uncompiled.com

Comcast unveiled on Tuesday an aggressive plan to deploy new DNS security mechanisms that are designed to protect Web site operators and consumers from a specific type of hacking attack that involves hijacking Web traffic and redirecting it to bogus sites.

In a blog post, Comcast said it has deployed DNS Security Extensions — dubbed DNSSEC — throughout its nationwide network and will immediately make validating servers available to any of its customers that want to experiment with this emerging security technique.

In addition to this public trial of DNSSEC validation services, Comcast says it will digitally sign all of its own domain names — more than 5,000 in total — using DNSSEC by the first quarter of 2011.

By the end of 2011, Comcast says it will have production-quality DNSSEC resolution services available to all of its business and residential customers.

“There is often talk about a chicken-and-egg sort of problem with DNSSEC. People don’t want to sign their own domains with DNSSEC until people are validating signatures,” says Jason Livingood, Executive Director of Internet Systems Engineering at Comcast. “We want to explain how we as an ISP have a road map for validating signatures with DNSSEC.”

DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to authenticate their domain names and corresponding IP addresses using digital signatures and public-key encryption. When DNSSEC is fully deployed, Internet users will be able to verify that the Web sites they visit are digitally signed.

Comcast is believed to be the first U.S. carrier to announce plans to support resolution of DNSSEC queries for its customers as well as to sign its own domain names using DNSSEC.

“There are no large U.S. ISPs that have been publicly resolving and signing using DNSSEC in a large trial. But there are lots of people doing small little tests of DNSSEC,” says Paul Hoffman, Director of the VPN Consortium and an active participant in DNSSEC standards development work by the Internet Engineering Task Force.

Hoffman says until now no U.S. carrier has committed to DNSSEC resolution, which could be a stumbling block to DNSSEC deployment.

“Many people have been worried that there would be a lot of people signing their domain names, and no one checking for the resolution,” Hoffman says. “A major ISP doing both halves of the equation with DNSSEC is a big deal.”

DNSSEC is a hierarchical system, and it requires authentication at every step in the process of matching a domain name with the corresponding IP address. In order for a user to receive an authenticated response from a popular Web site such as www.amazon.com, DNSSEC needs to be deployed on the Internet’s root servers, the .com domain servers operated by VeriSign, and the DNS servers operated by Amazon or its Web-hosting company. Consumers who visit Amazon’s Web site also need their ISPs to validate the digital signature they receive.

DNSSEC is in the process of being deployed across the Internet’s infrastructure. The DNS root servers will be signed in July, and VeriSign has committed to supporting DNSSEC on the .com and .net servers by early 2011. The U.S. federal government is deploying DNSSEC across the .gov domain, and the Public Interest Registry is supporting DNSSEC in .org.

Once the DNS root servers as well as popular top-level domains such as .com and .net are signed, DNSSEC is expected to be widely adopted by Web site operators such as Amazon.

Until now, U.S. ISPs have been slow to commit to DNSSEC. That’s why Comcast’s DNSSEC announcement is significant.

“The intention of the trial is to see what things [happen] operationally with DNSSEC and to get ready to do this for the entire customer base once the root is signed and once the major top-level domains are signed,” Livingood says.

Comcast said its public trial of DNSSEC includes immediate availability of DNSSEC validating servers using an Internet addressing and routing scheme known as Anycast.

Comcast has 12 sites across its network that process and cache DNS queries, and all 12 of these locations will handle DNSSEC resolution during the public trial.

“Our subscribers should be able to expect the same level of service for our DNSSEC servers as with our regular DNS servers,” Livingood says. He added that “the critical difference with this trial is that DNSSEC will be on the servers that are very close to the customers just as the nomral DNS servers are so they won’t see a performance hit when they are using these on a trial basis.”

Until the DNS root servers are signed, Comcast will use what’s called a trust anchor repository to validate DNSSEC queries at the top of the DNS tree. Comcast is using IANA’s trust anchor repository for its public DNSSEC trial.

Comcast is promising an easy transition to production-level DNSSEC resolution services for its customers.

“When we turn on DNSSEC for all of our customers nationally in 2011, it will happen automatically,” Livingood says. “We will have tested it, and it will be seamless. People will not have to change their IP addresses. It will all occur behind the scenes.”

Comcast also revealed its roadmap for signing its own domain names by March 2011. Comcast already has end-to-end DNSSEC validation on several domains including www.comcast.org, www.mycomcast.org and www.comcastbusiness.org .

“We have 5,000 top-level domains that we manage like Comcast.net that we’re talking about signing,” says Chris Griffiths, manager for high-speed Internet engineering at Comcast.

Comcast is using Nominum’s authoritative DNS software for its DNSSEC trial and deployment.

“Comcast is one of Nominum’s largest DNS customers and has long been a model for the industry on how to do DNS right,” Nominum said in a statement. “Their plan to deploy our DNSSEC solution to combat cache poisoning and help mitigate other online threats is a significant milestone in the evolution of DNS technology and will help make the Internet a safer place for everyone.”

Comcast said that the cost of deploying DNSSEC for both resolving queries and signing its domains is minimal.

“It’s not a huge investment,” Livingood says. “We upgraded the hardware on the servers in the past six months to be able to handle the computational load for signing this number of domains. But it hasn’t required a substantial investment, although we have been working closely with our vendors to make sure the tools were easy to use and that it was not an onerous process.”

Comcast has been experimenting with DNSSEC since 2008, when a high-profile flaw in the DNS — commonly known as the Kaminsky Bug — was revealed. DNSSEC is the only long-term fix for preventing Kaminsky-style attacks.

“Back then, we started working on all the operational issues of how difficult it is to sign zones, how difficult it is to do key roll-over and what are the challenges related to validating domains,” Livingood says. “We sent a lot of feedback to the vendors we use…We think we’re at the stage where a lot of this stuffy is ready to use.”

Comcast is hoping that its public trial of DNSSEC resolution services and its commitment to signing its own domains will prompt other carriers to follow suit.

“What we’re really trying to do is announce our own plans so that we can be a catalyst for others to take action and get serious about DNSSEC,” Livingood says. “We’re trying to move the Internet community ahead on DNSSEC.”

Comcast’s residental and business customers can learn more about its DNSSEC trial by visiting www.dnssec.comcast.net.

Source

Internet engineers continue to enhance Internet security with the release of OpenDNSSEC, a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process, including secure key management and rollover issues. With OpenDNSSEC, fewer manual operations are needed by the operator.

OpenDNSSEC ensures that all the steps in signing process are done in the correct order and at the right time, making sure that nothing breaks. The issue of storing the private keys associated with DNSSEC signing has been handled using so-called HSMs (Hardware Security Modules), so that the private keys can not be leaked to an unauthorized third party.

OpenDNSSEC works in all Unix-like operating systems and is suitable both for those who will only sign a single large zone (such as top-level domains) and those who have many small zones (e.g. web hotels, ISPs).

Developed by industry leaders including .SE (The Internet Infrastructure Foundation), NLNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson, OpenDNSSEC will seamlessly integrate domain name security extensions (DNSSEC) into already existing IT systems without the need for organizations to change their infrastructure.

OpenDNSSEC has some known issues, but they will be fixed in a future release:

* Auditor slow for large zones
* KSK rollover requires manual timing
* Too slow when handling massive number of zones.

Source

Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results.

The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server accepts queries from the internet at large, a designation known as recursive. The combination of name servers being both recursive and using DNSSEC to validate records is rare, according to this advisory from the Internet Systems Consortium, which maintains Bind.

Source

Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet’s DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.

According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an “open recursive” or “open resolver” system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. “The two leading culprits we found were Telefonica and France Telecom,” he said.

In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu.

Though he hasn’t seen the Infoblox data, Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of “the increase in home network appliances that allow multiple computers on the Internet.”

“Almost all ISPs distribute a home DSL/cable device,” he said in an e-mail interview. “Many of the devices have built-in DNS servers. These can sometimes ship in ‘open by default’ states.”

Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what’s known as a DNS amplification attack.

In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim’s computer. If the bad guys know what they’re doing, they can send a small 50 byte message to a system that will respond by sending the victim as much as 4 kilobytes of data. By barraging several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.

DNS experts have known about the open recursive configuration problem for years, so it’s surprising that the numbers are jumping up.

Source

Preparations for securing the domain name system root zone using the DNS Security Extensions (DNSSEC ) protocol are entering a key phase. At the 76th meeting of the Internet Engineering Task Force (IETF) in Hiroshima, the design team from VeriSign, the internet administration authority ICANN and the US NTIA presented the strict security conditions under which the various keys required will be generated, held and renewed. IETF developers expressed concerned about the lack of channels for both explaining the DNSSEC rollout, scheduled to commence in January, to ISPs and for collecting reports of anything untoward from the ISPs.

In October, ICANN and VeriSign surprised many observers with their proposed timetable for DNSSEC root zone signing. Signatures will be used internally from as early as 1st December and the first root server will serve the zone to the outside world from January. Cryptographically secured DNSSEC signatures are intended to prevent DNS information from being changed en-route from sender to recipient. If a response comes from the wrong domain, this will be revealed by checking private against public keys.

Signing the root zone is necessary to ensure that there is an unbroken chain of trust running right through the entire domain name system when converting domain and host names to IP addresses. Some top level domains, including .se and .org, have already signed their zones. Since the changes to the DNS are considerable and errors could knock out big chunks of the internet, the roll-out is to take place a step at a time. One by one, following the sequence L, J, M, I, D, K, etc., root servers will start to issue signed responses from January. The last server will be A, scheduled for May. IETF developers are warning that leaving A to last is a bad idea, as it promotes the long-obsolete myth that A is something special.

Source