About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it being necessary to somewhere express my personal view on things. This is the location where that happens. Postings on this blog, or at Facebook, Twitter etc, falls under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

ICANN releases paper on Domain Name Security

Today ICANN releases a paper with the title DNSSEC @ ICANN — Signing the root zone: A way forward toward operational readiness. The paper explains in more detail than earlier documents what ICANN view on signing of the root zone is. I think the key points mentioned in this paper are true, and in general, I think this document is a good read. It is not long, and summarizes what I would call the current view is.

There have been some recent discoveries of threats to DNS. All described for example in CERT VU#800113. More information about these issues has now leaked and we have already some exploit code. For example CAU-EX-2008-0003. We also have data from Austria that show that a too low percentage of resolvers are upgraded. And further that the upgrade of software is not going as fast as one would hope. (Thanks Otmar et al for good work!)

No single detail in the attack is really new, but the combination of things is new, and the situation scares me. The fixes suggested (like upgrading Bind to a version that is secure according to column 29 in the BIND Vulnerability Matrix) is bringing us back to a situation where we thought we where. But the real solution is to digitally sign the data in DNS, and secure the full path between querying client and authoritative server. DNSSEC is today a solution to a large piece of that, but it also have to be deployed.

And the ICANN document just released is because of that good stuff.

Comments are closed.