Kaminsky embraces DNSsec, reluctantly
- By William Jackson
- Mar 06, 2009
Dan Kaminsky, director of penetration testing at IOActive, got a lot of attention last year when he discovered a flaw in the Domain Name System, which underlies the Internet, that could allow poisoning of DNS caches. Since then, he said, he has become a believer in the DNS Security Extensions (DNSsec) for digitally signing DNS servers so that queries and responses can be trusted.
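As an added example (not from the article), a small pure-Python check of what a DNSSEC-aware resolver hands back: the AD (Authenticated Data) flag in the DNS header, which only a validating resolver sets, and whether RRSIG records accompany the answer. The wire-format response is constructed inline for the demonstration; the RRSIG rdata is a placeholder rather than a real signature.

```python
import struct

RRSIG_TYPE = 46      # RR type number for RRSIG (RFC 4034)
AD_FLAG = 0x0020     # Authenticated Data bit in the DNS header flags

def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_response(msg):
    """Parse header and answer section; return txid, flags of interest, RR types."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                 # skip QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"txid": txid, "ad": bool(flags & AD_FLAG),
            "rcode": flags & 0x000F, "answer_types": types}

def dnssec_status(msg):
    """(validated_by_resolver, signatures_present) for one response."""
    info = inspect_response(msg)
    return info["ad"], RRSIG_TYPE in info["answer_types"]

def build_sample(ad, with_rrsig=True):
    """Constructed response for 'example.com A' (not captured traffic)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)            # QR, RD, RA (+AD)
    answers = 2 if with_rrsig else 1
    hdr = struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = hdr + question + a_rr
    if with_rrsig:
        sig = b"\x00" * 30                              # placeholder RRSIG rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, len(sig)) + sig
    return msg
```

The AD bit is only as trustworthy as the path to the resolver that set it; a stub on an untrusted network should validate signatures itself rather than rely on the flag alone.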
“I’ve never been a DNSsec supporter,” he said at the recent Black Hat DC security conference in Arlington, Va. But nothing scales like DNS, he said, including security tools. So he sees no other solution but to use DNSsec.
That doesn’t mean he’s happy about it. He said DNSsec is too complex to implement and administer, sentiments shared by many who have worked with the technology. But help is on the way as vendors develop appliances to automate the processes that generate and update keys and do the signing.
In the meantime, 25 percent of DNS servers have not been updated with the quick-fix patch issued last year for the vulnerability, and stealthy exploits have appeared. Kaminsky estimated that 1 percent to 3 percent of unpatched servers have been poisoned.
It’s never too late to patch your servers, and it’s easier than implementing DNSsec.
William Jackson is a Maryland-based freelance writer.