
Schneier on the DNS vulnerability

Bruce Schneier seems to have lots to say today about things of interest to the free software community. Here is an essay he wrote about the DNS vulnerability—for which the details have leaked—that originally appeared in Wired. We also covered the secrecy issue surrounding the flaw in early July. "Of course, the details leaked. How isn't important; it could have leaked a zillion different ways. Too many people knew about it for it to remain secret. Others who knew the general idea were too smart not to speculate on the details. I'm kind of amazed the details remained secret for this long; undoubtedly it had leaked into the underground community before the public leak two days ago."

DNS still insecure

Posted Jul 30, 2008 8:01 UTC (Wed) by ldo (subscriber, #40946)

I don't understand why so much fuss has been made about this vulnerability. DNS has always been insecure, short of using DNSSEC. And nobody uses DNSSEC. So plugging this one little hole still leaves gaping security chasms wide open.

DNS still insecure

Posted Jul 30, 2008 14:45 UTC (Wed) by rfunk (subscriber, #4054)

It simply hasn't been (known to be) quite this vulnerable before. At least not in a long time.

Nobody uses DNSSEC

Posted Aug 3, 2008 18:45 UTC (Sun) by dps (subscriber, #5725)

I think the main reasons nobody uses DNSSEC are

1. It is a pain to implement. Not that many people can justify a non-internet-connected box just for signing zones. Some places do have an appropriate infrastructure, but these are generally niche vendors of security hardware.

I can see DNSSEC could be implemented with an HSM (Hardware Security Module) with a lot less hassle. This would be too expensive for most zones because HSMs are for people with serious money to spend on security and are priced accordingly.

2. None of the root zones supports DNSSEC, so it is hard to see how secure key records could be implemented. If .com or another popular zone started using and promoting DNSSEC, then I suspect it would become much more common.

3. Since nobody uses DNSSEC, very few resolvers support it anyway. AFAIK glibc does not support verifying SIG records, so the security benefits are negligible. While this remains true, why implement DNSSEC for your zone?

Until someone with clout implements and pushes DNSSEC I doubt it will be widely implemented.

Nobody uses DNSSEC

Posted Aug 4, 2008 7:20 UTC (Mon) by shane (subscriber, #3335)

> 1. It is a pain to implement. Not that many people can justify a non-internet-connected box just for signing zones. Some places do have an appropriate infrastructure, but these are generally niche vendors of security hardware.

> I can see DNSSEC could be implemented with an HSM (Hardware Security Module) with a lot less hassle. This would be too expensive for most zones because HSMs are for people with serious money to spend on security and are priced accordingly.

While such levels of security may be important if you are hosting a lot of zones, for small sites you can simply put your key on a hard disk. If you are worried about security, you can put it on a USB memory stick, encrypt it, and keep it off-line in a secure location. Only if you are super-paranoid about security do you care about an HSM.

> 2. None of the root zones supports DNSSEC, so it is hard to see how secure key records could be implemented. If .com or another popular zone started using and promoting DNSSEC, then I suspect it would become much more common.

Several ccTLDs already support DNSSEC: .se, .br, .pr, .bg (and the internationalized domain name test domains, for some reason). .org will be signed this year, but probably not accessible to most end users until 2010. :(

Perhaps this recent problem will convince political types to allow the root zone to be signed?

> 3. Since nobody uses DNSSEC, very few resolvers support it anyway. AFAIK glibc does not support verifying SIG records, so the security benefits are negligible. While this remains true, why implement DNSSEC for your zone?

I think you are confusing "stub resolvers" with "recursive resolvers". Typically machines on the Internet just send DNS lookups to a recursive resolver, which then tracks down the result. So, the values you see in /etc/resolv.conf will normally point to a couple of servers run by your ISP, and these are the machines that need to support DNSSEC.

These servers typically do support DNSSEC, and only return validated results to the clients.

While of course it would be nice if clients also understood DNSSEC, most caching resolvers do support DNSSEC.

> Until someone with clout implements and pushes DNSSEC I doubt it will be widely implemented.

I doubt even then.

The technology does actually prevent the attacks it sets out to solve, but it is an open question whether it is deployable.
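An added illustration of the stub/recursive split described in the comment above (it is not part of the thread and not any poster's code): a stub resolver that wants to know whether its recursive resolver validated an answer sends an EDNS0 OPT record with the DO ("DNSSEC OK") bit set and then inspects the AD ("Authenticated Data") flag in the response header, both defined in RFC 4035. The code below builds such a query from scratch, parses the header flags and the OPT record of a response, and classifies the result. The response packets it checks are constructed inline so the script runs offline; nothing here talks to the network.

```python
import struct

# DNS constants (RFC 1035 / RFC 4035 / RFC 6891)
QTYPE_A = 1
QCLASS_IN = 1
TYPE_OPT = 41          # EDNS0 pseudo-record carried in the additional section
EDNS_DO = 0x8000       # "DNSSEC OK" bit in the OPT record's flags field
FLAG_QR = 1 << 15      # response
FLAG_RD = 1 << 8       # recursion desired
FLAG_RA = 1 << 7       # recursion available
FLAG_AD = 1 << 5       # authenticated data: resolver validated the answer
FLAG_CD = 1 << 4       # checking disabled: client asked the resolver not to validate


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, want_dnssec=True):
    """Build an A query; with want_dnssec an OPT record with DO set is appended."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if not want_dnssec:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extrcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(packet):
    """Decode the 12-byte header into the flags a stub resolver cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(packet, offset):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def response_do_bit(packet):
    """True if the response carries an OPT record whose DO bit is set."""
    hdr = parse_header(packet)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(packet, off) + 4          # skip QTYPE and QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == TYPE_OPT:
            return bool((ttl & 0xFFFF) & EDNS_DO)  # low 16 bits of TTL are the EDNS flags
        off += 10 + rdlen
    return False


def validation_status(response):
    """Classify what the recursive resolver is telling the stub about this answer."""
    hdr = parse_header(response)
    if hdr["cd"]:
        return "checking-disabled"   # stub opted out; AD is meaningless here
    if hdr["ad"]:
        return "validated"           # resolver claims it verified the DNSSEC chain
    return "unvalidated"             # unsigned zone, or a resolver that does not validate


def build_response(txid, name, address, validated=True):
    """Constructed sample response (not captured traffic): one A record plus an OPT record."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xC0\x0C"                                     # pointer to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes(int(o) for o in address.split(".")))
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print("query bytes:", q.hex())
    for v in (True, False):
        r = build_response(0x1234, "example.com", "192.0.2.1", validated=v)
        print("AD=%s DO=%s -> %s" % (parse_header(r)["ad"], response_do_bit(r), validation_status(r)))
```

The AD flag only says what the recursive resolver did; the stub has to trust that resolver and the path to it, which is exactly why the comment above places the validation burden on the ISP's or site's recursive servers rather than on every client. Keep the CD case separate: when a client sets CD it is asking for unvalidated data on purpose, so a set AD bit in that reply must not be read as a validation result.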

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds