US government to consider encrypting root zone DNS hosts
By Scott M. Fulton, III | Published November 24, 2008, 6:49 PM
The public comments period has officially ended for the NTIA's consideration of requiring domain name servers within the Internet's root zone to, at long last, encrypt their communications. Could there really be any opposition?
For well over a decade, the Internet has had available to it a security measure called DNSSEC that would enable DNS hosts to request that communications between each other be encrypted, using public key cryptography. That way, all DNS messages could be traced back to a verifiable source, conceivably thwarting any possibility of a cache poisoning nightmare on the order of the one that security researcher Dan Kaminsky warned about last summer.
As with all major upgrades to a platform infrastructure, the big problem is rolling out changes in a way that's backward compatible with the older system. With a security upgrade, that's a problem because in any situation where security is optional, admins may choose the easiest system to control, and malicious users will always exploit the insecure option.
But last month, Microsoft revealed it planned to support DNSSEC with its next versions of Windows, including Windows 7. That could be a major boost for the long-standing security option's chances of being integrated into the infrastructure of the Internet, now that the National Telecommunications and Information Administration is considering public comments with respect to a proposal to implement DNSSEC at the root zone of the Internet.
"Over the years, a number of vulnerabilities have been identified in the DNS protocol that threaten the accuracy and integrity of the DNS data and undermine the trustworthiness of the system," reads an NTIA statement last month. "In particular, due to technical advances, vulnerabilities in the existing DNS have recently become easier to exploit. Malicious parties may use these vulnerabilities to distribute false DNS information, and to improperly re-direct Internet users. DNSSEC was developed to mitigate these vulnerabilities. Accordingly, the Department is exploring the deployment of DNSSEC at the top level of the DNS hierarchy, known as the root zone."
DNSSEC is not a particularly complex system. If you understand public key cryptography, you know that an unshared private key is used to encrypt communications between entities, but a public key, which is a mathematical function of the private one, can decrypt them. The fact that it decrypts them serves as proof that the holder of the private key must have authored the communication, so the public key is shared with everyone. DNSSEC enables a DNS host to request a public key from a DNS server -- something the typical DNS server does not provide.
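The chain of trust that RFC 4033 (in the reading list below) actually specifies, reduced to a runnable sketch as an added example that is not from the article: each zone signs its record sets with its private key, the parent zone publishes and signs a hash of the child's public key (the DS record), and a validating resolver walks from the root key down before accepting an answer. The keys, zone names and addresses here are constructed toys, not real DNSSEC wire formats.

```python
import hashlib

# Toy RSA on pairs of known Mersenne primes so that n > 2^256 and a SHA-256 digest
# can be signed directly; constructed for illustration, not a real DNSSEC signer.
def keypair(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def canonical(name, rtype, rdata):
    # Canonical RRset form: lower-cased owner name, records sorted (RFC 4034)
    return f"{name.lower()} IN {rtype} " + " ".join(sorted(rdata))

def digest_int(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign_rrset(priv, name, rtype, rdata):
    n, d = priv                       # the result plays the role of an RRSIG
    return pow(digest_int(canonical(name, rtype, rdata)), d, n)

def verify_rrset(pub, name, rtype, rdata, rrsig):
    n, e = pub
    return pow(rrsig, e, n) == digest_int(canonical(name, rtype, rdata))

def ds_of(pub):
    # DS record: hash of the child's DNSKEY, published and signed in the parent
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def validate_chain(trust_anchor, chain, name, rtype, rdata, rrsig):
    # chain: [(zone, child DNSKEY, RRSIG over that zone's DS made by its parent)]
    # ordered from the TLD down to the zone that owns the queried RRset
    parent_pub = trust_anchor
    for zone, child_pub, ds_sig in chain:
        if not verify_rrset(parent_pub, zone, "DS", [ds_of(child_pub)], ds_sig):
            return False              # broken link: treat the answer as bogus
        parent_pub = child_pub
    return verify_rrset(parent_pub, name, rtype, rdata, rrsig)

def demo():
    root_pub, root_priv = keypair(127, 521)       # root zone key = trust anchor
    com_pub, com_priv = keypair(89, 607)          # TLD key
    ex_pub, ex_priv = keypair(107, 1279)          # example.com key
    com_ds_sig = sign_rrset(root_priv, "com.", "DS", [ds_of(com_pub)])
    ex_ds_sig = sign_rrset(com_priv, "example.com.", "DS", [ds_of(ex_pub)])
    chain = [("com.", com_pub, com_ds_sig), ("example.com.", ex_pub, ex_ds_sig)]
    rdata = ["192.0.2.10"]                        # constructed sample answer
    sig = sign_rrset(ex_priv, "www.example.com.", "A", rdata)
    genuine = validate_chain(root_pub, chain, "www.example.com.", "A", rdata, sig)
    # A poisoned answer carries substituted rdata; the original RRSIG no longer matches
    forged = validate_chain(root_pub, chain, "www.example.com.", "A", ["198.51.100.7"], sig)
    return genuine, forged
```

A resolver without the root key as trust anchor has no way to start this walk, which is why signing the root zone itself matters.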
Conceivably, DNSSEC's biggest potential boon has been its ability to harden the security of IPsec, the encryption of all IP packets between server and client...which typically takes place after their DNS names have been resolved. Microsoft has supported IPsec for some time, and has embraced it with the latest Windows Server 2008. But for IP hosts to make use of it, they have to use some makeshift protocol for exchanging their public keys with each other -- a process that, frankly, looks a little obvious to anyone who happens to be sniffing for such transactions. If DNSSEC were in place, those public keys would be returned by the DNS servers instead, enabling hosts to use IPsec with one another without the unsightly social miscues.
For more:
- RFC 4033: DNS Security Introduction and Requirements.
- "The Basics of DNSSEC" by Ibrahim Haddad and David Gordon. From O'Reilly's SysAdmin.
- "DNSSEC on Windows 7 DNS client" by Shyam Seshadri. From his Port 53 blog on Microsoft TechNet.
- "Unwitting Collaborators, Part 11: DNS Poisoning and Domain Hijacking, Corrective Actions" by Frank Fiore and Jean Francois. From InformIT.
For the last several years, reluctance toward deploying DNSSEC has centered around two problems, one being that it's virtually impossible to roll out a security standard for the Internet all at once. Assuming that a fallback mode must be supported in the meantime, suppose one DNS host requests a public key and the server can't respond because it hasn't been upgraded? How should the host handle this sort of failure? Ignoring the failure, believe it or not, and requesting the domain name data in the clear has been considered as an option.
Another objection is that DNSSEC doesn't actually specify how the root servers themselves will be secured. If you build a fortress with an obviously insecure back door, you're essentially painting a red target on yourself.
In an effort to address these concerns, Microsoft's engineers have worked out a way to merge group policy -- the mechanism already in place for setting rules for how clients behave in a widely deployed network -- with DNSSEC. In a similar fashion to how Active Directory currently works, policies can designate which domain names in a network are only resolvable through DNSSEC, and which subdomains within that domain may be exceptions. This way, there's no obvious fumbling around between DNS hosts over what a public key is and whether one is available.
"The Name Resolution Policy Table (or NRPT for short) is a table of settings and configuration which defines the DNS client's behavior when sending out queries and tells it what to do when receiving responses," wrote Microsoft's DNS program manager, Shyam Seshadri, in a blog post last week. "The NRPT contains settings that pertain to DNSSEC as well as another new Windows 7 technology known as DirectAccess."
When the entire IP session is already completely encrypted and secured, the need to tunnel beneath existing protocols to establish and secure a virtual private network (VPN) completely disappears. At WinHEC 2008 earlier this month, Microsoft premiered this approach as DirectAccess, a future component of Windows Server 2008 R2 and Windows 7, and Microsoft's complete replacement for the VPN.
"DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access -- without the need to VPN," reads a recent Microsoft marketing page entitled "Windows 7 for the Enterprise." "When IT enables DirectAccess, the whole corporate network file shares, intranet Web sites, and line-of-business applications can remain accessible wherever you have an Internet connection."
If DNSSEC is widely deployed next year both at the very front end of the Internet -- in users' DNS clients on Windows 7 -- and at the very back end infrastructure, there's a good chance that the historical causes for objections to the protocol could be rendered moot.
Perhaps you read 'hosts' and 'between' differently than I do.
Score: 0
|What this is really about is the "as usual" waiting for MS to figure out how to implement it in Windows.
Whereas in Unix, it's as complex as:
http://www.dnssec-tools.....php/Installing_on_Unix
Score: 0
|Right... How many millions of Windows users? And you expect them all to drop to a command line and type something? We can't even expect them to click the appropriate yes/no button on the "do you want to install spyware" popup.
And the link you gave includes one link to a non-existent page for optional modules (which many people will click on and be confused about (please don't argue their source of confusion)) and one link to modify their "run time load path" on linux, even though the article is about unix.
So yes, we _are_ waiting for MS to figure out how to implement it in Windows.
Also, the other big question is, "what do we break?" Win95, Win9x, WinME (fine by me), 2K, XP? 2K and older are no longer supported by MS and XP is getting near to end of lifecycle. The pure geek would say "break it all" and force everyone to upgrade (slash switch to *nix) but the reality is that there would be a million calls every day for people whose computer just suddenly "broke" without them doing anything (especially since some of us previously pirated Windows onto their machine and disabled WUA).
Score: 0
|"2K and older are no longer supported by MS"
2K still is.
Score: 0
|Yawn.
The point you missed is that the issue is easily provided and implemented with the very diverse offerings of UNIX - with a far greater number oriented horizontally with MANY variants than your list of old vertically oriented Windows VERSIONS - and I am sorry if the relation of Linux to UNIX confuses you! LOL!
So yes, the issue is relatively easy to implement in the UNIX realm, while implementation in Windows requires a convoluted workaround. And you nitwit, the link was provided simply to show that the mods already exist - which they do - in the UNIX world - not to provide a step by step tutorial for you.
Thus, the fundamental problem that is holding up the process is waiting for MS to figure out a way to implement it without breaking Windows and its 'anything but well behaved' infrastructure.
And this promises to be a much larger benefit to enterprise backends and servers than to a bunch of individual desktops.
And like I give a sh!t about a bunch of idiots who are running pirated stolen copies of Windows!
Score: 0
|Paul, you uncaring cad! ;-)
You need to show more compassion to those running PIRATED copies of the unsupported OS!
LOL!
Score: 0
|Even they are, aren't they?
I know in theory all pirated copies are unsupported, but I thought there was no Win2000 WGA type thing.
Score: 0
|When a prompt for WGA is given on W2K, it is just skipped.
W2K is in extended support (free security patches only from this point) and that support ends at the earliest on 7/13/2010. After that date you will need to pay MS or a third party for support, and the costs are extremely high.
Microsoft has extended these support deadlines in the past, however, and it probably will if Windows 7 is delayed past Q4 '09.
The great thing about Windows (business OS, at least) is that they have the best support, bar none. 10+ years per OS for ~$120 or so is really a steal...
Score: 0
|Do it.
Score: 0
|About time!!
Score: 0