[ISN] Secure DNS faces resistance

InfoSec News isn at c4i.org
Thu Dec 8 10:05:56 EST 2005


http://www.cbronline.com/article_news.asp?guid=5CB02292-1149-4657-BA91-3F67AA4C91B5

By CBR Staff Writer
1st December 2005

The deployment of DNSsec, an enhancement to the domain name system
that could protect against certain types of phishing and pharming
attacks, is still facing skepticism and resistance from those who
would be involved in implementing it.

While the vulnerabilities in the DNS are well known, the absence of
widespread attacks, regulations, and proven business models are
holding back DNSsec adoption, speakers here at the ICANN annual
meeting in Vancouver said yesterday.

Speaking during a workshop on the technology, Keith Schwalm of Good
Harbor Consulting, a former US Secret Service agent, said that even
the financial sector, traditional security early-adopters, are not
rushing DNSsec.

"What's important to them is they make this transition logically, and
they are going to be very slow and methodical about it," he said.  
"They have expressed an understanding that it's important to their
business, but it's not at the top of their list."

Regulations such at the latest FFIEC rules that mandate two-factor
authentication in US online banking services by the end of 2006 will
form the focus of the financial services sector's security efforts
over the next 12 months, he said.

DNSsec is designed to add a layer of cryptographic signing to DNS
records, so that when there is an attempt to resolve a domain name to
an IP address, the user can have a higher degree of confidence that
they are receiving the correct answer.

It was yesterday demonstrated to be possible to use cache poisoning to
conduct a man-in-the-middle attack that sends the user to the wrong IP
address, where data can be phished.

It's possible that a web surfer could think they are visiting their
bank or an auction site and hand over their sensitive data, and it
would be impossible to tell they were at a malicious site.

But there are few, if any, well-documented widespread attacks such as
this, and even those in the domain industry are unsure that DNSsec
deployment should be an urgent priority.

"We're still somewhat skeptical about DNSsec, but we want to be
open-minded, we want to learn more," said Paul Diaz of Network
Solutions Inc, one of the largest domain name registrars.

The domain name industry is discussing what drivers for DNSsec
adoption will be, and so far there is little agreement. Will it be
regulation-driven? Consumer-driven? Or driven by online businesses
eager to give customers an extra layer of security.

Several speakers here at the Internet Corp for Assigned Names and
Numbers meeting suggested that adoption could be driven by e-commerce
sites or developers of popular software.

"If Google or MSN or Yahoo said 'We're going to give number one
ranking to anyone who's got DNSsec', the registrars would be in there
like a shot," said Bruce Tonkin, of Melbourne IT Pty Ltd, an
Australian registrar.

"I can envisage browsers that are enabled with capabilities that would
only display domain links that are secured," said Rick Wesson of
Alice's Registry, which has already rolled out a DNSsec test. "It
enables classes of content and classes of service that are delineated
by security zones."

In the absence of those kinds of drivers, registrars are still
pondering whether to start offering DNSsec signing as a value-added
service when people register domain names, but they're not sure there
is either understanding or demand.

"I don't think the market will understand the precise benefits here,
and I don't think the market needs to. We see plenty of examples where
the perception of additional security is enough," said Stuart
Schechter of MIT.

Ram Mohan, chief technology officer of Afilias Ltd, said: "Give it a
name, call it the 'anti-pharming system' then you have the attention
of the business folks".

Schechter pointed to the web server SSL certificate market as an
example, where prices are often wildly different for essentially the
same technology: "A large part of market is willing to pay an
additional $900 just for the VeriSign branding."

The registrar market also deals with razor-thin margins most of the
time, so registrars are keen to figure out whether they will actually
be able to see return-on-investment when they roll out DNSsec.

Adding cryptographic keys to DNS obviously adds costs to the
infrastructure -- cryptographic functions can be CPU-intensive, and
there are additional storage, bandwidth and memory requirements for
handling the keys.

Some registrars talk of adding a "significant" add-on fee for DNSsec
"expert services", while others talk of making domain registration a
case of picking from two services -- a domain name and a "secure
domain name", the latter costing more.

Others in the space talk not about the financial return from
implementing the technology, but from the potential loss that could
arise from not implementing it.

"The answer is not return on investment, but return on risk,"  
Afilias's Mohan said. "How much risk are you willing to take, how much
risk do you want to mitigate, that is the metric that ought to apply."

Afilias is operator of .org, one of the first top-level internet
domains to implement DNSsec. The company's test-bed has been running
for a month and has a handful of domains actively experimenting with
the technology.





More information about the ISN mailing list