Open-source project aims to makes secure DNS easier

The software makes signing and key management simpler for implementing DNSSEC

A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.

The software, called OpenDNSSEC, automates many tasks associated with implementing DNSSEC (Domain Name System Security Extensions), which is a set a set of protocols that allows DNS (Domain Name System) records to carry a digital signature, said John A. Dickinson, a DNS consultant working on the project.

DNS records allow Web sites to be translated from a name into an IP (Internet Protocol) address, which can be queried by a computer. But the DNS system has several flaws dating from its original design that are being increasingly targeted by hackers.

By tampering with a DNS server, it's possible for a user to type in the correct Web site name but be directed to a fraudulent site, a type of attack called cache poisoning. That's one of many concerns that is driving a movement for ISPs and other entities running DNS servers to use DNSSEC.

With DNSSEC, DNS records are cryptographically signed, and those signatures are verified to ensure the information is accurate. Adoption of DNSSEC, however, has been held back by both the complexity of implementation and a lack of simpler tools, Dickinson said.

To sign DNS records, DNSSEC uses public key cryptography, where signatures are created using a public and private key and implemented on a zone level. Part of the problem is management of those keys, since they must be refreshed periodically to maintain a high level of security, Dickinson said. A mistake in managing those keys could cause major problems, which is one of the challenges for administrators.

OpenDNSSEC allows administrators to create policies and then automate managing the keys and signing the records, Dickinson said. The process now involves more manual intervention, which increases the chance for errors.

OpenDNSSEC "takes care of making sure that zone stays signed properly and correctly according to the policy on a permanent basis," Dickinson said. "All of that is completely automated so that the administrator can concentrate on doing DNS and let the security work in the background."

The software also has a key storage feature that lets administrators keep keys in either a hardware or security software module, an additional layer of protection that ensure keys don't end up in the wrong hands, Dickinson said.

The OpenDNSSEC software is available for download, although it is being offered as a technology preview and shouldn't be used yet in production, Dickinson said. Developers will gather feedback on the tool and release improved versions in the near future.

As of earlier this year, most top-level domains, such as those ending in ".com," were not cryptographically signed, and neither were those in the DNS root zone, the master list of where computers can go to look up an address in a particular domain. VeriSign, which is the registry for ".com," said in February it will implement DNSSEC across top-level domains including .com by 2011.

Other organizations are also moving toward using DNSSEC. The U.S. government has committed to using DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC.

Security experts argue that DNSSEC should be used sooner rather than later due to existing vulnerabilities in DNS. One of the more serious ones was revealed by security researcher Dan Kaminsky in July 2008. He showed that DNS servers could be quickly filled with inaccurate information, which could be used for a variety of attacks on e-mail systems, software updating systems and password recovery systems on Web sites.

While temporary patches have been deployed, it's not a long-term solution since it just takes longer to perform an attack, according to a white paper published earlier this year by SurfNet, a Dutch research and education organization. SurfNet is among OpenDNSSEC's backers, which also includes the ".uk" registry Nominet, NLnet Labs and SIDN, the ".nl" registry.

Unless DNSSEC is used, "the basic flaw in the Domain Name System -- that there is no way to ensure that answers to queries are genuine -- remains," the paper said.

Tags OpenDNSOpenDNSSECsecurityDNSDNSSEC

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?