Permanent fix needed for DNS security issues, Kaminsky warns

20.02.2009
Seven months after the disclosure of a DNS cache-poisoning flaw that was discovered by security researcher Dan Kaminsky, industrywide efforts to address the DNS problem have made considerable headway, according to Kaminsky.

Even so, Kaminsky - who works at a security services firm - said this week that the time may have come for IT vendors and users to consider broad adoption of DNS Security Extensions, or DNSSEC, technology.

DNSSEC is designed to make the Internet safer by providing a better method of authenticating DNS data and protecting it from flaws - such as the one Kaminsky found - and other security threats. The technology is being vigorously pushed by the federal government on its networks, but many companies have been hesitant about deploying DNSSEC because of its complexity - which includes requiring changes to the DNS protocol itself.

"DNSSEC as an implementation issue remains terrifying," Kaminsky said in an interview after speaking here. "There are so many things administrators are supposed to do." As a result, many aren't even trying - leading to a very low adoption rate, he said.

Nevertheless, Kaminsky contended that the make a strong case for adopting DNSSEC. What the security industry needs to focus on now, he added, is making DNSSEC no harder to implement than deploying the so-called source port randomization fixes for the DNS cache-poisoning flaw was.

"I'm not saying source port randomization was easy," he noted. But once the fixes were implemented, systems administrators didn't have to do anything else to protect their DNS servers against the cache-poisoning flaw, according to Kaminsky. "Once you did it," he said, "you were done."