Q&A: DNS inventor Paul Mockapetris

Four months after serious flaws in the internet’s addressing system were proven, its inventor is looking beyond the threats to help bolster web security.

By Miya Knights, 14 Nov 2008 at 11:30

You’ve mentioned the work you’re doing towards DNSSEC protocols. But most recently, the likes of ENISA (European Network and Information Security Agency) have been also looking at additional network-focused measures, around MPLS and IPv6. How important are these technology areas in bolstering web security as well?

Security people have to realise that if the design mechanisms for DNS are upgraded, the networks will have to do a series of upgrades to keep up. I’m actually speaking at an ENISA workshop in Brussels this week. And while they’re an agency for a political organisation, in reality they share the fact that, while it’s possible to share the art of securing internet applications, to deploy them is far from easy.

It’s not easy to integrate all these new technologies with all applications. And it’s not easy to get that integration to the point where it can be made seamless. In my presentation, I advocate ‘tough love’ for DNSSEC, where we can’t just proclaim success over Kaminsky’s DNS flaw, go away and rest on our laurels. But, instead, we must work on interfacing those patches to every application and migrating to IPv6.

How big a challenge do you feel the tough implementation and integration times ahead will be?

Half of all DNS systems haven’t been upgraded, and that’s including all levels of security, whether it be through 32, 64-bit, cryptographic or other means, leaving the threat of potentially turning whole sections of systems off if they are attacked. There is an issue with who signs the root too.

There’s also a one in 65,000 chance of attack in an unpatched server. This rises to one in four billion in those that have been patched. But attack vectors move very quickly. Our strategy has been to slow down those attacks and to check to understand if an attack is genuine or just a misunderstanding.

Another thing to bear in mind is, if your websites and applications are high-value domain targets for spoofers, you can be much more suspicious when allowing them to be updated. You can also only allow certain users to audit changes to a specific domain.

At Nominum, we have more data certified and signed for use for more applications than not. Our users are more comfortable using our DNS database, knowing it’s been digitally signed and secured. This has important potential use in the example of the leery implications around VoIP [voice over IP] browsing because of DNS attacks. But digital signature technologies in place can help scale the quality of service. And with the right level of internet security there’s a lot more you can do with other such open-ended tools.
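The odds quoted above come from the guess space a forged reply must hit: a 16-bit transaction ID alone gives 65,536 possibilities, and randomising the UDP source port as well pushes that to roughly four billion. As an added example (not from the interview, Nominum or any real resolver), the following Python models a resolver that accepts a reply only when both values match its outstanding query and counts every rejected reply as a detection signal; the ephemeral port range and the alert threshold are assumed values.

```python
"""Resolver-side model of the two checks behind the quoted odds.

Constructed illustration: a forged reply is accepted only if it matches
both the pending query's 16-bit transaction ID and its UDP source port.
Randomising the port widens the guess space from 2**16 to about 2**32,
and every rejected reply is an observable event a resolver can count.
"""
import secrets
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 64512       # assumed range: ports 1024..65535


def spoof_guess_space(txid_bits: int = 16, port_choices: int = 1) -> int:
    """Number of equally likely (txid, port) pairs a forged reply must match.
    A fixed port gives 65,536 (the 'one in 65,000'); randomising over the
    ephemeral range gives about 4.2 billion (the 'one in four billion')."""
    return (1 << txid_bits) * port_choices


@dataclass
class PendingQuery:
    txid: int
    src_port: int


@dataclass
class Resolver:
    randomize_ports: bool = True
    pending: dict = field(default_factory=dict)    # name -> PendingQuery
    rejected: dict = field(default_factory=dict)   # name -> mismatched replies

    def send_query(self, name: str) -> PendingQuery:
        txid = secrets.randbelow(TXID_SPACE)
        # Unpatched behaviour: one predictable port for every query.
        port = 1024 + secrets.randbelow(EPHEMERAL_PORTS) if self.randomize_ports else 53535
        self.pending[name] = PendingQuery(txid, port)
        return self.pending[name]

    def accept_reply(self, name: str, txid: int, dst_port: int) -> bool:
        """Accept a reply only if it matches the outstanding query exactly."""
        q = self.pending.get(name)
        if q is not None and q.txid == txid and q.src_port == dst_port:
            del self.pending[name]
            return True
        self.rejected[name] = self.rejected.get(name, 0) + 1
        return False

    def suspicious(self, name: str, threshold: int = 10) -> bool:
        """One stray mismatch is usually a late duplicate (a misunderstanding);
        a burst of them for a single name is the signature of guessing."""
        return self.rejected.get(name, 0) >= threshold
```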
