5 years after major DNS flaw is discovered, few US companies have deployed long-term fix

Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat.

In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.

While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key cryptography so that the records mapping a domain name to its IP addresses can be verified as authentic, preventing man-in-the-middle attacks on DNS lookups.


Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security on their DNS servers is minuscule.

Recent surveys conducted by DNS vendor Secure64 show little deployment of DNSSEC:

  • None of the top 100 major U.S. e-commerce companies tested by Secure64 was using digital signatures to sign their zones, nor were any of these organizations validating DNSSEC queries. Although popular top-level domains including .com are signed, none of the 100 e-retailers tested, including Amazon.com, had established a chain of trust, that is, verified electronic signatures at each DNS lookup node.
  • One out of 384 worldwide financial services companies tested by Secure64 was signing its zone, and none had established a chain of trust. The financial services firm that showed signs of DNSSEC deployment was the quasi-federal organization Sallie Mae.
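The two conditions the surveys above test for, a zone that is signed and a chain of trust that reaches it from the root, can be modelled directly. The following Python is an added example, not code from the article, Secure64 or NIST: it computes the RFC 4034 DS-to-DNSKEY linkage (key tag plus SHA-256 digest) over a constructed set of zones under the reserved example.com name and classifies each zone the way a validating resolver would at every delegation. It goes slightly beyond the survey categories by also showing the "bogus" outcome, a DS in the parent that matches no DNSKEY in the child (for instance after a key rollover the parent never picked up), which is the failure that makes a zone go dark for validating resolvers. All zone names, key bytes and function names are constructed placeholders, and RRSIG signature verification is deliberately omitted.

```python
"""DNSSEC chain-of-trust classifier over constructed zone data.

Added example, not code from the article, Secure64 or NIST. It models what
the surveys check: (1) is the zone signed, i.e. does it publish DNSKEY
records, and (2) does every parent zone from the root down publish a DS
record that matches a DNSKEY in the child (RFC 4034 key tag and SHA-256
digest). RRSIG checking is left out; key bytes are placeholders, not real keys.
"""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (a single zero byte)."""
    name = name.rstrip(".").lower()
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = key-signing key), protocol (always 3),
    algorithm number, then the public key material."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type 2, SHA-256 digest),
    where the digest covers the owner name in wire form plus DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ancestors(name: str) -> list:
    """Zone cuts from the root down to name, e.g. ['.', 'com.', 'x.com.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def classify(name: str, zones: dict) -> str:
    """Return 'unsigned', 'secure', 'signed, no chain of trust' or 'bogus',
    following the decision a validating resolver makes at each delegation.
    The root DNSKEY is treated as the configured trust anchor."""
    if not zones.get(name, {}).get("dnskey"):
        return "unsigned"
    chain = ancestors(name)
    secure = True
    for parent, child in zip(chain, chain[1:]):
        child_keys = zones.get(child, {}).get("dnskey", [])
        ds_set = zones.get(parent, {}).get("ds", {}).get(child, [])
        if not secure or not child_keys or not ds_set:
            # An unsigned ancestor or a missing DS leaves the zone an
            # "island of trust": signed, but unreachable from the root.
            secure = False
            continue
        if not any(ds_record(child, k) == ds for ds in ds_set for k in child_keys):
            # DS published but matching no DNSKEY (e.g. stale DS after a key
            # rollover): validating resolvers answer SERVFAIL, the zone goes dark.
            return "bogus"
    return "secure" if secure else "signed, no chain of trust"


def build_zones() -> dict:
    """Constructed zone set: four delegations under example.com, one per outcome."""
    zones = {}
    for owner in [".", "com.", "example.com.", "full.example.com.",
                  "island.example.com.", "stale.example.com."]:
        ksk = dnskey_rdata(257, 8, b"placeholder-ksk-for-" + owner.encode())
        zones[owner] = {"dnskey": [ksk], "ds": {}}
    zones["plain.example.com."] = {"dnskey": [], "ds": {}}  # never signed
    for parent, child in [(".", "com."), ("com.", "example.com."),
                          ("example.com.", "full.example.com.")]:
        zones[parent]["ds"][child] = [ds_record(child, k) for k in zones[child]["dnskey"]]
    # island.example.com. is signed but its parent never published a DS for it.
    # stale.example.com.: the parent still carries the DS of a rolled-out key.
    old_key = dnskey_rdata(257, 8, b"placeholder-old-ksk")
    zones["example.com."]["ds"]["stale.example.com."] = [ds_record("stale.example.com.", old_key)]
    return zones


ZONES = build_zones()

if __name__ == "__main__":
    for zone in ["full.example.com.", "island.example.com.",
                 "plain.example.com.", "stale.example.com."]:
        print(f"{zone:22} {classify(zone, ZONES)}")
```

In the survey terms used above, only `full.example.com.` counts as fully deployed; `island.example.com.` is the "signed but no chain of trust" case that Sallie Mae fell into, and `stale.example.com.` is the operational failure that makes financial firms nervous about a bad deployment: the zone is signed, yet every validating resolver refuses to answer for it. The same DS-matching check, run with real DNSKEY and DS records fetched with a tool such as `dig`, is how one audits a delegation in practice.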

"For whatever reason, the importance of securing their DNS has not raised itself up to a high enough level of priority for these organizations," says Mark Beckett, vice president of marketing for Secure64. "Perhaps they don't know there is a hole in the DNS and that if it is attacked, their customers could have their personal or financial information compromised."

A similar survey conducted weekly by the National Institute of Standards and Technology indicates that only 10 out of more than 1,000 U.S. industry websites have fully deployed DNSSEC. DNSSEC pioneers include Comcast, Data Mountain Solutions, Infoblox, PayPal and Sprint. Another nine websites -- including those operated by Dyncorp, Simon Property Group and Juniper Networks -- demonstrated partial deployment of DNSSEC in the NIST survey.

"The tools and other functions are there to do [DNSSEC]," says Chris Griffiths, director of high-speed Internet engineering at Comcast, which deployed DNSSEC a year ago. "I know that other folks are looking at it. ... In general, people are in the planning stages and at this point they probably need to move that along."

Companies that show no signs of deploying DNSSEC read like a Who's Who of American Industry: Fifth Third Bancorp, Bank of America, Cardinal Health, Charles Schwab, Delta Air Lines, Disney, eBay, Target, WellPoint and Wells Fargo. Even high-tech leaders such as Apple, Cisco, Google, IBM and Symantec haven't deployed DNSSEC yet, the NIST survey shows.

"There are lots of products and services available that make DNSSEC deployment easy. I don't think that's the barrier," Beckett says. "Companies only have so much money to work on security initiatives. This is not the top one that people are focused on."

Universities, which are often at the cutting edge of network technology, are similarly slow at deploying DNSSEC. Of 346 university domains monitored by NIST, only 17 have fully deployed DNSSEC. Leaders include Bucknell University, University of California Berkeley and Indiana University. Laggards include Harvard University, Yale University and Princeton University.

The only sector in the United States that is deploying DNSSEC is the federal government, which is required by law to do so. Federal agencies were under a mandate from the Office of Management and Budget to have supported DNSSEC by Dec. 31, 2009.

Recent surveys show the majority of U.S. federal agencies have met that mandate:

  • Secure64 found that 65% of the 359 agencies it tested were signing their domains and that 80% of these organizations had fully deployed DNSSEC standards.
  • Similarly, NIST found that 76% of the 1,396 U.S. government domains tested had operational DNSSEC, and another 5% were in the process of deploying the standard.

"We've helped government agencies deploy DNSSEC in a matter of weeks, once the decision of vendor is made," Beckett says. "I'm hopeful that at least within the banking sector some of the major banks will cross this threshold in 2013 and will have deployed DNSSEC by January 2014."

Comcast says it has experienced few technical problems with its DNSSEC deployment, which covers all of its residential customers.

"Within our online forums and other public places and in the DNSSEC community, we've received very positive reviews of our DNSSEC service and the lack of issues associated with it," Griffiths says. "It's been well received within the DNSSEC community and our customer base."

However, Griffiths notes that while Comcast's residential customers are protected by DNSSEC, few of its small or midsize business customers are asking for the add-on security measure.

"We're certainly investigating products and services to support that," Griffiths says. "We want to roll out something that ... adds automation to help them roll this out themselves, so they are getting the benefit of using our DNS cache resolvers but are signing their own domains."

Griffiths says he sees momentum for DNSSEC among top-level domains; for example, Canada in January began signing its .ca top-level domain. But he expects it to take several years before DNSSEC is widely deployed by U.S. corporations.

"I absolutely expect banks, other companies and ISPs to take advantage of it," Griffiths says. "It takes time and planning, and I would expect it to roll out slowly. ... We've proven that DNSSEC can be rolled out at scale, and we hope people will follow our lead."


One barrier to DNSSEC deployment is that it is extremely difficult for content delivery networks (CDNs) to sign data dynamically as is required by the standard. That's why popular CDNs such as Akamai and Limelight haven't fully deployed DNSSEC yet.

Consider the case of Akamai, which carries between 15% and 30% of all Web traffic and supports 20 top global e-commerce sites, 30 top media companies and 8 of the top 10 U.S. banks. Akamai offers DNSSEC support on its Enhanced DNS Service, but it has been working for several years to figure out how to support the emerging security standard on its core content delivery service.

"For our DNS mapping service, we have end users coming from all over the world to 150,000 servers. That's a pretty sizeable and interesting DNS file," explains Andy Ellis, chief security officer of Akamai. "The way that DNSSEC was written was that DNS was a static file. Most organizations have a small zone file that doesn't change more than once a month. ... The DNS file that we use has roughly 3.2 billion [resource records] to give out and sign, and we change them every 20 seconds. ... For us, we're getting into really gross numbers, and we're working on ways to improve that."

Ellis concedes that "DNSSEC is important to do" but says that few of Akamai's corporate clients are asking for it or are interested in verifying their DNS traffic at this point in time. "What we see catching a lot more steam is the migration to [Secure Sockets Layer], which is still not perfect but it is a significant step in improving security," Ellis says.

The only segment of Akamai customers asking for DNSSEC is federal agencies, Ellis says.

"The e-commerce sites don't care much because they have a huge [worry] about denial-of-service attacks," Ellis says. "Financial services firms are very concerned about failure. They are very concerned about a bad client deployment of DNSSEC that would cause them to go dark. So they are putting in enhanced validation with SSL."

Ellis says U.S. companies responded to the disclosure of the Kaminsky flaw by patching their DNS software with easy workarounds rather than taking the time to deploy DNSSEC, which is a more complete but also a more complex solution.

"I don't think the Kaminsky flaw is that big of an issue right now," Ellis says. "DNSSEC doesn't solve the problems that are very real to [U.S. companies] ... like rolling denial of service attacks and phishing-based fraud. That's where we see a lot more of their time and energy being spent."
