Firms Tackle Security Flaw In Web Addressing System

Mark Andrews Mark_Andrews at isc.org
Thu Jul 10 23:59:19 UTC 2008


> Before you get too carried away with congratulations, please realize 
> that these patches only make the affected implementations more 
> *resilient* to the attack. They don't actually *fix* the problem.
> 
> The true fix is to implement DNSSEC Internet-wide, but the DNSSEC 
> protocol extensions have been mired in the standards process for over a 
> decade, and, even if complete standards were published tomorrow, it 
> would still take years for administrators to implement, due to their 
> complexity, the steep learning curve, and the additional resource 
> requirements (which may require server and/or network upgrades).

	I can do better than tomorrow.  They were published 3 years
	ago.  All current versions of named implement them.
 
Network Working Group                                          R. Arends
Request for Comments: 4035                          Telematica Instituut
Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
           3755, 3757, 3845                                          ISC
Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
         3007, 3597, 3226                                       VeriSign
Category: Standards Track                                      D. Massey
                                               Colorado State University
                                                                 S. Rose
                                                                    NIST
                                                              March 2005


         Protocol Modifications for the DNS Security Extensions

	DNSSEC is NOT complex to deploy.  There is NOT a steep
	learning curve.  And while DNSSEC does use more resources,
	most nameservers could turn it on and not notice.

	http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

	I've helped teach DNSSEC to engineers who have never run a
	nameserver until a few days before.  Just use the defaults.
	They are reasonable for most end systems.

	You can debug DNSSEC deployment problems with "dig" and
	"date -u".

	"dig" for delegation problems.
	* Does the ID field in the DS record match the DNSKEY's ID, yes or no?

	"date" for expired signature problems.
	* Is the current date between the two dates in the RRSIG, yes or no?

	SE, BR, PR and BG are signed.
	ORG is in the process of getting signed.

	It's real.  It's happening *now*.

	Mark

> brought to light, and countermeasures developed and deployed, for at 
> least the next few years. This is by no means the end of the story, just 
> another chapter in a long saga.
> 
>                                                                          
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
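The two "dig" and "date -u" checks described in the message, as an added example that is not part of Mark's post or of BIND: it recomputes a DNSKEY's key tag (RFC 4034 Appendix B), derives the DS fields the parent zone should carry for that key (going one step past the key-tag comparison to the digest itself), and tests an RRSIG's inception/expiration window against a clock reading. The zone name, key and signature are constructed samples, not real data.

```python
import base64
import hashlib
from datetime import datetime, timezone

OWNER = "example.test."            # constructed sample zone; the key and signature below are not real
DNSKEY_TEXT = "256 3 5 AQOqu8zd"   # DNSKEY fields: flags protocol algorithm base64-key
# RRSIG fields: type alg labels ttl EXPIRATION INCEPTION keytag signer signature
RRSIG_TEXT = "A 5 2 3600 20080801000000 20080701000000 31905 example.test. c2lnbmF0dXJl"

def dnskey_rdata(text):
    """Wire-format RDATA (flags, protocol, algorithm, key) of a DNSKEY presentation line."""
    flags, proto, alg, key = text.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode(key)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B. Assumes algorithm != 1 (RSA/MD5), which B.1 tags differently."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical lowercase wire form of the owner name; it prefixes the DS digest input."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) the parent should publish for this DNSKEY."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]    # DS digest types 1 and 2
    return key_tag(rdata), rdata[3], digest_type, h(owner_wire(owner) + rdata).hexdigest()

def rrsig_time(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)  # YYYYMMDDHHmmSS, UTC

def rrsig_problems(rrsig_text, dnskey_text, now=None):
    """Why this RRSIG cannot validate with this DNSKEY (empty when it can); now may be a 14-digit UTC stamp."""
    f = rrsig_text.split()
    exp, inc = rrsig_time(f[4]), rrsig_time(f[5])
    now = rrsig_time(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    problems = []
    if now < inc:
        problems.append("signature not yet valid: compare inception with `date -u`")
    if now > exp:
        problems.append("signature expired: the zone needs re-signing")
    if int(f[6]) != key_tag(dnskey_rdata(dnskey_text)):
        problems.append("RRSIG key tag does not match this DNSKEY's key tag")
    return problems
```

Feed `make_ds` the child's DNSKEY as shown by dig and compare the tuple with the DS record dig returns from the parent; an empty list from `rrsig_problems` means the timing and key-tag checks pass.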

