IETF ponders DNS threat to Internet

The Internet Engineering Task Force is considering how to respond to the threat posed by the Kaminsky flaw, discovered earlier this year.

The IETF, meeting this week in Minneapolis, is currently weighing up two options: tweaking DNS to make it more secure or wholesale adoption of emerging standard DNSSEC.

In July, security researcher Dan Kaminsky discovered a bug that allows for cache poisoning attacks, where a hacker redirects traffic from a legitimate website to a fake one. With DNSSEC, the IETF already has a solution to the Kaminsky problem. The problem is that DNSSEC prevents these attacks only when it is fully deployed across the Internet and deployment has been very slow.

That's why some IETF participants are urging immediate action to address the Kaminsky bug, while others are hoping to use the publicity to promote DNSSEC deployment. "The open question is whether there are other measures we can take to improve forgery resilience, or are there changes to the DNS protocols that we should be making," explains Andrew Sullivan, co-chair of the IETF's DNS Extensions working group. The working group is split on which direction to take. "We can't tell yet which way it will go," says Olafur Gudmundsson, the other co-chair of the group.

In recent weeks, IETF participants have submitted five documents to the DNS Extensions working group with proposed changes to DNS that would prevent Kaminsky-style attacks. "We've been trying to condense the proposals down to the working group to show what each of the changes would be, how they would help the situation, what the operational costs would be and what would break as a result of the changes," Gudmundsson says. "It's too early to tell if the group is going to coalesce around one of these proposals."

One option is for the IETF to do nothing about the Kaminsky bug. Some participants at the DNS Extensions working group meeting this week referred to all of the proposals as a "hack" and argued against spending time developing one of them into a standard because it could delay DNSSEC deployment.

Other participants said it was irresponsible for the IETF to do nothing about the Kaminsky bug because large sections of the DNS will never deploy DNSSEC. "We can do the hack and it might work in the short term, but when DNSSEC gets widely used, we'll still be stuck with the hack," said IETF participant Scott Rose, a DNSSEC expert with the US National Institute for Standards and Technology (NIST).

IETF participants pointed out that DNS software packages from BIND, Nominum, Microsoft and NLnet Labs have added patches for the Kaminsky bug, and 75 percent of DNS servers have been upgraded to thwart Kaminsky-style attacks. The IETF also is putting the finishing touches on a best-practices document that outlines ways for DNS server operators to protect against spoofing attacks.

The co-chairs of the DNS Extensions working group said they hope to make a decision on whether to change the DNS protocols in light of the Kaminsky bug before the group's next meeting in March. " We want to avoid creating a long-term problem that is caused by a hasty decision," Sullivan said. "There are big reasons to be careful here. The DNS is a really old protocol and it is fundamental to the Internet. We're not talking about patching software. We're talking about patching a protocol. We want to make sure that whatever we do doesn't break the Internet."