DNS inventor Dr Paul Mockapetris believes that wide-spread adoption of improvements to security on the Internet is very close, despite delays to DNSSEC that he has labelled as baffling.
Flaws in the current DNS system, most notably the Kaminsky Vulnerability publically exposed in July 2008, have left Internet users exposed to potential attacks. DNSSEC (Domain Name System Security Extension) uses digital signatures to protect sites from attacks such as DNS cache poisoning and other false requests.
Mockapetris, now chief scientist and chairman of IP address infrastructure software provider Nominum, said the DNSSEC has been under development for 15 years. Adoption remains low, however, with only Sweden and Puerto Rico signing up to the system.
“It baffles me,” Mockapetris said of the delay. “On the one hand I’m never baffled by how long standards processes take, but 15 years sounds like a lot to me. I think we’ve lost 10 years of progress with DNS technology due to this stupid food fight around DNSSEC. We’ve been at it for 10 years, I think there’s five years of good work there.”
He said that wide-spread adoption of the standard is not far away, although he understandably did not put a timescale on it. “It’s very close. The stage we are at is that we need mass-market testing. I pat on the back anyone who is signing their DNS and trying to make all their applications understand DNSSEC. But I suspect there are still some wrinkles that need to be ironed out.”
The delays have been caused by a combination of issues. “There was the bureaucratic delay, but it was also the fact that people hadn’t really figured out what it was they wanted to secure. Some people said they didn’t want cryptographic keys stored in the DNS. I don’t know why,” Mockapetris added.
Mockapetris claims that security was not considered when he wrote DNS in the 1980s. “When I designed the original DNS protocol 25 years ago, security was intentionally left out because the community using the system was the research community and they thought the system was much too complicated and had too many features.”
He says that security was one of the elements that could be added at a later date as, “It seemed like there were all the right places to bolt it on. I’m as surprised as anyone that it has taken 25 years for us to get round to it.”
Mockapetris said security should be quite simple. “In my view, the best security system I can think of is a car door lock. Everyone knows an expert can defeat it, but what it does is allow us drive our cars and leave them where we want and they’ll probably be there when we get back. We know the security isn’t perfect but it works and you can understand it.”
“One of the problems in the security industry is that people don’t know what is being offered,” he added.