DNSSEC Compromised Again?
Yet another flaw is found in technology aimed at fixing DNS's own flaws. Should we worry?
DNS Security Extensions is supposed to be the technology that helps to secure the Domain Name System, or DNS, against attack. Yet DNSSEC implementations aren't infallible, as a pair of vulnerabilities proved this week.
While it's critical to the operation of the Internet as a whole, DNS came under intense scrutiny in 2008 after security researcher Dan Kaminsky disclosed that it was at risk from a widespread vulnerability. Developing a long-term solution to DNS security problems is what the creation of DNSSEC is all about.
Yet, this week, researchers identified DNSSEC itself as being at risk from a cache-poisoning attack.
Specifically, the widely deployed BIND DNS server's DNSSEC implementation was identified as being at risk from a DNSSEC-validation vulnerability. The ISC (Internet Systems Consortium), which is the lead group behind the development of BIND, has now issued patches for the affected BIND servers.
The newly found DNSSEC issue is the second such flaw to have surfaced in the past three months, with a similar vulnerability having been reported and patched in November.
"As with the previous vulnerability, the risk is that a recursive name server configured to use DNSSEC validation will cache unvalidated responses -- in this case an NXDOMAIN response," Cricket Liu, author of DNS and BIND Cookbook and a vice president at DNS vendor Infoblox, told InternetNews.com. "NXDOMAIN responses are sent to indicate that the domain name being looked up doesn't exist. So, basically, a hacker could falsely claim that a domain name didn't exist, even though the zone that contained the domain name was signed using DNSSEC."
Liu added that the actual vulnerability in BIND has been assessed as low severity by the ISC, and that all network administrators need to do to protect themselves is to upgrade to the latest version of BIND.
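The caching behaviour Liu describes, modelled as an added Python example (not code from BIND, the ISC or the article): a toy negative cache admits NXDOMAIN answers either unconditionally (the flawed policy) or only when the validator proved the nonexistence for a signed zone (the hardened policy). The Response fields, the policy class and the sample names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Validation outcomes a DNSSEC-aware resolver assigns to an answer
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class Response:
    name: str
    rcode: str            # "NOERROR" or "NXDOMAIN"
    zone_signed: bool     # the authoritative zone carries DNSSEC signatures
    validated: str        # SECURE / INSECURE / BOGUS as decided by the validator

class ResolverCache:
    """Toy negative cache modelling the policy difference described in the article."""
    def __init__(self, require_validation: bool):
        self.require_validation = require_validation
        self.negative: Dict[str, str] = {}

    def admit(self, r: Response) -> bool:
        if r.rcode != "NXDOMAIN":
            return False  # only negative answers are modelled here
        # Flawed behaviour: cache the NXDOMAIN as long as it arrived, even for a
        # signed zone whose NSEC proof of nonexistence never validated.
        if not self.require_validation:
            self.negative[r.name] = r.rcode
            return True
        # Hardened behaviour: for a signed zone, a negative answer is cacheable
        # only when the validator proved the nonexistence (SECURE). Unsigned
        # zones (INSECURE) have no proof to check, so they are cached as before.
        if r.zone_signed and r.validated != SECURE:
            return False
        self.negative[r.name] = r.rcode
        return True

    def lookup(self, name: str) -> Optional[str]:
        return self.negative.get(name)

# Constructed samples: a forged NXDOMAIN for a name in a signed zone, whose
# NSEC proof failed validation (BOGUS) because it carries no valid signature;
# a genuine, validated NXDOMAIN; and an NXDOMAIN from an unsigned zone.
FORGED = Response("www.example.test", "NXDOMAIN", zone_signed=True, validated=BOGUS)
GENUINE = Response("nosuch.example.test", "NXDOMAIN", zone_signed=True, validated=SECURE)
UNSIGNED = Response("nosuch.unsigned.test", "NXDOMAIN", zone_signed=False, validated=INSECURE)

def run_policy(require_validation: bool) -> Dict[str, bool]:
    """Return, per sample name, whether the given cache policy admitted it."""
    cache = ResolverCache(require_validation)
    return {r.name: cache.admit(r) for r in (FORGED, GENUINE, UNSIGNED)}
```

With the flawed policy the forged NXDOMAIN is cached and the signed name appears not to exist; with the hardened policy only validated or unsigned negative answers are admitted.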
DNSSEC is still not widely deployed across the Internet, though that is likely to change by 2011 as the .com and .net Top Level Domains (TLDs) are digitally signed for DNSSEC.
While DNSSEC's recently reported vulnerabilities might undermine the confidence that some network administrators have in the technology, Liu doesn't see an issue.
"First, this isn't a problem with DNSSEC -- the standard -- but the implementation of DNSSEC in BIND," Liu said. "And it seems natural that when adding DNSSEC support to BIND, ISC would miss some corner cases. That's what this is: A corner case."
Even if other DNSSEC-related issues are discovered in the future, network administrators shouldn't need to worry too much, Liu said.
"I don't expect any, but on the other hand, I wouldn't be surprised if another implementation flaw was found in BIND's DNSSEC implementation or in another name server with DNSSEC support," Liu said. "And no, I don't think DNS administrators should worry about them. Both this vulnerability and the previous were found (by the good guys) before any exploits existed. That's how we'd like open source to work."