CircleID has a comprehensive article on DNSSEC (The DNS Security Extensions): “A Fundamental Look at DNSSEC, Deployment, and DNS Security Extensions” that is worth reading.
The network infrastructure lead was kind of an asshole. He didn’t want to do a DNS upgrade project, but he didn’t want me to either.
After three thwarted attempts I gave up.
My understanding is the non-anycast parts of the projects (earlier phases) are taking place now (involving the very cool DNS Management software from Men and Mice). My current employer needs a DNS tuneup, so maybe I will get a second try at this.
But the most notable thing about DNS is its receding importance.
Firstly, we’re spending more and more time finding things via search. I bookmark things much less than I used to. I don’t type domain names in very often. The standard approach is to Google the approximately right term. If the Google link was a hard-wired IP address or some other naming/indirection system, nobody would really care. AOLers have been bypassing DNS with keywords for years.
DNS is also getting stiff competition from other namespaces. We don’t use DNS to locate people; increasingly we use handles from private IM services like MSN, Skype, AOL, etc.
We don’t use DNS to locate ideas. We’ve gone tag-mad instead.
We don’t use DNS to locate places. We just cut’n’paste the URL from Google Maps or Mapquest.
The author seems to be making the mistake of thinking that the usefulness of applications like Skype, Google, and MapQuest implies that DNS (part of the internet infrastructure, along with communications networks, shared standards, routing protocols, etc.) is not important.
IP is built on layers. Higher-layer applications depend upon the proper functioning of the lower layers. This is something the author seems to have forgotten.
The production of good quality peanuts is still important even though there are many brands of peanut butter to choose from.
SecuriTeam Blog reports that the ISC (which maintains BIND, a common DNS implementation) is setting up a registry called DLV to allow DNSSEC to be rolled out now, without waiting for the root and TLD zones to be signed. This would certainly help with cache poisoning. I wonder how quickly organizations will make use of this.
DNS is not very sexy and generally does not get much attention in organizations – as long as it works!
"It is well-known that nameservers in the Domain Name System are vulnerable to a wide range of attacks. We recently performed a large scale survey to answer some basic questions about the legacy DNS"
The article approached DNS security from an interesting point of view. It considered the total number of DNS servers involved in a query to get a sense of the scope.
While an organization might use DNS best practices to correctly configure their own immediate DNS servers, that is not sufficient.
Maybe it is time to consider an alternative Simple Internet Name Service (SINS). It might be a good idea for the National Science Foundation to kickstart the idea by announcing a contest with prizes for the top three results. The body of submissions would make a nice starting point for a future SINS.
I realize I left out one of the prudent steps all organizations should enforce as part of their Network Security Policy:
- Only allow your internal clients to talk to your own DNS servers. This negates the situation where they are bot'd and used as part of a DNS DDoS.
- If you have IT support people who may need to do direct DNS queries against other DNS servers on the internet as part of a troubleshooting function, either allow them explicitly, or set up a test/support machine that allows unfettered DNS queries (but requires explicit access authorization).
- Audit this policy and exceptions to it on a semi-annual basis.
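As an added example of the audit step (not code from the original post or any product it mentions), the script below checks constructed firewall connection-log lines against the policy above: internal clients may send port-53 traffic only to the organization's own resolvers, the support machine is an explicit exception that is reported rather than blocked, and everything else is a violation. All addresses, host names and log lines are constructed assumptions.

```python
# Added example: audit connection logs for internal hosts sending DNS traffic
# anywhere other than the organisation's own resolvers. All networks,
# addresses and log lines below are constructed for illustration.
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed client address space
OWN_RESOLVERS = {"10.0.0.53", "10.0.1.53"}            # assumed internal DNS servers
SUPPORT_HOSTS = {"10.0.9.10"}                         # assumed troubleshooting box (explicit exception)

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(log_lines):
    """Return (violations, exceptions_used).

    A violation is an internal host sending 53/udp or 53/tcp to anything but
    OWN_RESOLVERS. Traffic from SUPPORT_HOSTS is permitted by policy but is
    returned separately so the semi-annual audit can review the exception."""
    violations, exceptions_used = [], []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53" or m["proto"] not in ("udp", "tcp"):
            continue  # not DNS, or not a line in the expected format
        src, dst = m["src"], m["dst"]
        if not is_internal(src) or dst in OWN_RESOLVERS:
            continue  # external source, or a query to our own resolvers
        if src in SUPPORT_HOSTS:
            exceptions_used.append((src, dst))
        else:
            violations.append((src, dst))
    return violations, exceptions_used

# Constructed sample log; external addresses use documentation ranges.
SAMPLE_LOG = [
    "src=10.0.4.21 dst=10.0.0.53 proto=udp dport=53",     # allowed: own resolver
    "src=10.0.4.22 dst=192.0.2.8 proto=udp dport=53",     # violation: external resolver
    "src=10.0.9.10 dst=192.0.2.1 proto=udp dport=53",     # support host exception
    "src=10.0.4.23 dst=203.0.113.7 proto=tcp dport=443",  # not DNS, ignored
    "src=10.0.4.24 dst=198.51.100.9 proto=tcp dport=53",  # violation: DNS over TCP
]

if __name__ == "__main__":
    bad, exc = audit(SAMPLE_LOG)
    print("violations:", bad)
    print("exceptions used:", exc)
```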