New tool to make child's play of DNSSEC signatures
Security expert Dan Kaminsky has announced Phreebird, an easy-to-use tool set for creating digital signatures based on the DNS Security Extensions (DNSSEC). Talking to The H's associates at heise Security, Kaminsky said: "For domain administrators, Phreebird drastically simplifies the use of DNSSEC." Apparently, admins don't need to worry about configurations and can simply "enable DNSSEC, and all their zones are signed in an instant." The tool reportedly also allows ISPs to sign all their customers' domains in one go.
DNSSEC digitally signs DNS responses with cryptographic keys, which allows recipients to verify the authenticity of a message and the sender's status as a trusted link in the DNSSEC chain. Once fully established on all levels of the hierarchical DNS, a PC can, for instance, start from the root key and verify that replies are trustworthy all the way down to the signed end user domain. The approach is intended to prevent manipulations such as cache poisoning attacks.
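To make the chain of trust described above concrete, here is an added toy example (not part of the original article or of Phreebird): a constructed root -> org -> example.org hierarchy with tiny RSA keys, where each parent signs a DS record naming its child's DNSKEY, plus a spoofed answer that fails validation. The key sizes and record encodings are simplifications, not the DNSSEC wire format.

```python
import hashlib
# Toy RSA with tiny primes (demo only): real DNSSEC keys are 2048-bit RSA or ECDSA.
def make_key(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def pub(key):                  # DNSKEY record: the public (n, e) only
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):           # hash the record bytes, reduced into the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):           # RRSIG: signature over the record bytes with the zone's private key
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(dnskey, data, sig): # RRSIG check using only the public DNSKEY
    return pow(sig, dnskey["e"], dnskey["n"]) == digest(data, dnskey["n"])

def ds_record(dnskey):         # DS: hash of the child's DNSKEY, published and signed in the parent
    return hashlib.sha256(f"{dnskey['n']}:{dnskey['e']}".encode()).digest()

# Constructed zones: root (trust anchor) -> org -> example.org; each parent signs its child's DS.
ROOT, ORG, EXAMPLE = make_key(61, 53), make_key(101, 113), make_key(127, 131)
CHAIN = [
    {"zone": "org.", "dnskey": pub(ORG),
     "ds": ds_record(pub(ORG)), "ds_sig": sign(ROOT, ds_record(pub(ORG)))},
    {"zone": "example.org.", "dnskey": pub(EXAMPLE),
     "ds": ds_record(pub(EXAMPLE)), "ds_sig": sign(ORG, ds_record(pub(EXAMPLE)))},
]
A_RECORD = b"www.example.org. IN A 192.0.2.10"        # constructed answer record
ANSWER = {"rr": A_RECORD, "rrsig": sign(EXAMPLE, A_RECORD)}

def validate(trust_anchor, chain, answer):
    # Walk down from the root key: every DS must carry the parent's signature and must
    # match the child's DNSKEY; the final answer must verify under the leaf DNSKEY.
    key = trust_anchor
    for link in chain:
        if not verify(key, link["ds"], link["ds_sig"]):   # parent vouches for the DS
            return False
        if ds_record(link["dnskey"]) != link["ds"]:      # DS must name exactly this DNSKEY
            return False
        key = link["dnskey"]
    return verify(key, answer["rr"], answer["rrsig"])

def poisoned_response():
    # Spoofed reply: a rogue key re-signs a forged A record and is offered as the
    # example.org DNSKEY, but the org-signed DS names the legitimate key, so validation fails.
    rogue, forged = make_key(139, 149), b"www.example.org. IN A 203.0.113.66"
    chain = [CHAIN[0], dict(CHAIN[1], dnskey=pub(rogue))]
    return chain, {"rr": forged, "rrsig": sign(rogue, forged)}
```

`validate(pub(ROOT), CHAIN, ANSWER)` returns True for the genuine chain, while the same call on `poisoned_response()` returns False because the forged key is not the one the parent's signed DS record names.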
Only a few technical details about Phreebird 1.0 have so far become available. Kaminsky said that the tool isn't ready for production use. "The community of security experts hasn't sufficiently hacked away at Phreebird yet," explained Kaminsky. A report by Dark Reading says that testers initially need to register a test.org domain at GoDaddy.
Asked about the elaborate regular key renewals, Kaminsky said: "There has been too much emphasis on key renewals, and it literally makes up 95% of the technology's implementation costs. However, one of the next few versions will also support automatic key renewals in a similar 'no drama' way."
Phreebird, or rather the Phreeload add-on, is also ahead of its time in another respect: it can replace X.509 certificates in OpenSSL with DNSSEC signatures. The idea of choosing the hierarchically signed DNS as a certification instance and using DNSSEC signatures to obtain consistent certificates has also been discussed at length by the Internet Engineering Task Force (IETF).
(Monika Ermert / trk)