Firms Tackle Security Flaw In Web Addressing System
Mark Andrews
Mark_Andrews at isc.org
Thu Jul 10 23:59:19 UTC 2008
> Before you get too carried away with congratulations, please realize
> that these patches only make the affected implementations more
> *resilient* to the attack. They don't actually *fix* the problem.
>
> The true fix is to implement DNSSEC Internet-wide, but the DNSSEC
> protocol extensions have been mired in the standards process for over a
> decade, and, even if complete standards were published tomorrow, it
> would still take years for administrators to implement, due to their
> complexity, the steep learning curve, and the additional resource
> requirements (which may require server and/or network upgrades).
I can do better than tomorrow. They were published 3 years
ago. All current versions of named implement them.
Network Working Group                                          R. Arends
Request for Comments: 4035                          Telematica Instituut
Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
           3755, 3757, 3845                                          ISC
Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
         3007, 3597, 3226                                       VeriSign
Category: Standards Track                                      D. Massey
                                               Colorado State University
                                                                 S. Rose
                                                                    NIST
                                                              March 2005

         Protocol Modifications for the DNS Security Extensions
DNSSEC is NOT complex to deploy. There is NOT a steep
learning curve. And while DNSSEC does use more resources,
most nameservers could turn it on and not notice.
http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
I've helped teach DNSSEC to engineers who have never run a
nameserver until a few days before. Just use the defaults.
They are reasonable for most end systems.
You can debug DNSSEC deployment problems with "dig" and
"date -u".
"dig" for delegation problems.
* Does the ID field in the DS record match the DNSKEY's ID, yes or no?
"date" for expired signature problems.
* Is the current date between the two dates in the RRSIG, yes or no?
SE, BR, PR and BG are signed.
ORG is in the process of getting signed.
It's real. It's happening *now*.
Mark
> brought to light, and countermeasures developed and deployed, for at
> least the next few years. This is by no means the end of the story, just
> another chapter in a long saga.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
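The two checks Mark lists above (does the DS key tag match the DNSKEY's key tag, and does the current UTC time fall inside the RRSIG's validity window), worked through in Python as an added example that is not part of the original post. The records are constructed samples with a deliberately tiny placeholder public key; the key tag arithmetic follows RFC 4034 Appendix B.

```python
import base64
from datetime import datetime, timezone

# Constructed sample records (not real zone data). The DNSKEY public key is a
# four-byte placeholder so the key tag (2063) can be verified by hand.
DNSKEY = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="
DS_GOOD = "example. 3600 IN DS 2063 8 2 " + "00" * 32   # placeholder digest
DS_BAD = "example. 3600 IN DS 2064 8 2 " + "00" * 32    # stale key tag
# RRSIG presentation order: type alg labels origttl EXPIRATION INCEPTION keytag signer sig
RRSIG = "example. 3600 IN RRSIG A 8 1 3600 20080801000000 20080702000000 2063 example. c2ln"


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|key)."""
    if algorithm == 1:  # RSA/MD5 uses the separate rule in Appendix B.1; not handled here
        raise ValueError("algorithm 1 key tag rule not implemented")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even bytes are the high octet of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_tag(rr):
    f = rr.split()  # name ttl class DNSKEY flags protocol algorithm key...
    return key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))


def ds_matches_dnskey(ds_rr, dnskey_rr):
    """Check 1 from the post: DS key tag field == key tag computed from the DNSKEY."""
    return int(ds_rr.split()[4]) == dnskey_tag(dnskey_rr)


def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC, which is why `date -u` is the right clock."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window(rrsig_rr):
    """Return (inception, expiration, key_tag) from an RRSIG in presentation format."""
    f = rrsig_rr.split()
    return parse_ts(f[9]), parse_ts(f[8]), int(f[10])


def rrsig_valid_at(rrsig_rr, now):
    """Check 2 from the post: is `now` between the RRSIG's inception and expiration?"""
    inception, expiration, _ = rrsig_window(rrsig_rr)
    return inception <= now <= expiration


if __name__ == "__main__":
    print("DS matches DNSKEY:", ds_matches_dnskey(DS_GOOD, DNSKEY))
    print("RRSIG valid now:", rrsig_valid_at(RRSIG, datetime.now(timezone.utc)))
```

The same functions can be fed the literal lines that `dig +dnssec` prints for a real zone; the only thing to strip is dig's `;;` comment lines.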