Pwnability
Posted on August 15, 2008
A security flaw that threatens the Internet’s DNS structure can be fixed, but bureaucracy stands in the way:
If the complicated politics of internet governance continue to get in the way of upgrading the security of the net’s core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House.
“The National Telecommunications and Information Administration, an agency of the Department of Commerce, is the show-stopper here,” Woodcock said.
At issue is the trustworthiness of the domain name system, or DNS, which serves as the internet’s phone book, translating queries such as wikipedia.org into the numeric IP address where the site’s server lives…
Kaminsky quietly worked with large tech companies to build patches for the net’s name servers to make the attack more difficult. But security experts, and even the NTIA, say those patches are just temporary fixes; the only known complete fix is DNSSEC — a set of security extensions for name servers…
But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called “root file” with a public-private key. Otherwise, an attacker can undermine the entire system at the root level, like cutting down a tree at the trunk. That’s where the politics comes in. The DNS root is controlled by the Commerce Department’s NTIA, which thus far has refused to implement DNSSEC…
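The chain-of-trust point above, as a constructed illustration added here (not code from this post or from the article it quotes): toy RSA keys and a three-zone hierarchy stand in for real DNSKEY and DS records, and the validator can only walk downward from whatever key it is told to trust, so an anchor at the root covers the whole tree while an anchor at "org" covers only that island. Zone names, keys and the documentation-range addresses are all made up for the example.

```python
import hashlib

def _digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def toy_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA over tiny constructed primes (illustration only, not real DNSSEC keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def sign(priv: int, pub: tuple, data: bytes) -> int:
    n, _ = pub
    return pow(int.from_bytes(_digest(data), "big") % n, priv, n)

def verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(_digest(data), "big") % n

def key_digest(pub: tuple) -> bytes:
    """What a DS record carries: a hash of the child zone's public key."""
    return _digest(f"{pub[0]}:{pub[1]}".encode())

def make_zone(pub, priv, records: dict, children: dict) -> dict:
    """A zone publishes its key, its own signed records, and a signed DS for each child's key."""
    recs = {name: (rd, sign(priv, pub, rd)) for name, rd in records.items()}
    ds = {c: (key_digest(k), sign(priv, pub, key_digest(k))) for c, k in children.items()}
    return {"key": pub, "records": recs, "ds": ds}

# Constructed hierarchy: root -> org -> wikipedia.org (the address is a documentation IP).
ROOT_PUB, ROOT_PRIV = toy_keypair(1009, 1013)
ORG_PUB, ORG_PRIV = toy_keypair(1019, 1031)
WIKI_PUB, WIKI_PRIV = toy_keypair(1033, 1039)
ZONES = {
    "wikipedia.org": make_zone(WIKI_PUB, WIKI_PRIV, {"A": b"wikipedia.org A 192.0.2.10"}, {}),
    "org": make_zone(ORG_PUB, ORG_PRIV, {}, {"wikipedia.org": WIKI_PUB}),
    ".": make_zone(ROOT_PUB, ROOT_PRIV, {}, {"org": ORG_PUB}),
}

def validate(zones: dict, chain: list, anchor_key: tuple, record: str) -> bool:
    """Walk DS -> DNSKEY links from the trust anchor (the key for chain[0]) down to the record."""
    key = anchor_key
    for parent, child in zip(chain, chain[1:]):
        ds, ds_sig = zones[parent]["ds"][child]
        child_key = zones[child]["key"]
        # The trusted parent must vouch for the DS, and the DS must match the child's published key.
        if not verify(key, ds, ds_sig) or ds != key_digest(child_key):
            return False
        key = child_key
    rdata, sig = zones[chain[-1]]["records"][record]
    return verify(key, rdata, sig)

def forged_child_is_rejected() -> bool:
    """Substituting an attacker key for wikipedia.org fails: org's signed DS names the real key."""
    atk_pub, atk_priv = toy_keypair(1049, 1051)
    forged = dict(ZONES)
    forged["wikipedia.org"] = make_zone(atk_pub, atk_priv, {"A": b"wikipedia.org A 198.51.100.9"}, {})
    return not validate(forged, [".", "org", "wikipedia.org"], ROOT_PUB, "A")
```

The same substitution one level higher, at the root, is exactly what no validator can detect unless the root key itself is signed and distributed as a trust anchor.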