In association with heise online

24 March 2010, 14:33

More security for root DNS servers

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Network Globe Teaser From today (Wednesday) at 5pm CET, the K DNS root server operated by the European RIPE internet registry will provide a DNS zone signed with the DNSSEC security protocol. Two hours earlier, the D-Root server operated by the University of Maryland will start returning signed responses. The E-Root server operated by NASA is scheduled to follow in the early evening.

This means that seven of the 13 central root servers which constitute the Domain Name System (DNS) responsible for domain name resolution on the internet will then return signed responses. On the sidelines of the 77th meeting of the Internet Engineering Task Force (IETF) in Los Angeles this week, the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign and the American National Telecommunications and Information Administration (NTIA) reported that so far the transition has been smooth.

The DNS Security Extensions protocol, called DNSSEC in short, is designed to provide improved DNS security. DNSSEC uses cryptographic signatures to authenticate the responses to DNS queries, which will prevent attackers from forging responses via security holes in the DNS protocol, such as those described by Dan Kaminski (cache poisoning). With this protocol, responses to DNS queries are only accepted as authentic if a public key can be matched with a private key. However, signatures can't be validated during the introductory phase. As a result, initially it will be unlikely that users notice the introduction of DNSSEC on the RIPE root server. While the response packets containing the signatures will be significantly larger, experts say that this doesn't present a problem if the respective resolvers are implemented correctly. For the time being, users will also still be able to access one of the remaining 6 root servers without DNSSEC. ICANN, VeriSign and the NTIA decided on this gradual transition as a precautionary measure.

If everything goes to plan, the public key is to be deployed from the 1st of July. From then on, validation will be possible. Encountering key matching difficulties could then mean that the internet becomes fully or partially inaccessible.

DNSSEC expert Jakob Schlyter of consultancy firm Kirei said the introduction has so far been unproblematic, talking to heise online. Schlyter said finding out whether more queries are now routed through the root servers without DNSSEC will require further analysis and that he was very optimistic about the feasibility of the remaining part of the schedule. However, it is this schedule created by the ICANN / VeriSign / NTIA team which has been criticised in Los Angeles. According to the team's announcement, the regional registrars of signed zones (for example .se or .cz) will be able to deposit their keys starting in May. DNSSEC aims to sign all levels. Some Top Level Domain (TLD) administrators, however, are of the opinion that this announcement was made rather late.

The engineers of UK registry Nominet have advised further caution with the introduction of DNSSEC. Together with their colleagues in Sweden and Australia, they had noted escalations in data traffic starting last summer. An analysis showed that the escalations were connected to the six-monthly key rollovers scheduled for various of the TLDs registered with RIPE. What initially looked like an attack (amplification attack) was actually caused by a software bug in BIND, or rather in dnssec-conf, which contained obsolete information about the source paths for new key material. This triggered endlessly looping DNSKey queries. Roy Arends of Nominet in Los Angeles said the problem has since been solved. However, the expert urgently recommended that the next generation of BIND, BIND 10, be completed as soon as possible. Talking to heise online, Jakob Schlyter emphasised that the intention is to avoid frequent key rollovers for the DNS root zone. (Monika Ermert)

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-962569
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit