Q&A: DNS inventor Paul Mockapetris
Four months after serious flaws in the internet’s addressing system were proven, its inventor is looking beyond the threats to help bolster web security.
Security people have to realise that if the design mechanisms for DNS are upgraded, the networks will have to do a series of upgrades to keep up. I'm actually speaking at an ENISA workshop in Brussels this week. And while they're an agency for a political organisation, in reality they share the fact that, while it's possible to share the art of securing internet applications, to deploy them is far from easy.
It's not easy to integrate all these new technologies with all applications. And it's not easy to get that integration to the point where it can be made seamless. In my presentation, I advocate 'tough love' for DNSSEC, where we can't just proclaim success over Kaminsky's DNS flaw, go away and rest on our laurels. But, instead, we must work on interfacing those patches to every application and migrating to IPv6.
How big a challenge do you feel the tough implementation and integration times ahead will be?
Half of all DNS systems haven't been upgraded, and that's including all levels of security, whether it be through 32, 64-bit, cryptographic or other means, leaving the threat of potentially turning whole sections of systems off if they are attacked. There is an issue with who signs the root too.
There's also a one in 65,000 chance of attack in an unpatched server. This rises to one in four billion in those that have been patched. But attack vectors move very quickly. Our strategy has been to slow down those attacks and to check to understand if an attack is genuine or just a misunderstanding.
Another thing to bear in mind is, if your websites and applications are high value domain targets for spoofers, you can be much more suspicious when allowing them to be updated. You can also only allow certain users to audit changes to a specific domain.
At Nominum, we have more data certified and signed for use for more applications than not. Our users are more comfortable using our DNS database, knowing it's been digitally signed and secured. This has important potential use in the example of the leery implications around VoIP [voice over IP] browsing because of DNS attacks. But digital signature technologies in place can help scale the quality of service. And with the right level of internet security there's a lot more you can do with other such open-ended tools.
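The "one in 65,000" versus "one in four billion" figures above correspond to a resolver that checks only the 16-bit transaction ID against one that also randomises its UDP source port (16 + 16 bits). The following is an added illustration, not code from the interview or from Nominum: a minimal model of the checks a caching resolver applies before accepting a response, with a bailiwick rule for additional records (the generally cited mitigation for the Kaminsky-style cache poisoning the interview refers to). Record formats, field names and all sample values are constructed for the example.

```python
# Added example, not part of the original article. Models a resolver's
# response-acceptance checks and the size of the guess space an off-path
# forger faces with and without source-port randomisation.
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Query:
    txid: int          # 16-bit DNS transaction ID chosen by the resolver
    src_port: int      # UDP source port the query left from
    qname: str
    qtype: str
    server_ip: str     # authoritative server the query was sent to

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int      # port the response arrived on (must equal query src_port)
    src_ip: str        # address the response claims to come from
    qname: str
    qtype: str
    answers: dict      # constructed: name -> rdata for the answer section
    additional: dict   # constructed: name -> rdata for glue records

def make_query(qname, qtype, server_ip, randomize_port=True):
    """Fixed port 53 models the pre-patch resolver; a random ephemeral port the patched one."""
    port = secrets.randbelow(65536 - 1024) + 1024 if randomize_port else 53
    return Query(secrets.randbelow(65536), port, qname, qtype, server_ip)

def guess_space_bits(randomize_port):
    """Bits a forger must guess: 16 (txid only) or 32 (txid + source port)."""
    return 32 if randomize_port else 16

def in_bailiwick(name, zone):
    """True if `name` is at or below `zone` (the zone the queried server serves)."""
    return name == zone or name.endswith("." + zone)

def accept_response(q, r, zone):
    """Return (accepted, records_to_cache).

    A response is accepted only if txid, destination port, source address and
    question all match the outstanding query. Even then, additional (glue)
    records are cached only if they fall inside the answering server's zone,
    so an in-zone answer cannot be used to plant records for unrelated names.
    """
    if r.txid != q.txid or r.dst_port != q.src_port:
        return False, {}
    if r.src_ip != q.server_ip:
        return False, {}
    if (r.qname, r.qtype) != (q.qname, q.qtype):
        return False, {}
    cacheable = dict(r.answers)
    for name, rdata in r.additional.items():
        if in_bailiwick(name, zone):
            cacheable[name] = rdata
    return True, cacheable

if __name__ == "__main__":
    q = make_query("www.example.test", "A", "192.0.2.1", randomize_port=True)
    r = Response(q.txid, q.src_port, "192.0.2.1", "www.example.test", "A",
                 answers={"www.example.test": "198.51.100.10"},
                 additional={"ns.example.test": "192.0.2.53",
                             "www.unrelated.test": "203.0.113.9"})
    ok, cached = accept_response(q, r, "example.test")
    print(ok, sorted(cached))            # True, glue for unrelated.test dropped
    print(1 / 2 ** guess_space_bits(False), 1 / 2 ** guess_space_bits(True))
```

The bailiwick step is what turns a single lucky forgery from "whole sections of systems" being redirected into a problem confined to the zone actually being queried; the port randomisation step is what pushes the guess from one in 65,536 to one in roughly 4.3 billion.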