Kaminsky embraces DNSsec, reluctantly

Dan Kaminsky, director of penetration testing at IOActive, got a lot of attention last year when he discovered a flaw in the Domain Name System, which underlies the Internet, that could allow poisoning of DNS caches. Since then, he said, he has become a believer in the DNS Security Extensions (DNSsec), which digitally sign DNS records so that queries and responses can be trusted.

“I’ve never been a DNSsec supporter,” he said at the recent Black Hat DC security conference in Arlington, Va. But nothing scales like DNS, he said, not even security tools, so he sees no other solution but to use DNSsec.

That doesn’t mean he’s happy about it. He said DNSsec is too complex to implement and administer, sentiments shared by many who have worked with the technology. But help is on the way as vendors develop appliances to automate the processes that generate and update keys and do the signing.

In the meantime, 25 percent of DNS servers have not been updated with the quick-fix patch issued last year for the vulnerability, and stealthy exploits have appeared. Kaminsky estimated that 1 percent to 3 percent of unpatched servers have been poisoned.

It’s never too late to patch your servers, and it’s easier than implementing DNSsec.

About the Author

William Jackson is a Maryland-based freelance writer.
