lower server compute load and can store the signing keys off the server, but communicates in the clear.

DNSCurve protects against denial of service attacks [dnscurve.org] . It requires far less compute-power than DNSSEC.

It's hard to make a case for the need to protect the DNS traffic from sniffing, the threat is modification, not sniffing.

Rubbish. Even an amateur cryptographer would tell you that the more you know about the message, the easier it is to break it. Confidentiality protections reduce the amount of knowledge, and thus protect against attacks that are yet unknown.

I would like to see elliptic curve crypto standardized and used in DNSSEC as it will significantly save on the traffic needed, but that is something that can be easily changed later. DNSSEC is very extensible and designed with the future in mind.

I don't think you know what you're talking about.

Re:Misreported (1)

pawal (6862) | more than 5 years ago | (#25842015)

The notion that DNSSEC has had a lot of problem (and you take "the widest test" as data for it!) it not true. .SE has had _one_ major problem with DNSSEC and that was due to a bug in BIND which caused some equipment to fail. (The bug was that BIND set the AD bit by mistake, it was promptly fixed.)

Fact is that we have had no problems since, and we now expect a fast rollout. The major problem now is that there is still a lack of tools, not only for TLDs, but also hosting companies and other large nameservice providers.

I have not seen any large deployment of DNSCurve, and I know for a fact that NSD, BIND, Unbound and other major DNS software does not implement DNSCurve...

Re:Misreported (2, Informative)

spinkham (56603) | more than 5 years ago | (#25842043)

Yes, but not more then DNSSEC, which is a published, widely implemented, and tested system.

I disagree. DNSSEC isn't widely implemented, and the widest test [64.233.169.132] had numerous problems.

DNSSEC is currently deployed live in multiple countries, .gov and .arpa are now signed (but only for testing purposes at the moment). Yes, the number of DNSSEC hosts is only in the low 5 digits, but that's still way more then DNSCurve. 11 vendors have DNSSEC compatible DNS servers, which I believe is 11 more then DNSCurve. DNSCurve would have to be significantly better in order to garner support at this stage, and I'm not seeing it.

DNSCurve is 100% compatible with DNS. There's nothing a firewall could do that would be compatible with DNS that is incompatible with DNSCurve.

DNSSEC is not.

This is a valid point. Only about 1/4 of recently tested home routers allowed DNSSEC traffic. It's also a problem that is trivial to solve in the long term. Once DNSSEC is deployed, routers will follow. Realistically however, all home routers will be DNSSEC capable before Windows can deal with the DNSSEC data. DNSSEC can still make policy decisions at the ISPs recursive resolver before that time however.

DNSCurve trades off more compute resources and the need to have the signing key on the public DNS server to get encrypted DNS, while DNSSEC has a lower server compute load and can store the signing keys off the server, but communicates in the clear.

DNSCurve protects against denial of service attacks [dnscurve.org] . It requires far less compute-power than DNSSEC.

Strange that the link you send doesn't mention DOS attacks at all.
DNSSEC requires 0 more compute power, but does increase network traffic. DNSSEC can be extended to use ECC instead of RSA to reduce the network overhead, with NO computational overhead.

I would like to see elliptic curve crypto standardized and used in DNSSEC as it will significantly save on the traffic needed, but that is something that can be easily changed later. DNSSEC is very extensible and designed with the future in mind.

I don't think you know what you're talking about.

Oh? Read RFC 4034 [ietf.org] , then get back to me. Elliptic curve crypto already has a specified algorithm type, listed in appendix A.1. Unfortunately, the exact format hasnt been standardized yet. There are 245 more unassigned crypto specifications available for future use, I'd call that extensible.

DNSCurve does have some good ideas since it was designed to be easy to deploy, while DNSSEC deployment frankly sucks. DNSSEC is designed by committee,and it shows. On the other hand, it has many future-proof features like the ability to upgrade the crypto used in case RSA, DSA, ECC, or any other scheme falls like a house of cards, or simply need to be made longer in order to survive attacks.

If DNSCurve was proposed 5 years ago, it would have had a good chance of becoming the standard. Now, frankly, it's too late. Most of the major DNS servers support DNSSEC, .gov is currently signed and all US government sites must use DNSSEC by next year, the root servers and reverse .arpa domains have DNSSEC testbeds, Comcast has deployed their dnssec test servers. The political problems of who holds the root keys will be solved soon and DNSSEC will be live. Whether it takes off or not is a question for the market to decide.

Emphasis on *amateur* (3, Interesting)

jonaskoelker (922170) | more than 5 years ago | (#25842811)

Even an amateur cryptographer would tell you that the more you know about the message, the easier it is to break it.

And a professional cryptographer would tell you to use a signature scheme that is provably secure (under standard cryptographic assumptions) against known plaintext signature forgery, and use a key big enough to satisfy you. Heck, you do all the crypto off-line, so you can pick a big one.

Confidentiality protections reduce the amount of knowledge, and thus protect against attacks that are yet unknown.

Prove the security of your signature scheme in the Universal Composability model and it's secure against all attacks, known and unknown.

I don't think you know what you're talking about.

Oh the iro... No, actually, you _do_ know what you're talking about: amateur cryptography.

DNSCurve protects against denial of service attacks [link]

So to back up your claim, you post a link to someone making the same claim. Now I'm convinced...

It requires far less compute-power than DNSSEC.

Yes, but it requires it on-line. It also requires caching keys for your clients unless you want to double your in- and outbound packet load.

Read the page about DNSCurve. It says "DNSCurve and DNSSEC have complementary security goals. If both were widely deployed then each one would provide some security that the other does not provide."

They're, taken at the word, not meant to replace each other.

Re:Misreported (1)

j h woodyatt (13108) | more than 5 years ago | (#25841751)

On the other hand, the emerging consensus in the BEHAVE and SOFTWIRE groups appears to be that port randomization isn't beneficial enough in mitigating the general class of port spoofing attacks to warrant rejecting on that grounds alone the various schemes in play for allowing service providers to aggregate multiple subscribers behind the same public IPv4 address while maintaining the network address translation at the subscriber site by slicing up the public port range available to each site.

Don't worry. I'm sure the robots will save us all in the end.

Risk/Reward, other options (1)

gschwim (413230) | more than 5 years ago | (#25840199)

Risk/reward also needs to be considered as part of this. The move to DNSSEC may itself be straightforward (emphasis on "may), but it does stand to increase overall DNS bandwidth and use of other resources throughout the global DNS infrastructures. Service providers are sure to look at this and wonder what they're getting out of the deal for their added costs.

One thing to consider as well is that DNS is not intended to be an authentication of a site you are visiting. It seems to me there are other methods of site validation (SSL/Certs).

Minneapolis? (1)

Kohath (38547) | more than 5 years ago | (#25840459)

We're trusting Internet security to people who don't know any better than to schedule meetings in Minneapolis in the winter. It's 17 degrees and very windy out right now.

Re:Minneapolis? (3, Funny)

Al Dimond (792444) | more than 5 years ago | (#25840693)

I don't know much about this sort of thing, but I bet it's relatively cheap to book in cold-weather cities in the winter.

As a side benefit, it annoys Californians. Win all around.

Re:Minneapolis? (3, Interesting)

Spazmania (174582) | more than 5 years ago | (#25841481)

Minneapolis has a "Skyway." [downtownmpls.com] Basically, many of he buildings downtown are connected via heated walkways between the second floors. These second floors form literally miles and miles of indoor pedestrian mall. The Hilton where the conference is held is connected to it.

So basically you can go everywhere without having to ever go outdoors. And we have a gig-e Internet link for the duration of the conference. Its computer geek heaven.

Re:Minneapolis? (3, Interesting)

mellon (7048) | more than 5 years ago | (#25841883)

Eh, the whole downtown is covered in habitrails, so you can walk from building to building in short sleeves, because you don't ever have to go outside. It's kind of like living on a really big space station, only with gravity.

It was kind of cold in my hotel room, though.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...