Port 53 Wars: Security of the Domain Name System and Thinking About DNSSEC

Abstract

Correct functioning of the domain name system (DNS) is key to the security and usability of virtually all network applications, yet many Internet2-connected sites have easily identified and exploited DNS-related vulnerabilities. In some cases those DNS-related issues may affect only the security and network usability of local users (which is bad enough), but in other cases local vulnerabilities may be remotely exploitable to attack other sites with potentially devastating consequences. In either case, DNS-related vulnerabilities deserve your attention and prompt corrective action. This session will highlight a number of those issues, and explain how you can check your site for the presence of vulnerabilities and what steps you can take to correct those issues.

Beyond identifying and discussing DNS-related security issues which need immediate attention, we will also discuss DNSSEC. While DNSSEC has had a slow rate of adoption to date, FISMA will soon mandate DNSSEC deployment for federal agencies, and many institutions of higher education may also want to begin evaluating deployment of DNSSEC for their institutions. What are the current DNSSEC-related issues? Why have the dot-com's been slow to adopt DNSSEC? What pieces are ready to go and what's still missing?